
Use truststore before certifi to verify CA certificates #1091

@aldehoff-revvity

Description

I'm running a devpi server behind a reverse proxy (Nginx) to handle TLS and serve packages via HTTPS. The server is running in a corporate network behind a firewall and uses a self-signed certificate. The company's intermediate and root CA are trusted in

  • all OS certificate stores (injected by corporate IT), and
  • all Java certificate stores (injected on demand with keytool),

but I have not yet found a way to also trust them by default in the Python certificate stores distributed with certifi. This becomes even harder when using virtual environments for devpi-client or after updating certifi to a newer version. For pip, there seems to be a good solution available in truststore, which allows the use of the OS certificate store over the certifi certificate store.

```shell
pip install foo --index-url https://devpi.example.com --trusted-host devpi.example.com    # works
pip install foo --index-url https://devpi.example.com --use-feature truststore            # works
devpi use https://devpi.example.com/org/repo                                              # CERTIFICATE_VERIFY_FAILED
```

The current workaround is to permit HTTP traffic on a non-default port, only to be used by devpi-client. That defeats the purpose of TLS. Can devpi-client please support truststore, either in addition to or instead of certifi?
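The mechanism the request is asking for, shown as an added example rather than anything from the devpi project or the issue author: a small launcher that makes the Python process verify TLS against the OS trust store the way `pip --use-feature truststore` does, instead of against certifi's bundle. It uses only the documented truststore API (`truststore.SSLContext` and `truststore.inject_into_ssl()`) and falls back to the stdlib default context when truststore is not installed. The devpi-client console entry point (`devpi.main:main`) and the `DEVPI_NO_OS_TRUST` environment variable are assumptions for this example.

```python
"""Launcher that lets a Python client (here devpi-client) trust the OS CA store.

Added example, not devpi's own code. Assumes the 'truststore' package is
installed (pip install truststore); everything degrades to stdlib ssl otherwise.
"""
import os
import ssl
import sys


def build_client_context(prefer_os_store=True):
    """Return a strict TLS client context.

    With truststore available and requested, certificate chains are validated by
    the operating system (Windows CryptoAPI, macOS Security.framework, or the
    OpenSSL system paths on Linux), so a corporate root that IT pushed to the OS
    store is trusted without touching certifi.  Otherwise the stdlib default
    context is returned.  Either way hostname checking stays on and
    verification stays mandatory.
    """
    if prefer_os_store:
        try:
            import truststore  # third-party; assumed installed
            ctx = truststore.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        except ImportError:
            ctx = ssl.create_default_context()
    else:
        ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def context_is_strict(ctx):
    """True when the context will reject unverified or misnamed peers."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def inject_os_trust():
    """Replace ssl.SSLContext process-wide with truststore's implementation.

    This is what `pip --use-feature truststore` does: libraries that build their
    own context later (urllib3/requests, which devpi-client uses) pick up the OS
    store transparently.  CA files they still pass via load_verify_locations
    remain trusted in addition to the OS store.  Returns True if injected.
    """
    try:
        import truststore
    except ImportError:
        return False
    truststore.inject_into_ssl()
    return True


def main(argv=None):
    """Inject OS trust, then hand control to devpi-client's console entry point.

    `devpi.main:main` is assumed to be devpi-client's console-script target;
    DEVPI_NO_OS_TRUST=1 is an assumed opt-out for debugging.
    """
    argv = sys.argv[1:] if argv is None else argv
    if os.environ.get("DEVPI_NO_OS_TRUST") != "1" and not inject_os_trust():
        print("warning: truststore not installed; using bundled CA store",
              file=sys.stderr)
    from devpi.main import main as devpi_main  # assumed entry point
    return devpi_main(argv)


if __name__ == "__main__":
    sys.exit(main())
```

Save the block as `devpi-os-trust.py` inside the devpi-client virtual environment and invoke it in place of `devpi`; because `inject_into_ssl()` runs before devpi-client imports requests, the existing `verify=certifi.where()` path keeps working for public indexes while the corporate CA is accepted from the OS store, so the HTTP-on-a-side-port workaround is no longer needed.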
