New poster unable to comment yet - but here's an additional option and clarification if you have a non-default trusted SSL certificate, such as when using corporate internet monitoring software like ZScaler.
Assuming you have a new trusted.pem file, you may need to append this trusted.pem to the certificate at the path python -m certifi, AND, set this concatenated .pem file to the REQUESTS_CA_BUNDLE variable.
It may not work if you only set REQUESTS_CA_BUNDLE to trusted.pem.
Tested on Windows 10. Related variables are AWS_CA_BUNDLE, SSL_CERT_FILE, and CURL_CA_BUNDLE, though these need to be set to trusted.pem only on your local, not to the concatenated version.
For whatever reason, inside a Dockerfile, these ENV variables need to be the concatenated.pem file (after relevant COPY commands of course)
