Python uses OpenSSL but will only use the system certificates if explicitly told so. The path to the ca cert bundle must either be hardcoded in the app or configured. See for instance http://mercurial.selenic.com/wiki/CACertificates#Fedora.2FRHEL . That should be taken into consideration for this feature. But it is not obvious how.
The best and least intrusive solution might be to modify Python to always use the system certificates, especially when no certs has been specified. That is apparently what OS X do. Kiilerix (talk) 23:53, 23 January 2013 (UTC)