@and answered this best in 2017, and I think we've all given this person enough to to post what I think is the best answer as an answer. So now I'm doing it, after posting upvote #42 (such a fitting #) to the comment that saved my bacon. But we digress. Combining the well-celebrated answer with @and's golden comment...

You can set the environment variable REQUESTS_CA_BUNDLE so you don't have to modify your code:

export REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt

The improvement, if it's not clear is this: /etc/ssl/certs/ca-certificates.crt will contain not merely any self-cert you added to your trust store, but also all of the other standard certs. That's a big deal, because, for example, I ran into a situation where when REQUESTS_CA_BUNDLE was set to just my self-cert, the AWS CLI could no longer authenticate. (Don't ask me why AWS cares about REQUESTS_CA_BUNDLE. I don't know. I do know, however, that using ca-certificates.crt solved the problem.