hi @light !
You may have a http ssl proxy of some sort, like zscaler or fortigate.
You can work around this by getting the Root CA and patching the certifi one.
This is an example for zscaler:
cat ZscalerRootCA.pem >> $(python -m certifi)
Let me know if this is your scenario.
Thanks