With this command, you verify the company the certificate comes from:
openssl s_client -connect pypi.python.org:443
Result:
depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert High Assurance CA-3
verify error:num=20:unable to get local issuer certificate
You don't have the root certificate for it... then you download DigiCertAssuredIDRootCA.crt from: https://www.digicert.com/digicert-root-certificates.htm
And use it with -CAfile
:
openssl s_client -connect pypi.python.org:443 -CAfile DigiCertAssuredIDRootCA.crt
Now it works!