Taught https-download to trust system certstore.

fixes #3036.

CHANGES/3036.bugfix

@@ -0,0 +1 @@
+Taught downloader to trust system-cert-store on HTTPS proxy connections.

pulpcore/download/factory.py

@@ -120,6 +120,8 @@ def _make_aiohttp_session_from_remote(self):
             sslcontext.verify_mode = ssl.CERT_NONE
         if sslcontext:
             tcp_conn_opts["ssl_context"] = sslcontext
+            # Trust the system-known CA certs, not just the end-remote CA
+            sslcontext.load_default_certs()
 
         headers = MultiDict({"User-Agent": DownloaderFactory.user_agent()})
         if self._remote.headers is not None:

pulpcore/tests/functional/api/using_plugin/test_proxy.py

@@ -4,6 +4,7 @@
 from pulpcore.client.pulp_file import (
     RepositorySyncURL,
 )
+import sys
 
 
 def _run_basic_sync_and_assert(
@@ -163,3 +164,34 @@ def test_sync_http_through_https_proxy(
         file_content_api_client,
         monitor_task,
     )
+
+
+@pytest.mark.parallel
+def test_sync_https_through_https_proxy(
+    file_remote_ssl_factory,
+    file_repo,
+    file_bindings,
+    file_content_api_client,
+    https_proxy,
+    basic_manifest_path,
+    monitor_task,
+):
+    """
+    Test syncing http through an https proxy.
+    """
+    if not (sys.version_info.major >= 3 and sys.version_info.minor >= 11):
+        pytest.skip("HTTPS proxy only supported on python3.11+")
+    remote_on_demand = file_remote_ssl_factory(
+        manifest_path=basic_manifest_path,
+        policy="on_demand",
+        proxy_url=https_proxy.proxy_url,
+        tls_validation="false",
+    )
+
+    _run_basic_sync_and_assert(
+        remote_on_demand,
+        file_repo,
+        file_bindings,
+        file_content_api_client,
+        monitor_task,
+    )