[BUG] Salt not using installed self signed ca certificates for http request

[dgengtek]

Description
Salt is not picking up my custom installed ca certificates and any http query to any hosts with issued certificates of that ca are unable to be verified.

$ sudo salt "myhost" http.query "https://vault:8200/v1/sys/seal-status"
Error running 'http.query': HTTPSConnectionPool(host='vault', port=8200): Max retries exceeded with url: /v1/sys/seal-status (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1056)')))

The same does work for example with curl from the same host

$ curl  -X GET 'https://vault:8200/v1/sys/seal-status'
{"type":"shamir","initialized":true,"sealed":false,...}

Setup
I have a self signed pki with the ca certificates installed on the host in /usr/local/share/ca-certificates/ and ran the command for linking to the local ca store with

$ sudo update-ca-certificates --verbose --fresh
Clearing symlinks in /etc/ssl/certs...
done.
Updating certificates in /etc/ssl/certs...
Doing .
...
link intranet0.pem -> 0c84b26d.0
link intranet1.pem -> 0c84b26d.1
...

Steps to Reproduce the behavior
Install self signed ca certificates. Do a http request with salt to an endpoint which has an issued certificate of that ca.

Expected behavior
Salt is able to pick up the ca certificates which have been linked to /etc/ssl/certs by the operating system to verify any issued certificates.

Versions Report

salt --versions-report

(Provided by running salt --versions-report. Please also mention any differences in master/minion versions.)

Salt Version:
          Salt: 3002.2

Dependency Versions:
          cffi: Not Installed
      cherrypy: 8.9.1
      dateutil: 2.7.3
     docker-py: Not Installed
         gitdb: 2.0.5
     gitpython: 2.1.11
        Jinja2: 2.11.2
       libgit2: 0.27.7
      M2Crypto: 0.35.2
          Mako: Not Installed
       msgpack: 1.0.0
  msgpack-pure: Not Installed
  mysql-python: Not Installed
     pycparser: 2.19
      pycrypto: 2.6.1
  pycryptodome: 3.9.9
        pygit2: 0.27.4
        Python: 3.7.3 (default, Jul 25 2020, 13:03:44)
  python-gnupg: Not Installed
        PyYAML: 5.3.1
         PyZMQ: 20.0.0
         smmap: 2.0.5
       timelib: Not Installed
       Tornado: 4.5.3
           ZMQ: 4.3.3

System Versions:
          dist: raspbian 10 buster
        locale: UTF-8
       machine: armv7l
       release: 4.19.75-v7l+
        system: Linux
       version: Raspbian GNU/Linux 10 buster

Additional context
It worked with v2019. I guess it stopped working since some dependencies got bundled with salt?

Which certificate store is saltstack using?

[dgengtek]

Never mind. Since saltstack is using request for the http request I had to export the environment variable REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt to use the ca store of the operating system instead of the bundled ca store of request.