If you are behind a proxy that breaks SSL (basically it does a man-in-the-middle attack, hopefully with your consent, typically for deep inspection) you may need to tell pip to use the system certificate store (presuming that trusts the proxy’s certificate), rather than its embedded one, via the PIP_CERT environment variable.

A quick bash script that one can source to do this on Debian derived distributions (including Ubuntu) and Red Hat derived distributions (including CentOS, AlmaLinux and Rocky):

# Force pip to use the system certificates instead of its own bundle.
# Necessary if behind a proxy that breaks end-to-end SSL.
if [ -f /etc/debian_version ]
    export PIP_CERT=/etc/ssl/certs/ca-certificates.crt
elif [ -f /etc/redhat-release ]
    export PIP_CERT=/etc/ssl/certs/ca-bundle.crt
    echo "Unsupported distribution, unable to set PIP_CERT correctly." >&2