Explicitly use certificate chain.

pillar/application/modules/blender_id.py

@@ -170,6 +170,7 @@ def validate_token(user_id, token, oauth_subclient_id):
     # Retry a few times when POSTing to BlenderID fails.
     # Source: http://stackoverflow.com/a/15431343/875379
     s = requests.Session()
+    s.verify = current_app.config['TLS_CERT_FILE']
     s.mount(blender_id_endpoint(), HTTPAdapter(max_retries=5))
 
     # POST to Blender ID, handling errors as negative verification results.

pillar/config.py

@@ -1,5 +1,10 @@
 import os.path
 from collections import defaultdict
+import requests.certs
+
+# Certificate file for communication with other systems.
+TLS_CERT_FILE = requests.certs.where()
+print('Loading TLS certificates from %s' % TLS_CERT_FILE)
 
 RFC1123_DATE_FORMAT = '%a, %d %b %Y %H:%M:%S GMT'