Module delete_orphans behaves differently from other modules regarding TLS certificates #179

Open
netsandbox opened this issue Sep 27, 2024 · 2 comments

@netsandbox
Contributor

netsandbox commented Sep 27, 2024

I have a Pulp server (container deployment) behind a proxy (traefik).
The proxy uses a TLS certificate from a local CA.
The proxy presents the TLS server certificate and the intermediate certificate to the clients.
The host where Ansible runs has the TLS root certificate stored in the OS trusted certificate store.

Other modules (rpm_remote, rpm_repository, rpm_sync, rpm_distribution) work fine with this configuration.

Running the delete_orphans module results in:

TASK [pulp_repos : Delete orphans] *********************************************
fatal: [pulp-api-dev]: FAILED! => changed=false 
 msg: 'HTTPSConnectionPool(host=''pulp.server'', port=443): Max retries exceeded with url: /pulp/api/v3/docs/api.json (Caused by SSLError(SSLCertVerificationError(1, ''[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1129)'')))'

Currently I use for the pulp.squeezer.delete_orphans module:

validate_certs: false

as a workaround.

@mdellweg
Member

Ohh, you may realize that this affects all the modules already rewritten to pulp-glue.
I think what you are experiencing here is: psf/requests#6726, psf/requests#6731

Is there any chance you can revert to an older version of requests until they get it sorted out?

@netsandbox
Contributor Author

I reverted back to requests~=2.29.0 but still experience the same error.
But then I remembered that I had for a long time on my Ubuntu workstation in /etc/profile.d/python_requests.sh this:

export REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt

Using this (or the equivalent REQUESTS_CA_BUNDLE=/etc/pki/tls/certs/ca-bundle.crt for RHEL based OS) works for me also with a recent requests version.
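
Added example (not part of the thread, and not pulp-squeezer or pulp-glue code): a standard-library sketch of how `requests` chooses its trust anchors by default, which shows why a root CA installed only in the OS store is not found until `REQUESTS_CA_BUNDLE` points at the OS bundle. The function names are hypothetical, and it assumes the calling code leaves `requests` at its defaults (`verify=True`, `trust_env=True`).

```python
import os

# Bundle paths quoted in the thread (Debian/Ubuntu and RHEL-based systems).
OS_BUNDLES = (
    "/etc/ssl/certs/ca-certificates.crt",
    "/etc/pki/tls/certs/ca-bundle.crt",
)


def effective_ca_bundle(env, verify=True, trust_env=True):
    """Return (source, path) for the trust anchors requests would use.

    Models requests' defaults: an explicit path wins, then the environment
    variables, then the bundle shipped by certifi. The OS store is only
    used when one of those happens to point at it.
    """
    if verify is False:
        return ("verification disabled", None)
    if isinstance(verify, str):
        return ("explicit verify= path", verify)
    if trust_env:
        for var in ("REQUESTS_CA_BUNDLE", "CURL_CA_BUNDLE"):
            if env.get(var):
                return (var, env[var])
    try:
        import certifi  # installed as a dependency of requests
        return ("certifi", certifi.where())
    except ImportError:
        return ("certifi", None)


def count_pem_certs(path):
    """Count certificates in a PEM bundle; None if the file is unreadable."""
    try:
        with open(path, "rb") as fh:
            return fh.read().count(b"-----BEGIN CERTIFICATE-----")
    except (OSError, TypeError):
        return None


def trusts_os_store(env, verify=True):
    """True only when the selected bundle is one of the OS bundle files."""
    _, path = effective_ca_bundle(env, verify)
    return path is not None and os.path.realpath(path) in map(os.path.realpath, OS_BUNDLES)


if __name__ == "__main__":
    source, path = effective_ca_bundle(os.environ)
    print(f"source={source} path={path} certs={count_pem_certs(path)}")
    print("local CA from OS store trusted:", trusts_os_store(os.environ))
```

Run it on the Ansible controller in the same environment the play uses; a `certifi` source means the local root CA has to be supplied through `REQUESTS_CA_BUNDLE` rather than by turning `validate_certs` off.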
