aws-sam-cli ignores the system TLS CA store on upgrades

[acdha]

My employer recently instituted SSL inspection using a tampering proxy. This was seamless for most of my clients because the CA is installed in the system stores (both the Keychain root and /etc/ssl/cert.pem) but aws-sam-cli failed to upgrade because it does not use either of those locations. This is also slightly hard to resolve because it deletes the virtualenv when the install fails so you can't fix it and resume.

In case anyone else encounters this, I made two changes which resolved this:

1. pip3.8 install --upgrade certificate — not in love with updating the global install but this is a pretty solid package
2. brew reinstall aws-sam-cli to remove and reinstall the virtualenv, avoiding the upgrade

This feels like the upgrade process should handle this more gracefully by installing the same versions of pip/certifi which you'd get on a fresh install but since there's a workaround the impact is relatively low.

Log of the failure

=> python3.8 -m venv --system-site-packages /opt/homebrew/Cellar/aws-sam-cli/1.76.0/libexec
==> /opt/homebrew/Cellar/aws-sam-cli/1.76.0/libexec/bin/pip install --upgrade pip
Last 15 lines from /Users/cadams/Library/Logs/Homebrew/aws-sam-cli/02.pip:
install
--upgrade
pip

Requirement already satisfied: pip in /opt/homebrew/Cellar/aws-sam-cli/1.76.0/libexec/lib/python3.8/site-packages (22.0.4)
Collecting pip
  WARNING: Retrying (Retry(total=4, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1131)'))': /packages/07/51/2c0959c5adf988c44d9e1e0d940f5b074516ecc87e96b1af25f59de9ba38/pip-23.0.1-py3-none-any.whl
  WARNING: Retrying (Retry(total=3, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1131)'))': /packages/07/51/2c0959c5adf988c44d9e1e0d940f5b074516ecc87e96b1af25f59de9ba38/pip-23.0.1-py3-none-any.whl
  WARNING: Retrying (Retry(total=2, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1131)'))': /packages/07/51/2c0959c5adf988c44d9e1e0d940f5b074516ecc87e96b1af25f59de9ba38/pip-23.0.1-py3-none-any.whl
  WARNING: Retrying (Retry(total=1, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1131)'))': /packages/07/51/2c0959c5adf988c44d9e1e0d940f5b074516ecc87e96b1af25f59de9ba38/pip-23.0.1-py3-none-any.whl
  WARNING: Retrying (Retry(total=0, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1131)'))': /packages/07/51/2c0959c5adf988c44d9e1e0d940f5b074516ecc87e96b1af25f59de9ba38/pip-23.0.1-py3-none-any.whl
ERROR: Could not install packages due to an OSError: HTTPSConnectionPool(host='files.pythonhosted.org', port=443): Max retries exceeded with url: /packages/07/51/2c0959c5adf988c44d9e1e0d940f5b074516ecc87e96b1af25f59de9ba38/pip-23.0.1-py3-none-any.whl (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1131)')))