ssl - curl –cacert vs python requests verify - Stack Overflow

… it’s an intermediate CA

Having only the intermediate CA in the trust store is not sufficient for validation of the certificate, at least not with the current versions of Python. This feature would require the use of the OpenSSL flag X509_V_FLAG_PARTIAL_CHAIN for verification, which is neither currently exposed by Python nor set by default.

Contrary to this curl sets this flag by default in newer versions and thus works.