SSL/TLS Inspection breaks python pip

Question

With SSL/TLS inspection being utilized, I'm unable to install any python packages using pip. Here is the python error: 
 Could not fetch URL https://pypi.org/simple/pip/: There was a problem confirming the ssl certificate: HTTPSConnectionPool(host='pypi.org', port=443): Max retries exceeded with url: /simple/pip/ (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1076)'))) - skipping 
 Usually I can just add the domain to the Local TLS Exclusion List but when I add pypi.org, I still get the error. It's not until I completely bypass or disable the SSL/TLS inspection rule that it works.

RichBaldry · Answer

The issue with python pip is that python does not use the operating system's store of trusted CAs but has its own set. 
 For pip, there is a command-line option --cert <CA file> that allows you to specify a different CA. You should be able to use this option to point pip to the CA file for the appliance. 
 Of course, the other option is to exclude the pip servers (domain pypi.org) from decryption by adding the domain to the Local Exclusions URL group.

RichBaldry · Answer

I found that if I wanted to exclude pip traffic, instead of providing the CA at the command line, there are more URLs/domains that need to be excluded. It looks like pypi.org is just the initial database queries, but actual file downloads are hosted on other domains. 
 files.pythonhosted.org is one. I don't know if this is the same for all packages, or whether it varies from one package to another. 
 I found this out by looking in the SSL/TLS log for other connections from the same client IP immediately following the initial connection to pypi.org.