Python2.7 SSL：CERTIFICATE_VERIFY_FAILED，带有有效的.pem文件

Question

冰壶

$ curl https://10.0.0.2
$ curl: (60) Peer certificate cannot be authenticated with known CA certificates

尝试使用证书卷曲

$ curl -E /opt/software/lib/python2.7/site-packages/certifi-2017.11.5-py2.7.egg/certifi/cacert.pem https://10.0.0.2

这很有效。所以它看起来有一个有效的.pem文件。现在尝试使用相同的.pem文件的python脚本

test_bb.py

#!/opt/software/bin/python2.7
import ssl
import urllib2
import certifi

BB_URL = "https://10.0.0.2"
mycafile = certifi.where()
print "pem: %s" % mycafile
urllib2.urlopen(BB_URL, cafile=mycafile)

输出

$ ./test_bb.py 
pem: /opt/software/lib/python2.7/site-packages/certifi-2017.11.5-py2.7.egg/certifi/cacert.pem
Traceback (most recent call last):
  File "./test_bb.py", line 14, in <module>
    urllib2.urlopen(BB_URL, cafile=mycafile)
  File "/opt/software/lib/python2.7/urllib2.py", line 154, in urlopen
    return opener.open(url, data, timeout)
  File "/opt/software/lib/python2.7/urllib2.py", line 429, in open
    response = self._open(req, data)
  File "/opt/software/lib/python2.7/urllib2.py", line 447, in _open
    '_open', req)
  File "/opt/software/lib/python2.7/urllib2.py", line 407, in _call_chain
    result = func(*args)
  File "/opt/software/lib/python2.7/urllib2.py", line 1241, in https_open
    context=self._context)
  File "/opt/software/lib/python2.7/urllib2.py", line 1198, in do_open
    raise URLError(err)
urllib2.URLError: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:661)>

当curl使用相同的.pem文件时，为什么会抛出SSL：CERTIFICATE_VERIFY_FAILED for python？

如何修复python脚本以便它不会抛出错误？