The requests library defaults to using the certificates from the
certifi library when not otherwise specified. If I understand the
discussion at #8247 correctly, we should instead patch it so that it
follows the following priority order:

1. the path pointed to by the environment variable $NIX_SSL_CERT_FILE
2. /etc/ssl/certs/ca-certificates.crt
3. whatever it was doing before (in this case, using certifi)

This commit implements that.
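
The lookup order listed above, as an added Python example; it is not the patch from this commit or code from requests. The function name `resolve_ca_bundle`, its injectable parameters, and the choice to skip an entry that is unset, empty or not an existing file are assumptions made for the illustration.

```python
import os

ENV_VAR = "NIX_SSL_CERT_FILE"                         # step 1 of the commit message
SYSTEM_BUNDLE = "/etc/ssl/certs/ca-certificates.crt"  # step 2 of the commit message


def _certifi_bundle():
    # Step 3: the previous behaviour, the bundle shipped with certifi.
    import certifi  # imported lazily so steps 1 and 2 work without it installed
    return certifi.where()


def resolve_ca_bundle(env=None, is_file=os.path.isfile, fallback=_certifi_bundle):
    """Return (path, source) for the CA bundle chosen by the priority order.

    env, is_file and fallback are injectable (hypothetical parameters) so the
    decision can be checked without touching the real filesystem.
    Assumption: an unset, empty or non-existent entry is skipped, not an error.
    """
    env = os.environ if env is None else env
    candidates = [
        (ENV_VAR, env.get(ENV_VAR, "")),
        ("system", SYSTEM_BUNDLE),
    ]
    for source, path in candidates:
        if path and is_file(path):
            return path, source
    return fallback(), "certifi"


if __name__ == "__main__":
    # Report which trust store would be used on this machine, and why.
    path, source = resolve_ca_bundle()
    print(f"CA bundle: {path} (selected by: {source})")
```

Reporting the source next to the path makes it visible when a mistyped `$NIX_SSL_CERT_FILE` is skipped and a different trust store ends up in use.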