The bundled Python's openssl has a hardcoded cafile path from the build
environment (/var/lib/gitea-runner/.cache/...) which does not exist on
the target system. This causes SSL certificate verification to fail for
internal services like silo.kindred.internal that use the FreeIPA CA.
Set SSL_CERT_FILE to the system CA bundle (/etc/ssl/certs/ca-certificates.crt
on Debian/Ubuntu or /etc/pki/tls/certs/ca-bundle.crt on RHEL) in both
the kindred-create and kindred-create-cmd wrapper scripts. This allows
the bundled Python to verify certificates signed by any CA in the
system trust store, including the FreeIPA CA.
6facd8227b