SSL verification error with ansible-galaxy in derivation

I have the following derivation, however I can’t build it because it gives me an error.
When I disable cert verification is works as intended.
As you can see I tried with multiple env vars to provide the certificate.
I think the actual download is done with the Python library urllib.

Derivation:

{
  cacert,
  lib,
  prodEnv,
  root,
  stdenvNoCC,
}:
let
  fs = lib.fileset;
  requirementsFile = "requirements_ansible_galaxy.yml";
  requirementsFilePath = fs.toSource {
    fileset = root + "/${requirementsFile}";
    inherit root;
  };
in
stdenvNoCC.mkDerivation {
  name = "galaxy-requirements";
  src = requirementsFilePath;
  nativeBuildInputs = [ prodEnv ];
  DEFAULT_CA_BUNDLE_PATH = "${cacert}/etc/ssl/certs/ca-bundle.crt";
  REQUESTS_CA_BUNDLE = "${cacert}/etc/ssl/certs/ca-bundle.crt";
  SSL_CERT_FILE = "${cacert}/etc/ssl/certs/ca-bundle.crt";
  installPhase = ''
    mkdir -p $out/
    ANSIBLE_HOME="''$TMPDIR" ${prodEnv}/bin/ansible-galaxy collection install -r $src/${requirementsFile} -p $out
  '';
  dontFixup = true;
  outputHashAlgo = "sha256";
  outputHashMode = "recursive";
  outputHash = "";
}

Error:

ERROR! Unknown error when attempting to call Galaxy at 'https://galaxy.ansible.com/api/': <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1007)>. <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1007)>

Adding:

NIX_SSL_CERT_FILE = "${cacert}/etc/ssl/certs/ca-bundle.crt";

Instead of any of these works:

  DEFAULT_CA_BUNDLE_PATH = "${cacert}/etc/ssl/certs/ca-bundle.crt";
  REQUESTS_CA_BUNDLE = "${cacert}/etc/ssl/certs/ca-bundle.crt";
  SSL_CERT_FILE = "${cacert}/etc/ssl/certs/ca-bundle.crt";

Thanks to @Sandro for providing the solution on Mastodon.