The reason for the rejection is right there in the exception message: the certificate has expired.
That’s not correct though. Or incomplete: Which certificate? Maybe (one of) the intermediate certificates was.
Do you have to use Python to inspect the certificate?
Python is the only software that has a problem with the certificate. So it would be nice to confirm which one Python “sees”.
Do you have a concrete suggestion for how this could be improved?
Maybe improve / fix the error message? (See also this discussion?)
Maybe allow access to the certificate if verification fails, maybe via an exception attribute?
Maybe allow access to the certificate if verification is disabled? (getpeercert() returns {}.)
Maybe allow logging more useful information or registering a callback to inspect the certificate?
(And inspecting the relevant chain.)
Maybe look at Mercurial’s debugssl command?
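A diagnostic along the lines of the suggestions above, as an added example that is not part of this thread or of CPython's ssl module: it connects with verification disabled, takes the DER that getpeercert(binary_form=True) still returns when getpeercert() gives {}, and reads the notAfter field with a minimal ASN.1 walk, so one can see which leaf certificate Python actually received and whether it is the expired one. The helper names and the constructed certificate skeleton used for offline testing are assumptions, not real certificates.

```python
import socket
import ssl
from datetime import datetime, timezone

def _tlv(data, pos):
    """Decode one DER TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                              # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def cert_not_after(der):
    """Return notAfter of a DER X.509 certificate as an aware UTC datetime."""
    _, tbs, _ = _tlv(_tlv(der, 0)[1], 0)           # Certificate -> tbsCertificate
    tag, _, pos = _tlv(tbs, 0)
    if tag == 0xA0:                                # explicit [0] version present,
        _, _, pos = _tlv(tbs, pos)                 # so serialNumber is the next TLV
    _, _, pos = _tlv(tbs, pos)                     # signature AlgorithmIdentifier
    _, _, pos = _tlv(tbs, pos)                     # issuer Name
    _, validity, _ = _tlv(tbs, pos)                # validity SEQUENCE
    _, _, pos = _tlv(validity, 0)                  # notBefore
    tag, t, _ = _tlv(validity, pos)                # notAfter: UTCTime or GeneralizedTime
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(t.decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def is_expired(der, now=None):
    """True when the certificate's notAfter lies before now (default: current UTC)."""
    return cert_not_after(der) < (now or datetime.now(timezone.utc))

def fetch_leaf_der(host, port=443):
    """Diagnostic-only fetch with verification disabled (never for the real connection)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE                # getpeercert() now returns {} ...
    with socket.create_connection((host, port)) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)   # ... but the DER is still available

def _der(tag, body):
    """Encode one short-form DER TLV; used only to build the constructed sample."""
    return bytes([tag, len(body)]) + body

def constructed_cert(not_after=(0x17, b"210101000000Z")):
    """Constructed certificate skeleton, not a real certificate: v3, serial 1,
    empty signature/issuer fields, notBefore 2020-01-01, notAfter as given."""
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"")
           + _der(0x30, b"") + _der(0x30, _der(0x17, b"200101000000Z") + _der(*not_after)))
    return _der(0x30, _der(0x30, tbs))
```

Running `is_expired(fetch_leaf_der("host.example"))` against the failing server shows whether the leaf is the expired certificate; if it is not, the problem lies in an intermediate, which this leaf-only check cannot see.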