diff --git a/CHANGES/3036.bugfix b/CHANGES/3036.bugfix
new file mode 100644
index 0000000000..c16f7f6ace
--- /dev/null
+++ b/CHANGES/3036.bugfix
@@ -0,0 +1 @@
+Taught downloader to trust system-cert-store on HTTPS proxy connections.
diff --git a/pulpcore/download/factory.py b/pulpcore/download/factory.py
index 0bd71391ea..bec8759f53 100644
--- a/pulpcore/download/factory.py
+++ b/pulpcore/download/factory.py
@@ -120,6 +120,8 @@ def _make_aiohttp_session_from_remote(self):
             sslcontext.verify_mode = ssl.CERT_NONE
         if sslcontext:
             tcp_conn_opts["ssl_context"] = sslcontext
+            # Trust the system-known CA certs, not just the end-remote CA
+            sslcontext.load_default_certs()
 
         headers = MultiDict({"User-Agent": DownloaderFactory.user_agent()})
         if self._remote.headers is not None: