diff --git a/cpython-unix/build-cpython.sh b/cpython-unix/build-cpython.sh
index a95e3adfb..e2bccf3e6 100755
--- a/cpython-unix/build-cpython.sh
+++ b/cpython-unix/build-cpython.sh
@@ -311,6 +311,11 @@ if [ "${PYTHON_MAJMIN_VERSION}" = 3.12 ] || [ "${PYTHON_MAJMIN_VERSION}" = 3.13
 patch -p1 -i ${ROOT}/patch-test-embed-prevent-segfault.patch
 fi
 
+# RHEL 8 (supported until 2029) and below, including Fedora 33 and below, do not
+# ship an /etc/ssl/cert.pem or a hashed /etc/ssl/cert/ directory. Patch to look at
+# /etc/pki/tls/cert.pem instead, if that file exists and /etc/ssl/cert.pem does not.
+patch -p1 -i ${ROOT}/patch-cpython-redhat-cert-file.patch
+
 # Cherry-pick an upstream change in Python 3.15 to build _asyncio as
 # static (which we do anyway in our own fashion) and more importantly to
 # take this into account when finding the AsyncioDebug section.
diff --git a/cpython-unix/patch-cpython-redhat-cert-file.patch b/cpython-unix/patch-cpython-redhat-cert-file.patch
new file mode 100644
index 000000000..0ed5503ba
--- /dev/null
+++ b/cpython-unix/patch-cpython-redhat-cert-file.patch
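Review bot: The new `patch -p1 -i ${ROOT}/patch-cpython-redhat-cert-file.patch` is applied unconditionally, while the neighbouring `patch-test-embed-prevent-segfault.patch` just above it is gated on `PYTHON_MAJMIN_VERSION`; the new patch pins hunks at fixed offsets in `Lib/ssl.py` (`@@ -423` and `@@ -531`), so if that file differs across the versions this script builds, `patch` will fail the build for the versions it does not match. Either guard it the same way or state in the comment which versions it has been verified against. The comment's `/etc/ssl/cert/` looks like a typo for `/etc/ssl/certs/`, the conventional hashed-directory location, unless this project's OpenSSL is configured differently. The `if` block that holds the previous `patch` line begins outside the hunk.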
@@ -0,0 +1,24 @@
+diff --git a/Lib/ssl.py b/Lib/ssl.py
+index 42ebb8ed384..2cf7e64e18e 100644
+--- a/Lib/ssl.py
++++ b/Lib/ssl.py
+@@ -423,6 +423,7 @@ class SSLContext(_SSLContext):
+ """An SSLContext holds various SSL-related configuration options and
+ data, such as certificates and possibly a private key."""
+ _windows_cert_stores = ("CA", "ROOT")
++ _FALLBACK_CERT_FILE = "/etc/pki/tls/cert.pem" # RHEL 8 and below, Fedora 33 and below
+
+ sslsocket_class = None # SSLSocket is assigned later.
+ sslobject_class = None # SSLObject is assigned later.
+@@ -531,6 +532,11 @@ def load_default_certs(self, purpose=Purpose.SERVER_AUTH):
+ if sys.platform == "win32":
+ for storename in self._windows_cert_stores:
+ self._load_windows_store_certs(storename, purpose)
++ elif sys.platform == "linux":
++ _def_paths = _ssl.get_default_verify_paths()
++ openssl_cafile = os.environ.get(_def_paths[0], _def_paths[1])
++ if not os.path.isfile(openssl_cafile) and os.path.isfile(self._FALLBACK_CERT_FILE):
++ self.load_verify_locations(cafile=self._FALLBACK_CERT_FILE)
+ self.set_default_verify_paths()
+
+ if hasattr(_SSLContext, 'minimum_version'):
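Review bot: The fallback condition `if not os.path.isfile(openssl_cafile) and os.path.isfile(self._FALLBACK_CERT_FILE):` also fires when an operator has set the cert-file environment variable named in `_def_paths[0]` (`SSL_CERT_FILE`) to a path that does not exist, so a mistyped pinned CA file silently widens trust to the whole distro bundle instead of failing verification; it likewise ignores the hashed-directory pair returned in the same tuple (`_def_paths[2]`/`_def_paths[3]`), so a deliberately restricted `SSL_CERT_DIR` gets the system bundle added on top of it. Limiting the fallback to the unconfigured case, `if _def_paths[0] not in os.environ and _def_paths[2] not in os.environ and not os.path.isfile(_def_paths[1]) and os.path.isfile(self._FALLBACK_CERT_FILE):`, keeps explicit operator settings authoritative. Unlike `set_default_verify_paths()`, `load_verify_locations()` raises when the file is present but unreadable or malformed, which is a new failure mode for `load_default_certs` on Linux and is worth a comment next to the call, or a narrow `except OSError` if best-effort behaviour is intended. `load_default_certs` starts and ends outside this nested hunk.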