Similar to curl and the OpenStack CLIs, bkr should have an option --insecure which will skip validity checks for the server SSL certificate. In particular this will make it possible to use bkr on Beaker-provisioned systems to talk to a Beaker server which is using an SSL cert issued by a private CA, like in our environment. For background see https://gerrit.beaker-project.org/4934
http://gerrit.beaker-project.org/4982
I also made a config option for this, SSL_VERIFY defaulting to True. When set to False it tells requests to skip SSL cert checks (xmlrpclib already does no SSL cert checks...). The --insecure option is equivalent to setting SSL_VERIFY=False.
This bug fix is included in beaker-client-23.1-0.git.3.f9ce229 which is currently available for download here: https://beaker-project.org/nightlies/release-23/
Beaker 23.1 has been released.