Snap does not use private/self-signed CAs from the system

Bug #2071595 reported by Trent Lloyd
Affects: simplestreams | Status: In Progress | Importance: Undecided | Assigned to: Trent Lloyd | Milestone: (none)

Bug Description

You are unable to connect to a mirror source which uses a private/self-signed CA which is installed into the system SSL certificate store (/usr/local/share/ca-certificates)

= Reproducer =
To test this, setup nginx on Ubuntu and modify /etc/nginx/sites-enabled/default as follows:

Inside the server {} section, add the following to the existing contents (you can keep the port 80 listeners)

listen 443 ssl default_server;
listen [::]:443 ssl default_server;
ssl_certificate /etc/ssl/certs/nginx.crt;
ssl_certificate_key /etc/ssl/private/nginx.key;
location /images.maas.io/ {
  proxy_pass https://images.maas.io/;
  proxy_buffering on;
  proxy_cache STATIC;
  proxy_cache_valid 200 1d;
  proxy_cache_use_stale error timeout invalid_header updating http_500 http_502 http_503 http_504;
}

Add this below outside the server {} section:
proxy_cache_path /srv/nginx/cache levels=1:2 keys_zone=STATIC:10m max_size=32g inactive=60d;

Create a self-signed certificate as follows:
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/nginx.key -out /etc/ssl/certs/nginx.crt

You must enter a resolvable hostname to this machine for the "Common Name (e.g. server FQDN or YOUR name)" (an IP might work, though I didn't try it).

Then run:
sudo cp /etc/ssl/certs/nginx.crt /usr/local/share/ca-certificates/
sudo update-ca-certificates
systemctl restart nginx

Then a simple test before/after using:
simplestreams.sstream-query https://NGINX_HOSTNAME/images.maas.io/ephemeral-v3/stable/

Error:
requests.exceptions.SSLError: HTTPSConnectionPool(host='NGINX_HOSTNAME', port=443): Max retries exceeded with url: /x/streams/v1/index.sjson (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate (_ssl.c:1007)')))
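The traceback above comes from Python requests, which by default verifies against the CA bundle shipped in the certifi package rather than the OpenSSL system store, so a CA added with update-ca-certificates is never consulted unless the caller points the client at the system bundle. The following is an added example (not simplestreams or snap code, and not the fix on the related branch) showing how a requests-based client can prefer the system store while still refusing to disable verification. The non-Debian bundle paths and the environment-variable precedence are assumptions for illustration; only /etc/ssl/certs/ca-certificates.crt is confirmed by the reproducer. Whether a strictly confined snap exposes the host's /etc/ssl/certs at all is a separate question this report does not settle.

```python
import os
import ssl

# Where the concatenated system bundle lives. Assumption: the non-Debian
# paths are illustrative; only the first is exercised by the reproducer,
# where update-ca-certificates folds /usr/local/share/ca-certificates into it.
SYSTEM_BUNDLES = (
    "/etc/ssl/certs/ca-certificates.crt",  # Debian/Ubuntu (update-ca-certificates output)
    "/etc/pki/tls/certs/ca-bundle.crt",    # RHEL/Fedora
    "/etc/ssl/cert.pem",                   # Alpine, OpenBSD
)

# Operator overrides, in the order this example honours them (assumption).
OVERRIDE_VARS = ("REQUESTS_CA_BUNDLE", "CURL_CA_BUNDLE", "SSL_CERT_FILE")


def resolve_ca_bundle(environ=None, exists=os.path.exists):
    """Pick the CA bundle a client should verify against.

    Order: an explicit override from the environment, then the first system
    bundle that exists on disk, then None meaning "no system store found;
    fall back to the library default (certifi for requests)". `environ` and
    `exists` are injectable so the selection logic can be tested without
    touching the real host.
    """
    env = os.environ if environ is None else environ
    for var in OVERRIDE_VARS:
        path = env.get(var)
        if path:
            return path
    for path in SYSTEM_BUNDLES:
        if exists(path):
            return path
    return None


def verify_argument(environ=None, exists=os.path.exists):
    """Value to pass as requests' `verify=`: a bundle path, or True for the
    library default. Never returns False; turning verification off is not a
    fix for a CA the client cannot see."""
    return resolve_ca_bundle(environ, exists) or True


def system_ssl_context(bundle=None):
    """An ssl.SSLContext that trusts the OS store, as openssl s_client and
    curl do. create_default_context() loads OpenSSL's default verify paths
    (/etc/ssl/certs on Ubuntu); also loading the bundle file explicitly makes
    the CAs visible through ctx.get_ca_certs() when diagnosing trust issues."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    if bundle:
        ctx.load_verify_locations(cafile=bundle)
    return ctx


def fetch_with_system_store(url, environ=None, exists=os.path.exists):
    """GET `url` with requests while trusting the system CA store. requests
    is imported lazily so the helpers above work without it installed."""
    import requests  # third-party; assumed available only for this call

    return requests.get(url, verify=verify_argument(environ, exists), timeout=30)


if __name__ == "__main__":
    import sys

    # Usage: python3 ca_bundle.py https://NGINX_HOSTNAME/images.maas.io/ephemeral-v3/stable/
    print("bundle:", resolve_ca_bundle())
    if len(sys.argv) > 1:
        response = fetch_with_system_store(sys.argv[1])
        print(response.status_code, response.headers.get("content-type"))
```

Before blaming the client, confirm the system store really trusts the mirror with `openssl s_client -connect NGINX_HOSTNAME:443 -CApath /etc/ssl/certs`; if that verifies but the tool still fails, the tool is not reading the system store. As a quick check with the unmodified tool, exporting REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt before running sstream-query should make requests pick up the system bundle, provided the snap's confinement lets the process read that path.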

Trent Lloyd (lathiat)
Changed in simplestreams:
status: New → In Progress
assignee: nobody → Trent Lloyd (lathiat)