diff --git a/Lib/test/support/__init__.py b/Lib/test/support/__init__.py
index e6db70ff5c7..253f319c136 100644
--- a/Lib/test/support/__init__.py
+++ b/Lib/test/support/__init__.py
@@ -691,6 +691,18 @@ def _is_ipv6_enabled():
 
 IPV6_ENABLED = _is_ipv6_enabled()
 
+def system_must_validate_cert(f):
+    """Skip the test on TLS certificate validation failures."""
+    @functools.wraps(f)
+    def dec(*args, **kwargs):
+        try:
+            f(*args, **kwargs)
+        except IOError as e:
+            if e.reason == "CERTIFICATE_VERIFY_FAILED":
+                raise unittest.SkipTest("system does not contain "
+                                        "necessary certificates")
+            raise
+    return dec
 
 # A constant likely larger than the underlying OS pipe buffer size, to
 # make writes blocking.
diff --git a/Lib/test/test_httplib.py b/Lib/test/test_httplib.py
index d259fb28533..3b57d09e57b 100644
--- a/Lib/test/test_httplib.py
+++ b/Lib/test/test_httplib.py
@@ -794,6 +794,7 @@ class HTTPSTest(TestCase):
             resp = h.getresponse()
             self.assertIn('nginx', resp.getheader('server'))
 
+    @support.system_must_validate_cert
     def test_networked_trusted_by_default_cert(self):
         # Default settings: requires a valid cert from a trusted CA
         support.requires('network')