Loading cadata in PEM format results in a nested asn1 error. Workaround is to convert cadata to unicode.

Minimum code for reproducing the issue:
>>>import ssl
>>> with open('ca.crt') as f:
...     ca_crt = f.read()
...
>>> c = ssl.create_default_context()
>>> c.load_verify_locations(cadata=ca_crt)
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
ssl.SSLError: nested asn1 error (_ssl.c:2902)

With workaround to make it work:
>>>import ssl
>>> with open('ca.crt') as f:
...     ca_crt = f.read()
...
>>> c = ssl.create_default_context()
>>> c.load_verify_locations(cadata=unicode(ca_crt))

The issue is annoying as the documentation explicitly states cadata to be "either an ASCII string of one or more PEM-encoded certificates...". Furthermore the unicode function is not present in Python 3.x, making the workaround version-dependent.

The documentation refers to ASCII string as Python 3-style ASCII text object. In Python 2, that's the unicode data type. The feature was backported from Python 3. I guess the documentation was directly taken from Python 3's documentation and not updated to reflect Python 2's quirky str type.

You can use the io module to get the proper text type on Python 2 and 3.

import io
with io.open('ca.crt') as f:
    ca_crt = f.read()

Thanks a lot for the quick answer! Verified that the proposed solution works with PEM certificates in both Python 2 and 3.