Launchpad.net uses a CA authority that a SSL library in one particular Python module doesnt know about. This is several bugs at once. Launchpad trying to be "special" with CAs, bzr having two completely different Python HTTP client libraries, and being inconsistant about checking SSL host keys.
But, until they quit fingerpointing and get it fixed, here is a good workaround, until they get it fixed. Run the following command:
curl -NO http://curl.haxx.se/ca/cacert.pem >~/cacert.pem
Now the Python SSL HTTP library in bzr will use that set of CAs instead of the system one, and it will quietly and correctly Just Work