I also had a similar situation: a customer upgraded to 10.0.8, and then all of the downloads got stuck on the status “Pending Downloads” and then indicated an error with a self-signed certificate.
The root server was configured with a proxy.
For testing, I took the same proxy settings, configured them in the browser and pasted the URL for the download. The root certificate had been replaced with a self-signed certificate of the proxy: they had enabled SSL inspection.
At first, I thought to set the _BESRelay_Download_CACertPath on the root server to a custom CA bundle that would include the root certificate of the proxy, BUT then the system administrator would need to do the manual job of updating the custom CA bundle with the new CA bundle that is gathered in the BES Support site and adding the self-signed root certificate of the proxy. Of course, this could also be automated.
I ditched that idea and used _BESRelay_Download_UntrustedSites = 1 to return to the previous way of downloading content.
If it were possible to use the new method of validating with the updated CA bundle in the BES Support site and allow a fallback CA bundle that would include a custom root CA that the system administrator would update, that could help.
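Added example, not part of the original post and not BigFix code: a sketch of the automation the post mentions, merging the vendor CA bundle with a locally maintained PEM file that holds the proxy's root certificate, so that the result can be the file _BESRelay_Download_CACertPath points to. The function names are hypothetical, the sample "certificates" are constructed placeholder bytes rather than real X.509 data, and the merge deduplicates on the encoded bytes only; it does not validate the certificates.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S
)

def pem_blocks(text):
    """Return the decoded (DER) bytes of every CERTIFICATE block in a bundle."""
    return [base64.b64decode("".join(body.split()), validate=True)
            for body in PEM_RE.findall(text)]

def to_pem(der):
    """Re-encode DER bytes as one PEM block with 64-character lines."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
            + "\n-----END CERTIFICATE-----\n")

def merge_bundles(vendor_pem, local_pem):
    """Vendor CAs first, then local CAs not already present (SHA-256 of DER)."""
    seen, out = set(), []
    for der in pem_blocks(vendor_pem) + pem_blocks(local_pem):
        digest = hashlib.sha256(der).hexdigest()
        if digest not in seen:
            seen.add(digest)
            out.append(der)
    if not out:
        raise ValueError("no certificates found in either input")
    return "".join(to_pem(der) for der in out)

def _placeholder_cert(label):
    # Constructed sample bytes, NOT a real certificate.
    return to_pem(hashlib.sha512(label).digest() * 3)

# Constructed inputs: a two-CA "vendor" bundle and a local file that holds
# the proxy root plus one CA the vendor bundle already contains.
VENDOR = _placeholder_cert(b"public-ca-1") + _placeholder_cert(b"public-ca-2")
LOCAL = _placeholder_cert(b"proxy-root") + _placeholder_cert(b"public-ca-2")

if __name__ == "__main__":
    merged = merge_bundles(VENDOR, LOCAL)
    print(len(pem_blocks(merged)), "certificates in merged bundle")
```

Re-running the merge whenever a new vendor bundle is downloaded keeps the local file as the only thing the administrator maintains by hand.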