From 8dee9546ae82dbf53f8f7a22e0c916416a7c8efe Mon Sep 17 00:00:00 2001 From: lekss361 <47113017+lekss361@users.noreply.github.com> Date: Fri, 15 May 2026 14:50:21 +0300 Subject: [PATCH] fix(cadastre): NSPDBulkClient verify=False for NSPD SSL chain (#168 hotfix) (#175) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Pilot run #1 failed on all 50 quarters with: NspdBulkError: [SSL: CERTIFICATE_VERIFY_FAILED] self-signed certificate in certificate chain NSPD prod chain on Beget VPS contains an internal/self-signed CA → httpx default verify=True trips. Reuse pattern from legacy app.services.scrapers.nspd_lite (uses ssl._create_unverified_context() for same reason since April 2026). Risk profile: NSPD public gov data, no sensitive payload outbound, admin token не уходит к NSPD endpoints. MITM risk minimal. Co-authored-by: lekss361 --- backend/app/scrapers/nspd_bulk_client.py | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/backend/app/scrapers/nspd_bulk_client.py b/backend/app/scrapers/nspd_bulk_client.py index f44dbeb7..b51ba3e3 100644 --- a/backend/app/scrapers/nspd_bulk_client.py +++ b/backend/app/scrapers/nspd_bulk_client.py @@ -114,10 +114,16 @@ class NSPDBulkClient: self._client: httpx.AsyncClient | None = None async def __aenter__(self) -> NSPDBulkClient: + # NSPD prod chain contains a self-signed/internal CA on Beget VPS → + # default verify trips CERTIFICATE_VERIFY_FAILED. Existing legacy + # client (app.services.scrapers.nspd_lite) uses unverified context + # for the same reason — reuse pattern. Risk OK: public gov data, + # no sensitive payload, X-Admin-Token не уходит к NSPD. self._client = httpx.AsyncClient( headers=self._headers, timeout=self._timeout, follow_redirects=True, + verify=False, ) return self