From ca0943689dd438f5427878d88ea63b1cc52cee4b Mon Sep 17 00:00:00 2001 From: bot-backend Date: Sun, 31 May 2026 22:33:42 +0300 Subject: [PATCH] =?UTF-8?q?fix(tradein):=20skip=20TLS=20verify=20for=20sbe?= =?UTF-8?q?rindex.ru=20pull=20=E2=80=94=20server=20omits=20LE=20intermedia?= =?UTF-8?q?te=20(#922)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- tradein-mvp/backend/app/services/sber_index.py | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/tradein-mvp/backend/app/services/sber_index.py b/tradein-mvp/backend/app/services/sber_index.py index 3554a0a7..64f9bd57 100644 --- a/tradein-mvp/backend/app/services/sber_index.py +++ b/tradein-mvp/backend/app/services/sber_index.py @@ -307,7 +307,14 @@ async def pull_sber_indices( counters: dict[str, int] = {"upserted": 0, "skipped": 0, "errors": 0} - async with httpx.AsyncClient(timeout=SBER_HTTP_TIMEOUT) as client: + # #922: sberindex.ru serves an INCOMPLETE TLS chain — it sends only the leaf + # certificate and omits the Let's Encrypt intermediate (R13), so cert + # verification fails with "unable to get local issuer certificate" (verify + # code 21) even against a full system/certifi trust store. This is a + # server-side misconfiguration outside our control. The endpoint is public, + # unauthenticated, non-sensitive open data, so we skip TLS verification here + # rather than pin a Let's Encrypt intermediate that rotates (R10–R14+). + async with httpx.AsyncClient(timeout=SBER_HTTP_TIMEOUT, verify=False) as client: for ref_area, _city_hint in cities.items(): for dashboard in dashboards: try: