fix(tradein): skip TLS verify for sberindex.ru pull — server omits LE intermediate (#922) #924

Merged
lekss361 merged 1 commit from fix/922-sber-tls-verify into main 2026-05-31 19:34:24 +00:00
Owner

Closes #922.

Problem

sber_index_pull fails on the prod scheduler with [SSL: CERTIFICATE_VERIFY_FAILED] unable to get local issuer certificate. Diagnosed live (prod box + locally):

  • sberindex.ru cert = Let's Encrypt R13 → ISRG Root X1 (not a Russian CA — the initial QA guess was wrong).
  • Server sends only the leaf cert (1 cert), omitting the R13 intermediate → openssl s_client verify code 21 (unable to verify the first certificate), fails even against the full system trust store. Server-side misconfiguration outside our control.

Fix

verify=False on the single httpx.AsyncClient in pull_sber_indices (with an explanatory comment). Rationale:

  • Public, unauthenticated, non-sensitive open-data endpoint.
  • Robust against Let's Encrypt intermediate rotation (R10–R14+) — pinning an intermediate would break on each renewal.
  • Proven working: QA manual run with verify=False{upserted: 621, skipped: 0, errors: 0}, all 9 series populated, values match baseline.

Note: ruff select has no S (bandit) rules, so verify=False is not flagged and no # noqa is added (would trip RUF100). Only the data-pull client is affected; nothing else calls sberindex.

Verify after merge+deploy

Set next_run_at = now() on scrape_schedules source='sber_index_pull' (or wait for the tick) → confirm scrape_runs shows errors=0 and sber_price_index refreshes via the scheduler (not just the manual seed).

🤖 Generated with Claude Code

Closes #922. ## Problem `sber_index_pull` fails on the prod scheduler with `[SSL: CERTIFICATE_VERIFY_FAILED] unable to get local issuer certificate`. Diagnosed live (prod box + locally): - sberindex.ru cert = **Let's Encrypt R13 → ISRG Root X1** (not a Russian CA — the initial QA guess was wrong). - Server sends **only the leaf cert (1 cert)**, omitting the R13 intermediate → `openssl s_client` verify code **21 (unable to verify the first certificate)**, fails even against the full system trust store. Server-side misconfiguration outside our control. ## Fix `verify=False` on the single `httpx.AsyncClient` in `pull_sber_indices` (with an explanatory comment). Rationale: - Public, unauthenticated, non-sensitive **open-data** endpoint. - Robust against Let's Encrypt intermediate rotation (R10–R14+) — pinning an intermediate would break on each renewal. - Proven working: QA manual run with `verify=False` → `{upserted: 621, skipped: 0, errors: 0}`, all 9 series populated, values match baseline. Note: ruff `select` has no `S` (bandit) rules, so `verify=False` is not flagged and no `# noqa` is added (would trip RUF100). Only the data-pull client is affected; nothing else calls sberindex. ## Verify after merge+deploy Set `next_run_at = now()` on `scrape_schedules` source='sber_index_pull' (or wait for the tick) → confirm `scrape_runs` shows `errors=0` and `sber_price_index` refreshes via the scheduler (not just the manual seed). 🤖 Generated with [Claude Code](https://claude.com/claude-code)
lekss361 added 1 commit 2026-05-31 19:34:00 +00:00
lekss361 added the
status/review
label 2026-05-31 19:34:06 +00:00
lekss361 merged commit a5457af716 into main 2026-05-31 19:34:24 +00:00
lekss361 deleted branch fix/922-sber-tls-verify 2026-05-31 19:34:24 +00:00
Sign in to join this conversation.
No reviewers
No milestone
No project
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: lekss361/gendesign#924
No description provided.