bug(backend): WebSocket connections fail with SSL CERTIFICATE_VERIFY_FAILED — self-signed cert not trusted

[mrveiss]

Bug

/var/log/autobot/backend-error.log logs continuously (every few seconds):

Unexpected WebSocket error: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate (_ssl.c:1010)

Root Cause

Backend is attempting WebSocket connections to a service using a self-signed TLS certificate. Python's SSL context rejects it because the cert is not in the trusted CA store. No backoff — the reconnect loop floods the log.

Impact

MEDIUM — Any feature relying on these WebSocket connections silently fails. Log noise makes other errors hard to spot.

Fix

1. Add the self-signed cert to the system trust store (update-ca-certificates) — preferred for internal services
2. Or pass ssl=ssl.create_default_context(cafile='/path/to/cert.pem') to the WebSocket connect call
3. Add exponential backoff to the reconnect loop to prevent log flooding

[mrveiss]

✅ Closed — fix merged in PR #4728

Commit: 5db7720a7 fix(backend): trust self-signed CA cert for internal WebSocket connections (#4664)

Acceptance Criteria Met:

• ✅ 4-level SSL trust hierarchy in _create_permissive_ssl_context(): explicit CA path → skip-verify flag → project CA fallback → system trust store
• ✅ certs/ca/ca-cert.pem project CA loaded as fallback — fixes production log flooding from SSL errors on reconnect
• ✅ AUTOBOT_SKIP_TLS_VERIFY opt-in only — TLS verification on by default
• ✅ 11/11 new tests passed (SSL hierarchy × 6, exponential backoff × 5)