fix(downloader): use certifi CA bundle as SSL fallback and log SSL error diagnostics

- Prefer certifi's CA bundle in aiohttp SSL context with graceful
  fallback to system default when certifi is unavailable
- Add is_ssl_cert_verify_error() helper for SSL cert failure detection
- Log actionable error message (pip install --upgrade certifi /
  pip install pip-system-certs) when SSL certificate verification fails
- Apply same diagnostic logging to aria2 redirect resolution path

py/services/aria2_downloader.py

@@ -14,7 +14,7 @@ from typing import Any, Dict, Optional, Tuple
 
 import aiohttp
 
-from .downloader import DownloadProgress, get_downloader
+from .downloader import DownloadProgress, get_downloader, is_ssl_cert_verify_error
 from .aria2_transfer_state import Aria2TransferStateStore
 from .settings_manager import get_settings_manager
 
@@ -391,6 +391,15 @@ class Aria2Downloader:
                     f"Failed to resolve authenticated Civitai redirect: status={response.status} body={body[:300]}"
                 )
         except aiohttp.ClientError as exc:
+            if is_ssl_cert_verify_error(exc):
+                logger.error(
+                    "SSL certificate verification failed during Civitai redirect "
+                    "resolution for %s. This is usually caused by an outdated CA "
+                    "certificate bundle. Recommended fixes:\n"
+                    "  1. pip install --upgrade certifi\n"
+                    "  2. pip install pip-system-certs",
+                    url,
+                )
             raise Aria2Error(
                 f"Failed to resolve authenticated Civitai redirect: {exc}"
             ) from exc