Re: FXA full-stack self-hosting: "bad mac" error at verification

Tue, 21 Apr 2015 22:20:49 -0700 

On 22/04/2015 08:11, Robin Bankhead wrote:
> 
> However, it now looks like syncserver is not happy: it's throwing a 503
> on the first post-verification connection attempt.  This is true whether
> behind Apache, or running directly (as in the below output).
> 
> hazel syncserver # make serve
> ./local/bin/pserve ./syncserver.ini
> /usr/local/src/syncserver/local/lib/python2.7/site-packages/tokenserver/verifiers.py:47:
> FutureWarning: The BrowserID certificate format has not been finalized
> and may change in backwards-incompatible ways.  If you find that the
> latest version of this module cannot verify a valid BrowserID assertion,
> please contact the author.
>   super(LocalVerifier, self).__init__(**kwargs)
> Starting server in PID 6098.
> serving on 0.0.0.0:5000 view at http://127.0.0.1:5000
> INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS
> connection (1): fxa.example.com
> INFO:mozsvc.metrics:{"code": 503, "request_time": 0.04334402084350586,
> "remoteAddressChain": ["192.168.2.7"], "agent": "Mozilla/5.0 (X11; Linux
> x86_64; rv:37.0) Gecko/20100101 Firefox/37.0",
> "token.assertion.connection_error": 1, "token.assertion.verify_failure":
> 1, "tokenserver.assertion.verify": 0.03910994529724121, "path":
> "http://fxa.example.com:5000/token/1.0/sync/1.5";, "method": "GET"}


This is almost certainly an issue with the syncserver trying to talk to
the fxa-auth-server, but failing.

In our production deployment, these two things are separate systems and
there's a bit of public-key crypto that ties them together.  To
authenticate to sync, the flow is as follows:

  * browser logs in to fxa-auth-server and gets a signed certificate
  * browser creates an "assertion" using the signed certificate and
    submits it to syncsever
  * syncserver loads the public key from fxa-auth-server and uses it
    to verify the assertion.

That last step seems to be failing.  The syncserver needs to be able to
make a https request out to the configured publicUrl of your
fxa-auth-server, requesting your local equivalent of this file:

  https://api.accounts.firefox.com/.well-known/browserid

Can you confirm whether this file is available on your setup?


  Cheers,

    Ryan
_______________________________________________
Sync-dev mailing list
[email protected]
https://mail.mozilla.org/listinfo/sync-dev

Reply via email to