Quoting Ryan Kelly <[email protected]>:

On 22/04/2015 19:58, Robin Bankhead wrote:
Quoting Ryan Kelly <[email protected]>:
On 22/04/2015 08:11, Robin Bankhead wrote:

FutureWarning: The BrowserID certificate format has not been finalized
and may change in backwards-incompatible ways.  If you find that the
latest version of this module cannot verify a valid BrowserID assertion,
please contact the author.
  super(LocalVerifier, self).__init__(**kwargs)
Starting server in PID 6098.
serving on 0.0.0.0:5000 view at http://127.0.0.1:5000
INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS
connection (1): fxa.example.com
INFO:mozsvc.metrics:{"code": 503, "request_time": 0.04334402084350586,
"remoteAddressChain": ["192.168.2.7"], "agent": "Mozilla/5.0 (X11; Linux
x86_64; rv:37.0) Gecko/20100101 Firefox/37.0",
"token.assertion.connection_error": 1, "token.assertion.verify_failure":
1, "tokenserver.assertion.verify": 0.03910994529724121, "path":
"http://fxa.example.com:5000/token/1.0/sync/1.5", "method": "GET"}


This is almost certainly an issue with the syncserver trying to talk to
the fxa-auth-server, but failing.

And I bet I know what's wrong now: I've been using a self-signed cert
for all the servers (the same one, in fact).  It's for example.com, no
wildcard to explicitly cover the subdomain fxa.example.com, so I'm
guessing that syncserver is not satisfied with that.

I can make a wildcard cert (or one specific to fxa.example.com) but will
even that work if it's still self-signed?  Can I import my own CA cert
into syncserver somehow?

It's possible but a bit fiddly.  The simplest path may be to obtain a
properly-signed certificate.  If only https://letsencrypt.org/ were
ready to go...

In my build of the syncserver I have the following files:

  local/lib/python2.7/site-packages/requests/cacert.pem
  local/lib/python2.7/site-packages/requests/certs.py

You may be able to patch one or both of these to include your own CA cert.


I hope it's not a matter of getting a proper cert; I have more trust in my own CA than any of today's root[ed] "authorities" :(

However it looks like it won't be necessary: I did some digging last night and hit paydirt.

I spotted somewhere that someone had added a key "ssl_certificate" to their syncserver.ini, grepped for this in the source and found this:

# The default verifier from browserid
# (excerpt from tokenserver's verifiers module; the imports it relies on are
# restored here so the snippet reads stand-alone. IBrowserIdVerifier is the
# interface defined alongside this class in the same module.)
import warnings
from zope.interface import implements
from browserid.verifiers.local import LocalVerifier as LocalVerifier_
from browserid.supportdocs import SupportDocumentManager


class LocalVerifier(LocalVerifier_):
    implements(IBrowserIdVerifier)

    def __init__(self, **kwargs):
        """:param ssl_certificate: The path to an optional ssl certificate to
        use when doing SSL requests with the BrowserID server.
        Set it to True (the default) to use default certificate authorities.
        Set to false to disable SSL verification.
        """
        if 'ssl_certificate' in kwargs:
            # Handed straight through as the `verify` argument of requests:
            # True = default CA bundle, a path = that CA bundle, False = no check.
            verify = kwargs.pop("ssl_certificate")
            if verify == False:
                _emit_warning()
        else:
            # Not configured: requests falls back to its default CA bundle.
            verify = None
        kwargs['supportdocs'] = SupportDocumentManager(verify=verify)
        super(LocalVerifier, self).__init__(**kwargs)


def _emit_warning():
    """Emit a scary warning so users will use a path to private cert instead."""
    msg = "browserid.ssl_certificate=False disables server's certificate validation and poses " \
          "a security risk. " \
          "You should pass the path to your self-signed certificate(s) instead. " \
          "For more information on the ssl_certificate parameter, see " \
          "http://docs.python-requests.org/en/latest/user/advanced/#ssl-cert-verification"
    warnings.warn(msg, RuntimeWarning, stacklevel=2)

Well, I can live with a scary warning, so I added "ssl_certificate = False", and all is copacetic! [So far...]

I'm assuming they mean a self-signed CA cert in the warning text: I briefly tried with the path to my server cert, and that didn't work (although I might have gotten the relative path wrong). I'll try that too when time allows, although honestly I can't see much cause for concern in simply not using SSL for a local transaction like this.

Anyway, it looks like I'm in business. Thanks so much for helping me along, this has been pretty gruelling (for the likes of me) but you've shortened the process greatly.

Best,
Robin Bankhead

_______________________________________________
Sync-dev mailing list
[email protected]
https://mail.mozilla.org/listinfo/sync-dev
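The check behind the guess earlier in the thread (a certificate for example.com does not cover fxa.example.com, a wildcard or host-specific one does), as an added example that is not code from syncserver, tokenserver, PyBrowserID or anyone on the list. It is a hostname matcher in the spirit of RFC 6125 and the old ssl.match_hostname(), run over three constructed certificates in the dict shape ssl.SSLSocket.getpeercert() returns; the peer_name_ok() wrapper and its ssl_certificate parameter are my own illustration of what the knob discussed above switches off, and the CA-bundle path used in the usage is made up.

```python
"""Does a certificate's name cover the host we are connecting to?

Added example (not from syncserver, tokenserver or PyBrowserID): hostname
matching in the spirit of RFC 6125 / the old ssl.match_hostname(), applied
to constructed certificates shaped like ssl.getpeercert() output.  This is
the check a cert for 'example.com' fails when the client connects to
'fxa.example.com', and one of the checks ssl_certificate=False turns off.
"""
import re


class CertificateError(ValueError):
    """Raised when no name in the certificate covers the hostname."""


def _dnsname_match(pattern, hostname):
    """True if certificate name `pattern` covers `hostname`.

    Rules applied (slightly stricter than the old stdlib matcher):
      * case-insensitive, trailing dots ignored;
      * a wildcard is honoured only in the left-most label and matches
        exactly one label: '*.example.com' covers 'fxa.example.com' but
        neither 'example.com' nor 'a.fxa.example.com';
      * a wildcard needs at least two labels after it ('*.com' is refused);
      * a name without a wildcard must match exactly.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern or not hostname:
        return False
    labels = pattern.split(".")
    leftmost, rest = labels[0], labels[1:]
    if "*" not in leftmost:
        return pattern == hostname
    if leftmost.count("*") > 1 or len(labels) < 3:
        return False
    host_labels = hostname.split(".")
    if len(host_labels) != len(labels) or host_labels[1:] != rest:
        return False
    # partial wildcards such as 'fx*.example.com' are allowed inside the label
    frag = re.escape(leftmost).replace(r"\*", "[^.]*")
    return re.fullmatch(frag, host_labels[0]) is not None


def cert_names(cert):
    """Names a cert is valid for: subjectAltName dNSName entries, falling
    back to the subject commonName only when there is no SAN at all."""
    san = [value for (kind, value) in cert.get("subjectAltName", ())
           if kind == "DNS"]
    if san:
        return san
    return [value for rdn in cert.get("subject", ())
            for (kind, value) in rdn if kind == "commonName"]


def match_hostname(cert, hostname):
    """Return the certificate name that covers `hostname`, else raise."""
    names = cert_names(cert)
    for name in names:
        if _dnsname_match(name, hostname):
            return name
    raise CertificateError("hostname %r doesn't match %s"
                           % (hostname, ", ".join(names) or "<no names>"))


def covers(cert, hostname):
    """Boolean form of match_hostname()."""
    try:
        match_hostname(cert, hostname)
    except CertificateError:
        return False
    return True


def peer_name_ok(cert, hostname, ssl_certificate=True):
    """Model the ssl_certificate knob from the thread (illustration only):
    False is requests' verify=False, which skips chain validation *and*
    this hostname check; True or a CA-bundle path keeps the check."""
    if ssl_certificate is False:
        return True  # nothing is checked: any certificate for any name passes
    return covers(cert, hostname)


# Constructed sample certificates, in the shape ssl.SSLSocket.getpeercert() returns.
CERT_EXAMPLE_COM = {  # the one shared cert from the thread: bare example.com
    "subject": ((("commonName", "example.com"),),),
    "subjectAltName": (("DNS", "example.com"),),
}
CERT_WILDCARD = {  # a wildcard cert that also lists the apex name
    "subject": ((("commonName", "*.example.com"),),),
    "subjectAltName": (("DNS", "*.example.com"), ("DNS", "example.com")),
}
CERT_FXA = {  # a cert issued specifically for fxa.example.com
    "subject": ((("commonName", "fxa.example.com"),),),
    "subjectAltName": (("DNS", "fxa.example.com"),),
}

if __name__ == "__main__":
    for label, cert in [("example.com", CERT_EXAMPLE_COM),
                        ("*.example.com", CERT_WILDCARD),
                        ("fxa.example.com", CERT_FXA)]:
        print("cert for %-16s covers fxa.example.com: %s"
              % (label, covers(cert, "fxa.example.com")))
    print("same cert with ssl_certificate=False: %s"
          % peer_name_ok(CERT_EXAMPLE_COM, "fxa.example.com", False))
```

Run stand-alone it shows the bare example.com cert failing for fxa.example.com while the wildcard and host-specific certs pass, and the same failing cert "passing" once ssl_certificate=False, because at that point nothing is compared at all. Pointing ssl_certificate at a PEM file containing your own CA certificate (a CA bundle path, which is what requests' verify expects, not the server cert itself) keeps both the chain check and this hostname check and is the setting the warning text is steering towards.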
