On 22/04/2015 19:58, Robin Bankhead wrote:
> Quoting Ryan Kelly <[email protected]>:
>> On 22/04/2015 08:11, Robin Bankhead wrote:
>>>
>>> However, it now looks like syncserver is not happy: it's throwing a 503
>>> on the first post-verification connection attempt.  This is true whether
>>> behind Apache, or running directly (as in the below output).
>>>
>>> hazel syncserver # make serve
>>> ./local/bin/pserve ./syncserver.ini
>>> /usr/local/src/syncserver/local/lib/python2.7/site-packages/tokenserver/verifiers.py:47:
>>>
>>> FutureWarning: The BrowserID certificate format has not been finalized
>>> and may change in backwards-incompatible ways.  If you find that the
>>> latest version of this module cannot verify a valid BrowserID assertion,
>>> please contact the author.
>>>   super(LocalVerifier, self).__init__(**kwargs)
>>> Starting server in PID 6098.
>>> serving on 0.0.0.0:5000 view at http://127.0.0.1:5000
>>> INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS
>>> connection (1): fxa.example.com
>>> INFO:mozsvc.metrics:{"code": 503, "request_time": 0.04334402084350586,
>>> "remoteAddressChain": ["192.168.2.7"], "agent": "Mozilla/5.0 (X11; Linux
>>> x86_64; rv:37.0) Gecko/20100101 Firefox/37.0",
>>> "token.assertion.connection_error": 1, "token.assertion.verify_failure":
>>> 1, "tokenserver.assertion.verify": 0.03910994529724121, "path":
>>> "http://fxa.example.com:5000/token/1.0/sync/1.5", "method": "GET"}
>>
>>
>> This is almost certainly an issue with the syncserver trying to talk to
>> the fxa-auth-server, but failing.
>>
> And I bet I know what's wrong now: I've been using a self-signed cert
> for all the servers (the same one, in fact).  It's for example.com, no
> wildcard to explicitly cover the subdomain fxa.example.com, so I'm
> guessing that syncserver is not satisfied with that.
> 
> I can make a wildcard cert (or one specific to fxa.example.com) but will
> even that work if it's still self-signed?  Can I import my own CA cert
> into syncserver somehow?

It's possible but a bit fiddly.  The simplest path may be to obtain a
properly-signed certificate.  If only https://letsencrypt.org/ were
ready to go...

In my build of the syncserver I have the following files:

  local/lib/python2.7/site-packages/requests/cacert.pem
  local/lib/python2.7/site-packages/requests/certs.py

You may be able to patch one or both of these to include your own CA cert.


  Cheers,

    Ryan


_______________________________________________
Sync-dev mailing list
[email protected]
https://mail.mozilla.org/listinfo/sync-dev
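The failure Robin reports and the fix Ryan sketches can be checked outside syncserver. The script below is an added example, not code from this thread, from syncserver, or from the requests library: it reproduces the two client-side checks that requests/urllib3 apply to the certificate fxa.example.com presents (chain to a CA in the trusted bundle, then match the hostname), shows why a certificate that only names example.com fails the second check even when it is trusted, and produces a private CA bundle that requests can be pointed at without patching files under site-packages. It assumes the openssl CLI (1.0.2 or later, for `verify -verify_hostname`), a POSIX sh and a writable temp directory; the CA names, file names and the example.com hostnames are illustrative.

```shell
#!/bin/sh
# Added example, not code from the thread, syncserver or requests.
# Assumes openssl >= 1.0.2 (for `verify -verify_hostname`) and POSIX sh.
# CA names, file names and hostnames are illustrative.
set -e

WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

# new_ca NAME OUTBASE: self-signed CA certificate plus private key.
new_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$1" \
        -keyout "$2.key" -out "$2.pem" 2>/dev/null
}

# new_leaf CN OUTBASE SAN: leaf certificate signed by ca.pem. Hostname
# verification looks at the subjectAltName first and only falls back to
# the CN when no SAN is present, so the SAN is what matters here.
new_leaf() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
        -keyout "$2.key" -out "$2.csr" 2>/dev/null
    printf 'subjectAltName=%s\n' "$3" > "$2.ext"
    openssl x509 -req -days 365 -in "$2.csr" -CA ca.pem -CAkey ca.key \
        -CAcreateserial -extfile "$2.ext" -out "$2.pem" 2>/dev/null
}

# client_check BUNDLE CERT HOST: prints "ok" or "fail". This is the
# client's view: build a chain to a CA in BUNDLE, then match HOST.
client_check() {
    if openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
    then
        echo ok
    else
        echo fail
    fi
}

new_ca "Private Sync CA" ca        # the CA you control
new_ca "Some Other Root" otherca   # stands in for the stock cacert.pem,
                                   # which does not contain your CA
new_leaf example.com     bare     "DNS:example.com"     # the thread's cert: example.com only
new_leaf fxa.example.com fxa      "DNS:fxa.example.com" # cert specific to the FxA host
new_leaf example.com     wildcard "DNS:example.com,DNS:*.example.com" # wildcard alternative

# Outcomes, as the syncserver's requests client would see them.
UNKNOWN_CA=$(client_check otherca.pem fxa.pem fxa.example.com)    # fail: issuer not in bundle
WRONG_HOST=$(client_check ca.pem bare.pem fxa.example.com)        # fail: trusted, but names example.com only
EXACT_OK=$(client_check ca.pem fxa.pem fxa.example.com)           # ok
WILDCARD_OK=$(client_check ca.pem wildcard.pem fxa.example.com)   # ok: *.example.com covers one label

printf 'unknown CA: %s\nwrong host: %s\nexact: %s\nwildcard: %s\n' \
    "$UNKNOWN_CA" "$WRONG_HOST" "$EXACT_OK" "$WILDCARD_OK"

# Hand the private bundle to requests without editing site-packages.
# requests reads REQUESTS_CA_BUNDLE when the calling code does not pass
# its own verify= argument, e.g.:
#   REQUESTS_CA_BUNDLE="$WORK/ca.pem" make serve
echo "CA bundle: $WORK/ca.pem"
```

The first "fail" is what the 503 above corresponds to: the stock bundle shipped in `requests/cacert.pem` does not contain the private CA, so the chain check fails before the hostname is even looked at. The second shows that fixing trust alone is not enough when the certificate only names example.com; a certificate for fxa.example.com or a `*.example.com` wildcard passes. Appending the CA to `requests/cacert.pem`, as suggested in the reply, also works, but that file is replaced whenever requests is upgraded, whereas a bundle referenced through `REQUESTS_CA_BUNDLE` survives upgrades (note that it is only honoured for calls that do not set `verify=` themselves).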
