crazy-max
commented
5 years ago Hi,
Can you give me the output of curl -v https://api.accounts.firefox.com/.well-known/browserid ?
Closed ghost closed 5 years ago
crazy-max
commented
5 years ago Hi,
Can you give me the output of curl -v https://api.accounts.firefox.com/.well-known/browserid ?
ghost
commented
5 years ago From the host system: `curl -v https://api.accounts.firefox.com/.well-known/browserid
GET /.well-known/browserid HTTP/1.1 Host: api.accounts.firefox.com User-Agent: curl/7.65.1 Accept: /
cat /etc/os-release NAME="Alpine Linux" ID=alpine VERSION_ID=3.10.0 PRETTY_NAME="Alpine Linux v3.10" HOME_URL="https://alpinelinux.org/" BUG_REPORT_URL="https://bugs.alpinelinux.org/"`
It occurred to me once you asked that I was previously running Ubuntu Server as my host OS, and migrated to Alpine not that long ago.
Alpine is amazingly lightweight, but it also doesn't come with like ANYTHING pre-installed out of the box. Could this be some sort of CA certs / bundle problem in the host OS? As far as I know, the exact same image & stack worked fine under Ubuntu Server.
crazy-max
commented
5 years ago Try adding this apk on your host: ca-certificates
ghost
commented
5 years ago Sorry for the delay, had a busy few days.
I installed ca-certificates and rebooted the host system, no effect on issue.
I'm going to test replicating the sync host under a VM with Ubuntu 19.04 with the same images & data. This should help isolate the issue to the host OS or something else.
I suspect this is just my install of Alpine being too minimal for its own good.
Will re-open if I can reproduce the issue more specifically.
crazy-max
commented
5 years ago Try to ask on mozilla-services/syncserver too.
ghost
commented
5 years ago For anyone who may stumble on this comment via the internet, I did isolate this issue to my host OS. On Alpine, I had to run the following to make things work: apk add py-pip python-dev libffi-dev openssl-dev gcc libc-dev make
I'm pretty sure in this case openssl-dev was key to making the handshake with the ID server work again.
This list is simply the pre-requisites for Docker-Compose on the Alpine OS. I somehow managed to not install those and so caused this issue.
I had been using this image successfully for a long time, syncing a few different client devices together without issue.
Today I found that I have no sync functionality at all. To troubleshoot this, I backed up my syncserver.db file first and then destroyed & recreated my container completely.
The sync server is responding to regular incoming web requests, I can get to the "it works" status page as expected.
Regardless of what I do, when I have a client device attempt to sync against the server, I'm getting the following output from "docker logs":
Setting timezone to America/Los_Angeles... Checking prerequisites... Generating configuration... [2019-07-24 18:53:26 +0000] [1] [INFO] Starting gunicorn 19.6.0 [2019-07-24 18:53:26 +0000] [1] [INFO] Listening at: http://0.0.0.0:5000 (1) [2019-07-24 18:53:26 +0000] [1] [INFO] Using worker: sync [2019-07-24 18:53:26 +0000] [13] [INFO] Booting worker with pid: 13 /usr/local/lib/python2.7/site-packages/pyramid/path.py:341: PkgResourcesDeprecationWarning: Parameters to load are deprecated. Call .resolve and .require separately. 'x=%s' % value).load(False) ERROR:tokenserver:Unexpected verification error Traceback (most recent call last): File "/usr/local/lib/python2.7/site-packages/tokenserver/views.py", line 110, in _valid_browserid_assertion assertion = verifier.verify(assertion) File "/usr/local/lib/python2.7/site-packages/tokenserver/verifiers.py", line 92, in verify data = super(LocalBrowserIdVerifier, self).verify(assertion, audience) File "/usr/local/lib/python2.7/site-packages/browserid/verifiers/local.py", line 115, in verify cert = self.verify_certificate_chain(certificates, now=now) File "/usr/local/lib/python2.7/site-packages/browserid/verifiers/local.py", line 161, in verify_certificate_chain root_key = self.supportdocs.get_key(root_issuer) File "/usr/local/lib/python2.7/site-packages/browserid/supportdoc.py", line 63, in get_key supportdoc = self.get_support_document(hostname) File "/usr/local/lib/python2.7/site-packages/browserid/supportdoc.py", line 58, in get_support_document raise error ConnectionError: Failed to GET https://api.accounts.firefox.com/.well-known/browserid. Reason: HTTPSConnectionPool(host='api.accounts.firefox.com', port=443): Max retries exceeded with url: /.well-known/browserid (Caused by NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at 0x7f278ff45390>: Failed to establish a new connection: [Errno -3] Try again',)) [2019-07-24 18:54:50 +0000] [1] [INFO] Handling signal: term [2019-07-24 18:54:50 +0000] [13] [INFO] Worker exiting (pid: 13) [2019-07-24 18:54:50 +0000] [1] [INFO] Shutting down: MasterOn a Windows client machine, I'm getting the following in Firefox's about:sync-log:
trace: TokenServerClientServerError@tokenserverclient.js:102:16 _processTokenResponse@tokenserverclient.js:311:19 getTokenFromBrowserIDAssertion@tokenserverclient.js:248:19 1563994093038 Sync.Status DEBUG Status.login: error.login.reason.network => error.login.reason.network 1563994093038 Sync.Status DEBUG Status.service: error.login.failed => error.login.failed 1563994093038 Sync.ErrorHandler ERROR Sync encountered a login error 1563994093039 Sync.SyncScheduler DEBUG Clearing sync triggers and the global score. 1563994093042 Sync.SyncScheduler DEBUG Next sync in 3600000 ms. (why=schedule) 1563994093049 Sync.Service DEBUG Exception calling WrappedLock: Error: Login failed: error.login.reason.network(resource://services-sync/service.js:869:15) JS Stack trace: onNotify@service.js:869:15 1563994093052 Sync.Service DEBUG Not syncing: login returned false.Steps To Reproduce: -Start or create a Docker container running the image crazymax/firefox-syncserver:latest -Have any Firefox client device attempt to sync against the server hosted in that container.
I am currently deploying via Docker Compose. I'm confident the other elements in my stack are working as expected. I am able to use other services hosted on the same system without issue and, like I said, I can hit the container's web interface.
I honestly can't tell if this is simply a service outtage of some kind, an undocumented change on the part of Mozilla, or what. I can't seem to find any public sites giving status updates on Mozilla's hosted services.
Is this just me?