mozilla-services / syncserver

Run-Your-Own Firefox Sync Server
Mozilla Public License 2.0

cacert.pem is missing for requests #249

Open DigNative opened 3 years ago

DigNative commented 3 years ago

I am observing the following issue when using the Firefox Sync Server (bfbc3abd36ee4db70df13a9c43f7758a1528c965):

mod_wsgi (pid=31619): Target WSGI script '/srv/software/mozilla-syncserver/syncserver.wsgi' cannot be loaded as Python module.
mod_wsgi (pid=31619): Exception occurred processing WSGI script '/srv/software/mozilla-syncserver/syncserver.wsgi'.
Traceback (most recent call last):
  File "/srv/software/mozilla-syncserver/syncserver.wsgi", line 43, in <module>
    application = loadapp('config:%s'% ini_file)
  File "/srv/software/mozilla-syncserver/local/lib/python2.7/site-packages/paste/deploy/loadwsgi.py", line 247, in loadapp
    ############################################################
  File "/srv/software/mozilla-syncserver/local/lib/python2.7/site-packages/paste/deploy/loadwsgi.py", line 272, in loadobj
  File "/srv/software/mozilla-syncserver/local/lib/python2.7/site-packages/paste/deploy/loadwsgi.py", line 710, in create
    self.loader = loader
  File "/srv/software/mozilla-syncserver/local/lib/python2.7/site-packages/paste/deploy/loadwsgi.py", line 146, in invoke
    if context.protocol in ('paste.composit_factory',
  File "/srv/software/mozilla-syncserver/local/lib/python2.7/site-packages/paste/deploy/util.py", line 55, in fix_call
    val = callable(*args, **kw)
  File "/srv/software/mozilla-syncserver/syncserver/__init__.py", line 281, in main
    config = get_configurator(global_config, **settings)
  File "/srv/software/mozilla-syncserver/syncserver/__init__.py", line 273, in get_configurator
    config.include(includeme)
  File "/srv/software/mozilla-syncserver/local/lib/python2.7/site-packages/pyramid/config/__init__.py", line 754, in include
    configurator.includepath = self.includepath + (spec,)
  File "/srv/software/mozilla-syncserver/syncserver/__init__.py", line 66, in includeme
    r = requests.get(urljoin(idp, '/.well-known/fxa-client-configuration'))
  File "/srv/software/mozilla-syncserver/local/lib/python2.7/site-packages/requests/api.py", line 70, in get
    :return: :class:`Response <Response>` object
  File "/srv/software/mozilla-syncserver/local/lib/python2.7/site-packages/requests/api.py", line 56, in request
    # By using the 'with' statement we are sure the session is closed, thus we
  File "/srv/software/mozilla-syncserver/local/lib/python2.7/site-packages/requests/sessions.py", line 488, in request
    :param stream: (optional) whether to immediately download the response
  File "/srv/software/mozilla-syncserver/local/lib/python2.7/site-packages/requests/sessions.py", line 609, in send
    """Send a given PreparedRequest.
  File "/srv/software/mozilla-syncserver/local/lib/python2.7/site-packages/requests/adapters.py", line 423, in send
    try:
  File "/srv/software/mozilla-syncserver/local/lib/python2.7/site-packages/requests/packages/urllib3/connectionpool.py", line 600, in urlopen
  File "/srv/software/mozilla-syncserver/local/lib/python2.7/site-packages/requests/packages/urllib3/connectionpool.py", line 345, in _make_request
  File "/srv/software/mozilla-syncserver/local/lib/python2.7/site-packages/requests/packages/urllib3/connectionpool.py", line 844, in _validate_conn
  File "/srv/software/mozilla-syncserver/local/lib/python2.7/site-packages/requests/packages/urllib3/connection.py", line 326, in connect
  File "/srv/software/mozilla-syncserver/local/lib/python2.7/site-packages/requests/packages/urllib3/util/ssl_.py", line 308, in ssl_wrap_socket
  File "/srv/software/mozilla-syncserver/local/lib/python2.7/site-packages/requests/packages/urllib3/contrib/pyopenssl.py", line 411, in load_verify_locations
  File "/srv/software/mozilla-syncserver/local/lib/python2.7/site-packages/OpenSSL/SSL.py", line 775, in load_verify_locations
  File "/srv/software/mozilla-syncserver/local/lib/python2.7/site-packages/OpenSSL/_util.py", line 54, in exception_from_error_queue
Error: [('system library', 'fopen', 'No such file or directory'), ('BIO routines', 'BIO_new_file', 'no such file'), ('x509 certificate routines', 'X509_load_cert_crl_file', 'system lib')]

It seems like the cacert.pem for the requests module is missing. I tried to copy over the cacert.pem to be found in ./local/lib/python2.7/site-packages/certifi/cacert.pem to ./local/lib/python2.7/site-packages/requests/cacert.pem, which seems to fix the issue in a quick and dirty way (I am not sure of any possible side effects).
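A start-up check for the CA bundle an HTTPS client will load, added here as an example (not code from the syncserver project). The traceback ends in OpenSSL's load_verify_locations() failing with 'No such file or directory', so this script resolves a bundle from REQUESTS_CA_BUNDLE, then certifi, then the OS default (that search order is an assumption) and confirms the file actually holds PEM certificates, so a missing bundle fails at deploy time rather than at WSGI load. Written for Python 3.

```python
import base64
import os
import re
import ssl

# One PEM certificate block; DOTALL so the base64 body may span several lines.
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)


def count_pem_certs(pem_text):
    """Count PEM blocks whose body decodes to DER beginning with SEQUENCE (0x30);
    a sanity check that the file is a certificate bundle, not a full X.509 parse."""
    n = 0
    for body in PEM_RE.findall(pem_text):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        if der[:1] == b"\x30":
            n += 1
    return n


def inspect_bundle(path):
    """Return (exists, certificate count) for one candidate bundle path."""
    if not path or not os.path.isfile(path):
        return (False, 0)
    with open(path, "r", errors="replace") as f:
        return (True, count_pem_certs(f.read()))


def candidate_bundles():
    """Assumed search order: REQUESTS_CA_BUNDLE env var, certifi, OS default."""
    cands = [os.environ.get("REQUESTS_CA_BUNDLE")]
    try:
        import certifi
        cands.append(certifi.where())
    except ImportError:
        pass
    cands.append(ssl.get_default_verify_paths().cafile)
    return [c for c in cands if c]


def resolve_ca_bundle(candidates=None):
    """First candidate that exists and holds at least one certificate, else None."""
    for path in (candidates if candidates is not None else candidate_bundles()):
        exists, n = inspect_bundle(path)
        if exists and n > 0:
            return path
    return None


if __name__ == "__main__":
    # Non-zero exit lets a deploy step refuse to start the WSGI app.
    raise SystemExit(0 if resolve_ca_bundle() else "no usable CA bundle found")
```

Run inside the same virtualenv as the sync server to see which bundle the requests stack would find; pointing REQUESTS_CA_BUNDLE at the resolved path avoids copying files into the requests package, where a reinstall would remove them again.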

jrconlin commented 3 years ago

"CAcerts" (or Certificate Authority Certificates; I didn't come up with the name) are usually generated by whichever Certificate Authority validates your TLS. If you use self-signed certificates, you can generate them yourself. Or you can use a service like LetsEncrypt to get a free TLS certificate for a given server. Using random cacerts.pem is probably not a very good idea.

I don't know how you're currently configured. Normally the sync server isn't handling TLS connections directly. (Python doesn't really do a very good job of being efficient with TLS connections, so we usually recommend running something like Apache or Nginx as a "front end" to handle the secure connection, then hand off to the SyncServer internally.)

If you want to use TLS, you'll still have to configure that yourself; however, it will be far easier to use automated tooling.