Closed Bug 595072 Opened 14 years ago Closed 13 years ago

Sync doesn't accept custom HTTPS servers with self-signed certs

Categories

(Cloud Services Graveyard :: Server: Sync, defect)

defect
Not set
major

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: markus.podar+bugzilla.mozilla.org, Unassigned)

Details

User-Agent:       Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0b5) Gecko/20100101 Firefox/4.0b5
Build Identifier: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0b5) Gecko/20100101 Firefox/4.0b5

I'm using a URL in the form of https://$FQDN/weave/ but the sync dialog always states "Please enter a valid server URL". Ultimately I can't use this service.

The URL I'm using has a public DNS entry and is using a self-signed certificate (which is valid until 2017) and is protected by HTTP basic auth. The whole length of the URL is 41 characters (in case that matters).

I can access the URL in FF itself without problems (I get the usual "Do you understand the risks.. blabla" page because I'm using my own certificate).

I've set up the minimal weave server there according to the guide at http://tobyelliott.wordpress.com/2009/09/11/weave-minimal-server/ ; even at the blog this comment also mentions the problem: http://tobyelliott.wordpress.com/2009/09/11/weave-minimal-server/#comment-564

Reproducible: Always

Steps to Reproduce:
1. Go to Tool / Set Up Sync...
2. Choose "I've never used sync before"
3. In "Connect to" choose "Use a custom server"
4. Enter the URL https://$FQDN/weave/ (e.g. https://www.google.com/ just as an example)

Actual Results:
An inline error message shows up "Please enter a valid server URL"

Expected Results:  
No error message should be shown.
Product: Firefox → Mozilla Services
QA Contact: general → general
(In reply to comment #0)
> The URL I'm using has a public DNS entry and is using a self-signed certificate

Did you accept this certificate into your profile by clicking on the "Add Exception..." and then the "Confirm Security Exception" buttons? If not, try that. It should work.

So in essence, Sync should work just fine with HTTPS urls, but it will fail on unrecognized certs. Importing the cert should fix the problem. Perhaps the setup wizard UI could be a bit more helpful about this...
Component: General → Firefox Sync: UI
OS: Windows 7 → All
QA Contact: general → sync-ui
Hardware: x86 → All
I thought about that too, and yes, I did import it (but only after I encountered the problem).

But when I enter https://www.google.com/ I get the same "Please enter a valid server URL". That makes me wonder whether it's really the HTTPS which has the problem or something else. Your comment indicates to me that there are some background checks going on, so is it possible that various checks always produce this same "Please enter a valid..." error message and the real error is hidden?

*Short pause looking into my apache logs*

Ok, I didn't realize that the dialog is already smart by accessing the URL and checking things. I saw this in my access log:

"GET /weave/user/1.0/a HTTP/1.1" 404

Calling this URL indeed gives me a "Function not found" response from the minimal weave server.

When I just continue entering my User Name I get a second error message below the user name "Already in use". However it doesn't matter which name I provide I always get this.

So, is this more of a minimal weave server problem then? I'm unsure what's really expected here.
The minimal weave server doesn't support the user signup API. Instead you need to create a user account on the server using the provided script and then choose "I'm already using Sync on another computer" (or "I already have a Sync account" in nightlies). I'm pretty sure this is described in the docs as well.
The only docs in the minimal web server is a README which has this about the client setup:

--------------8<-----------------
CLIENT SETUP

in about.config, set extensions.weave.serverURL to https://<your servername>/weave/

You can run it under http, but this is insecure and not recommended.
--------------8<-----------------

So there was no indication to me that I can't use the user signup API. It is clear now and I guess this bug can be closed.
Ugh, yeah, looks like I was wrong. I thought this was documented. CCing Toby to let him know about this.

Anyway, I think the bug is still invalid in the sense that we could do better in terms of the UI. Ideally the setup wizard would point the user to the same "Add Security Exception" dialog as the browser does...
Summary: Sync doesn't accept HTTPS URLs → Sync doesn't accept custom HTTPS servers with self-signed certs
(In reply to comment #5)
> Anyway, I think the bug is still invalid

Of course I meant *valid*.
Mind that in my case the problem wasn't the security certificate, but likely that I didn't properly set up a user.

However... when I reconsider the steps:

1. I entered the URL
2. I received the error message (I did *not yet* enter a username)
3. the request logged on the server was: "GET /weave/user/1.0/a HTTP/1.1" 404

As I said, in that case I didn't enter a username, so I didn't enter "a" for it. Maybe it's some kind of probe for the dialog? Is the web server supposed to understand this (special username "a" for probing)? Because if not, then in general that would almost always lead to that error message and could be confusing.
The setup wizard queries the server whether the username "a" is taken or not. It interprets either answer (yes or no) as the server being valid (= it implements the sign up API) and an HTTP error as it being invalid. It's not super brilliant but it works ;)
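The probe described in the comment above, written as a diagnostic that separates an untrusted certificate from a missing signup API instead of reporting both as an invalid URL. This is an added example, not code from Firefox Sync or the minimal Weave server. Assumptions: the function names and category strings are hypothetical, the host name is constructed, and the "0"/"1" response body is assumed rather than taken from the thread.

```python
import ssl
import urllib.error
import urllib.request

PROBE_USER = "a"  # throwaway username the wizard asks about, per the thread


def probe_url(server_url):
    """Build the signup-API URL the wizard requests for a custom server."""
    return server_url.rstrip("/") + "/user/1.0/" + PROBE_USER


def _fetch(url):
    # urlopen verifies the certificate chain and hostname by default.
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8", "replace")


def classify_probe(server_url, fetch=_fetch):
    """Return (category, detail) instead of one generic 'invalid URL' error."""
    url = probe_url(server_url)
    try:
        body = fetch(url)
    except urllib.error.HTTPError as exc:  # must precede URLError (its parent)
        # Server and TLS are fine; the signup endpoint is not implemented.
        return "no-signup-api", "HTTP %d from %s" % (exc.code, url)
    except urllib.error.URLError as exc:
        if isinstance(exc.reason, ssl.SSLCertVerificationError):
            # Self-signed or otherwise untrusted certificate: report it,
            # never retry with verification switched off.
            return "cert-untrusted", str(exc.reason)
        return "unreachable", str(exc.reason)
    # Assumption: the server answers "0" (name free) or "1" (name taken).
    if body.strip() in ("0", "1"):
        return "ok", "signup API answered " + body.strip()
    return "unexpected-body", body[:80]


if __name__ == "__main__":
    # Constructed host name; replace with the server under test.
    print(classify_probe("https://sync.example.test/weave/"))
```

The `fetch` parameter exists so the classification can be exercised offline with a stand-in that returns a body or raises the relevant exception.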
Ah, I see. We say "You can create and delete users by running the create_user script from the command line.", but don't actually point out that you can't do it through the client. I'll add something there.
Not a UI bug. Throwing this over to the server chaps to close out.
Component: Firefox Sync: UI → Server: Core
QA Contact: sync-ui → core-server
Added the explicit note to the README that you can't create users from the client, so I think all issues here have been resolved.
Status: UNCONFIRMED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Component: Server: Core → Server: Sync
QA Contact: core-server → sync-server
Product: Cloud Services → Cloud Services Graveyard