couchdb-user mailing list archives

From Sinan Gabel <sinan.ga...@gmail.com>
Subject Re: CouchDB SSL Problems
Date Thu, 13 Nov 2014 08:06:59 GMT
Hi!

A non-answer:

For me it works on Ubuntu 13.04 (towards all main browsers) as described
in:
http://docs.couchdb.org/en/latest/config/http.html#secure-socket-level-options


However when I switch to Ubuntu 14.04 I can't get it to work, so on Ubuntu
14.04 I have actually set up an nginx load balancer to handle SSL instead
(as I needed the load balancer anyway).

Br, Sinan

On 13 November 2014 01:54, Paul Okstad <pokstad@gmail.com> wrote:

> I would really appreciate any help from anyone with experience configuring
> CouchDB with SSL.
>
> I wrote a detailed write up on the wiki describing the process I used to
> create my keys and certs and configure CouchDB to use them:
>
> https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=48203146
>
> This problem originally occurred with certs I had signed by RapidSSL. I
> then tried signed certs from the free Comodo service detailed in the wiki.
> Both companies had the same issue in Firefox and Chrome.
>
> At the bottom of the wiki page is a listing of the errors I get. Here’s
> what’s happening:
>
> 1. HTTPS works fine in Safari on OS X and iOS
> 2. SSLShopper.com <http://sslshopper.com/> SSL checker tool indicates my
> domain is fine:
> https://www.sslshopper.com/ssl-checker.html#hostname=api.hardcodedstudios.com:6984
> 3. Does NOT work in Firefox (latest)
> 4. Does NOT work in Chrome (latest)
> 5. Couchbase Lite for iOS throws errors when using the HTTPS connection
> for replication:
>
> Replication: CBL_Puller[https://username:*****@
> api.hardcodedstudios.com:6984/u_username] took 0.744 sec; error=Error
> Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure
> connection to the server cannot be made." UserInfo=0x7a9825c0
> {NSLocalizedDescription=An SSL error has occurred and a secure connection
> to the server cannot be made., NSLocalizedRecoverySuggestion=Would you like
> to connect to the server anyway?, _kCFStreamErrorCodeKey=-9800,
> NSErrorFailingURLStringKey=https://username:*****@
> api.hardcodedstudios.com:6984/u_username/_local/f0f04e52a0ace2008a4c30767a46d2a52502c9d1,
> _kCFStreamErrorDomainKey=3,
> NSURLErrorFailingURLPeerTrustErrorKey=<SecTrustRef: 0x7a880180>,
> NSUnderlyingError=0x7a838740 "An SSL error has occurred and a secure
> connection to the server cannot be made.",
> NSErrorFailingURLKey=https://username:*****@
> api.hardcodedstudios.com:6984/u_username/_local/f0f04e52a0ace2008a4c30767a46d2a52502c9d1
> })
>
> 6. Curl on OS X reports the following issue:
>
> $ curl https://api.hardcodedstudios.com:6984
> curl: (35) Unknown SSL protocol error in connection to
> api.hardcodedstudios.com:-9800
>
> BUT, on Linux it returns successfully!
>
> 7. OpenSSL inspection reveals the following:
>
> $ openssl s_client -showcerts -connect api.hardcodedstudios.com:6984
> CONNECTED(00000003)
> depth=3 /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust
> External CA Root
> verify error:num=19:self signed certificate in certificate chain
> verify return:0
> ---
> Certificate chain
>  0 s:/OU=Domain Control Validated/OU=Free SSL/CN=api.hardcodedstudios.com
>    i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO
> RSA Domain Validation Secure Server CA
>  1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO
> RSA Domain Validation Secure Server CA
>    i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO
> RSA Certification Authority
>  2 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO
> RSA Certification Authority
>    i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust
> External CA Root
>  3 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust
> External CA Root
>    i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust
> External CA Root
> ---
> Server certificate
> subject=/OU=Domain Control Validated/OU=Free SSL/CN=
> api.hardcodedstudios.com
> issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO
> RSA Domain Validation Secure Server CA
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 6121 bytes and written 328 bytes
> ---
> New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
> Server public key is 2048 bit
> Secure Renegotiation IS NOT supported
> Compression: NONE
> Expansion: NONE
> SSL-Session:
>     Protocol  : TLSv1
>     Cipher    : DHE-RSA-AES256-SHA
>     Session-ID:
> EFD5FF948B7E92D0814CF39EBA936C3BE7A9AA150BBAA046954870A96E247B40
>     Session-ID-ctx:
>     Master-Key:
> 3772949939CCD6FC882EC5D3F08EBEFF881C86CE0E7B4E229D4CD9D84070D2CF3C3A6357E28982363D3B3950F0C74920
>     Key-Arg   : None
>     Start Time: 1415839230
>     Timeout   : 300 (sec)
>     Verify return code: 0 (ok)
> ---
>
> --
> Paul Okstad
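A small triage helper for the `openssl s_client -showcerts` transcript quoted above, added here as an example and not code from the thread or from CouchDB: it pulls the chain listing, verify error, renegotiation and protocol lines out of the output and turns them into findings a defender would act on (client trust store vs. server misconfiguration, the unnecessary self-signed root in the chain, missing secure renegotiation, a TLS 1.0-only session). The sample transcript is constructed from the quoted output with the PEM bodies dropped and DNs shortened; `triage_s_client` is a hypothetical name.

```python
import re

# Constructed sample (not the thread's output verbatim): the chain listing and session
# summary of the s_client transcript above, with PEM bodies dropped and DNs shortened.
SAMPLE = """verify error:num=19:self signed certificate in certificate chain
---
Certificate chain
 0 s:/OU=Domain Control Validated/OU=Free SSL/CN=api.hardcodedstudios.com
   i:/C=GB/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
 1 s:/C=GB/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
   i:/C=GB/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
 2 s:/C=GB/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
   i:/C=SE/O=AddTrust AB/CN=AddTrust External CA Root
 3 s:/C=SE/O=AddTrust AB/CN=AddTrust External CA Root
   i:/C=SE/O=AddTrust AB/CN=AddTrust External CA Root
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Secure Renegotiation IS NOT supported
    Protocol  : TLSv1
"""


def triage_s_client(output, hostname):
    """Return defender-relevant findings from `openssl s_client -showcerts` output."""
    chain = re.findall(r"^ *\d+ s:(.+)\n +i:(.+)$", output, re.M)  # (subject, issuer) per cert
    if not chain:
        return ["no certificate chain found in output"]
    findings = []
    cn = re.search(r"CN=([^/]+)", chain[0][0])  # CN only; SANs are not in this listing
    if not cn or cn.group(1).strip() != hostname:
        findings.append("leaf CN does not match host %s" % hostname)
    for (_, issuer), (next_subject, _) in zip(chain, chain[1:]):
        if issuer != next_subject:  # each issuer should be the next certificate's subject
            findings.append("chain gap: no certificate follows for issuer %s" % issuer)
    if chain[-1][0] == chain[-1][1]:  # subject == issuer: a root the client must already trust
        findings.append("server sends its self-signed root; clients must trust it already, so it only adds bytes")
    m = re.search(r"verify error:num=(\d+):(.+)", output)
    if m:  # error 19 here means s_client's own trust store lacked the root
        findings.append("verify error %s (%s): check the trust store given to s_client (-CAfile/-CApath) before blaming the server" % m.groups())
    if "Secure Renegotiation IS NOT supported" in output:
        findings.append("no secure renegotiation extension (RFC 5746)")
    proto = re.search(r"Protocol\s*:\s*(\S+)", output)
    if proto and proto.group(1) in ("SSLv3", "TLSv1", "TLSv1.1"):
        findings.append("negotiated %s; confirm the server also offers TLS 1.2, which current clients require" % proto.group(1))
    return findings


if __name__ == "__main__":
    for line in triage_s_client(SAMPLE, "api.hardcodedstudios.com"):
        print("-", line)
```

Run it against a real capture by piping `openssl s_client -showcerts -connect host:6984 </dev/null` into a file and passing that text instead of `SAMPLE`.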
