couchdb-user mailing list archives

From Michael Power <>
Subject TLS client certificates internal error
Date Tue, 08 Dec 2015 01:58:13 GMT

I am trying to get couchdb to work with client certificates.  I can’t seem to get it to
work.  I am getting an internal error from couchdb.

Here is how I am currently trying to connect:

openssl s_client -connect localhost:6984 -cert ~mpower/couchdb.cert.pem -key ~mpower/private/couchdb.key.pem -CAfile /etc/my-ca/couchdb/certs/ca-chain.cert.pem

This is what I get in response:

139699789244064:error:14094438:SSL routines:SSL3_READ_BYTES:tlsv1 alert internal error:s3_pkt.c:1262:SSL alert number 80
139699789244064:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:

I can see this in the couchdb log:

[Tue, 08 Dec 2015 01:37:51 GMT] [error] [<0.834.0>] SSL: hello: ssl_handshake.erl:154:Fatal error: internal error

I know my files work because I can run my own ssl server on the same port:

openssl s_server -accept 6984 -key /etc/couchdb/private/couchdb.key.pem -cert /etc/couchdb/couchdb.cert.pem -CAfile /etc/my-ca/couchdb/certs/ca-chain.cert.pem -verify 2

For couchdb, if I disable client certificates in the configuration, everything works:

verify_ssl_certificates = false

openssl s_client -connect localhost:6984 -cert ~mpower/couchdb.cert.pem -key ~mpower/private/couchdb.key.pem -CAfile /etc/my-ca/couchdb/certs/ca-chain.cert.pem

HTTP/1.1 400 Bad Request
Server: MochiWeb/1.0 (Any of you quaids got a smint?)
Date: Tue, 08 Dec 2015 01:50:33 GMT
Content-Length: 0

Here is what my ssl configuration looks like:

httpsd = {couch_httpd, start_link, [https]}

verify_ssl_certificates = true
ssl_certificate_max_depth = 2
cert_file = /etc/couchdb/couchdb.cert.pem
key_file = /etc/couchdb/private/couchdb.key.pem
cacert_file = /etc/my-ca/couchdb/certs/ca-chain.cert.pem

Some other information:

/etc/couchdb/local.d$ couchdb -V
couchdb - Apache CouchDB 1.5.0

/etc/couchdb/local.d$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 14.04.1 LTS
Release: 14.04
Codename: trusty

/etc/couchdb/local.d$ dpkg -s couchdb
Package: couchdb
Status: install ok installed
Priority: optional
Section: misc
Installed-Size: 95
Maintainer: Ubuntu Developers <>
Architecture: all
Version: 1.5.0-0ubuntu1
Replaces: couchdb-bin (<= 1.0.1-0ubuntu18)
Depends: couchdb-bin (>= 1.5.0-0ubuntu1), adduser, upstart
 /etc/init/couchdb.conf 54253885fde3bea9c06459cb2895a458
 /etc/couchdb/local.ini bffa95158f7a754b3af2885b7af50d1d
 /etc/logrotate.d/couchdb 5502805e702b3b3db79c47adbd9ea511
Description: RESTful document oriented database - system-wide instance
 Apache CouchDB is a distributed, fault-tolerant and schema-free
 document-oriented database accessible via a RESTful HTTP/JSON API. Among other
 features, it provides robust, incremental replication with bi-directional
 conflict detection and resolution, and is queryable and indexable using a
 table-oriented view engine with JavaScript acting as the default view
 definition language.

 CouchDB is written in Erlang, but can be easily accessed from any environment
 that provides means to make HTTP requests. There are a multitude of third-party
 client libraries that make this even easier for a variety of programming
 languages and environments.

 This package adds the Upstart job and other items needed for a system-wide
 CouchDB instance that is started at boot.
Original-Maintainer: Laszlo Boszormenyi (GCS) <>

What do I need to do to enable client certificates?

Michael Power
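The s_client output quoted in the post packs the useful detail (which OpenSSL function failed, and that the server aborted with TLS alert 80, internal_error) into a hex code. The following is an added example, not code from the post, CouchDB or OpenSSL: it decodes OpenSSL 1.0.x error lines into their library/function/reason ids and names the alert the peer sent, using the RFC 5246 AlertDescription table as its only assumption.

```python
# Added example (not from the post, CouchDB or OpenSSL): decode OpenSSL 1.0.x error
# lines such as the s_client output above into library/function/reason ids and, when
# the reason is a received TLS alert, the alert's RFC 5246 name.
import re

# TLS AlertDescription values from RFC 5246 section 7.2 (41 is SSLv3-only no_certificate).
TLS_ALERTS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    21: "decryption_failed", 22: "record_overflow", 30: "decompression_failure",
    40: "handshake_failure", 41: "no_certificate", 42: "bad_certificate",
    43: "unsupported_certificate", 44: "certificate_revoked", 45: "certificate_expired",
    46: "certificate_unknown", 47: "illegal_parameter", 48: "unknown_ca",
    49: "access_denied", 50: "decode_error", 51: "decrypt_error", 60: "export_restriction",
    70: "protocol_version", 71: "insufficient_security", 80: "internal_error",
    90: "user_canceled", 100: "no_renegotiation", 110: "unsupported_extension",
}

# Layout of an OpenSSL 1.0.x error string: thread:error:code:lib:func:reason:file:line[:extra]
_LINE_RE = re.compile(
    r"^\d+:error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]*):(?P<func>[^:]*):"
    r"(?P<reason>[^:]*):(?P<file>[^:]*):(?P<line>\d+):?(?P<extra>.*)$"
)
ERR_LIB_SSL = 0x14  # OpenSSL library id of the SSL routines


def decode_openssl_error(line):
    """Return a dict describing one OpenSSL error line, or None if it does not match."""
    m = _LINE_RE.match(line.strip())
    if not m:
        return None
    code = int(m.group("code"), 16)
    # Packed code: 8-bit library id, 12-bit function id, 12-bit reason id.
    lib_id, func_id, reason_id = code >> 24, (code >> 12) & 0xFFF, code & 0xFFF
    info = {"library": m.group("lib"), "function": m.group("func"), "reason": m.group("reason"),
            "file": m.group("file"), "source_line": int(m.group("line")), "extra": m.group("extra"),
            "lib_id": lib_id, "func_id": func_id, "reason_id": reason_id, "alert": None}
    # SSL reason ids 1000-1255 mean "the peer sent alert number (reason - 1000)".
    if lib_id == ERR_LIB_SSL and 1000 <= reason_id <= 1255:
        number = reason_id - 1000
        info["alert"] = (number, TLS_ALERTS.get(number, "unknown"))
    return info


# The two lines from the post, re-joined where the archive wrapped them.
SAMPLE = [
    "139699789244064:error:14094438:SSL routines:SSL3_READ_BYTES:tlsv1 alert internal error:s3_pkt.c:1262:SSL alert number 80",
    "139699789244064:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:",
]
```

For the first sample line the decoder reports an alert of (80, "internal_error") raised while the client was in SSL3_READ_BYTES, i.e. the abort came from the server, which matches the CouchDB log entry rather than a client-side certificate problem.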