couchdb-user mailing list archives

From Michael Power <Michael.Po...@ELOTOUCH.com>
Subject TLS client certificates internal error
Date Tue, 08 Dec 2015 01:58:13 GMT
Hello,

I am trying to get couchdb to work with client certificates.  I can’t seem to get it to
work.  I am getting an internal error from couchdb.

Here is how I am currently trying to connect:

openssl s_client -connect localhost:6984 -cert ~mpower/couchdb.cert.pem -key ~mpower/private/couchdb.key.pem -CAfile /etc/my-ca/couchdb/certs/ca-chain.cert.pem


This is what I get in response:

CONNECTED(00000003)
139699789244064:error:14094438:SSL routines:SSL3_READ_BYTES:tlsv1 alert internal error:s3_pkt.c:1262:SSL alert number 80
139699789244064:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:
…



I can see this in the couchdb log:

[Tue, 08 Dec 2015 01:37:51 GMT] [error] [<0.834.0>] SSL: hello: ssl_handshake.erl:154:Fatal error: internal error


I know my files work because I can run my own ssl server on the same port:

openssl s_server -accept 6984 -key /etc/couchdb/private/couchdb.key.pem -cert /etc/couchdb/couchdb.cert.pem -CAfile /etc/my-ca/couchdb/certs/ca-chain.cert.pem -verify 2



For couchdb if I disable client certificates in the configuration everything works:

verify_ssl_certificates = false


openssl s_client -connect localhost:6984 -cert ~mpower/couchdb.cert.pem -key ~mpower/private/couchdb.key.pem -CAfile /etc/my-ca/couchdb/certs/ca-chain.cert.pem

…

hello

HTTP/1.1 400 Bad Request
Server: MochiWeb/1.0 (Any of you quaids got a smint?)
Date: Tue, 08 Dec 2015 01:50:33 GMT
Content-Length: 0

closed


Here is what my ssl configuration looks like:

[daemons]
httpsd = {couch_httpd, start_link, [https]}

[ssl]
verify_ssl_certificates = true
ssl_certificate_max_depth = 2
cert_file = /etc/couchdb/couchdb.cert.pem
key_file = /etc/couchdb/private/couchdb.key.pem
cacert_file = /etc/my-ca/couchdb/certs/ca-chain.cert.pem


Some other information:

/etc/couchdb/local.d$ couchdb -V
couchdb - Apache CouchDB 1.5.0

/etc/couchdb/local.d$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 14.04.1 LTS
Release: 14.04
Codename: trusty

/etc/couchdb/local.d$ dpkg -s couchdb
Package: couchdb
Status: install ok installed
Priority: optional
Section: misc
Installed-Size: 95
Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
Architecture: all
Version: 1.5.0-0ubuntu1
Replaces: couchdb-bin (<= 1.0.1-0ubuntu18)
Depends: couchdb-bin (>= 1.5.0-0ubuntu1), adduser, upstart
Conffiles:
 /etc/init/couchdb.conf 54253885fde3bea9c06459cb2895a458
 /etc/couchdb/local.ini bffa95158f7a754b3af2885b7af50d1d
 /etc/logrotate.d/couchdb 5502805e702b3b3db79c47adbd9ea511
Description: RESTful document oriented database - system-wide instance
 Apache CouchDB is a distributed, fault-tolerant and schema-free
 document-oriented database accessible via a RESTful HTTP/JSON API. Among other
 features, it provides robust, incremental replication with bi-directional
 conflict detection and resolution, and is queryable and indexable using a
 table-oriented view engine with JavaScript acting as the default view
 definition language.
 .
 CouchDB is written in Erlang, but can be easily accessed from any environment
 that provides means to make HTTP requests. There are a multitude of third-party
 client libraries that make this even easier for a variety of programming
 languages and environments.
 .
 This package adds the Upstart job and other items needed for a system-wide
 CouchDB instance that is started at boot.
Homepage: http://couchdb.apache.org/
Original-Maintainer: Laszlo Boszormenyi (GCS) <gcs@debian.hu>


What do I need to do to enable client certificates?


Michael Power
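The post's configuration ties client-certificate acceptance to two things: the contents of cacert_file (a chain file with an intermediate and a root) and ssl_certificate_max_depth. The script below is an added example, not code from the post or from CouchDB: it builds a throwaway root -> intermediate -> client PKI with the openssl CLI and shows, with openssl verify alone, which combinations of CA file and depth let that client certificate validate. The subject names, file names and the demo directory are invented; it only needs openssl on the PATH. The -verify_depth count follows the OpenSSL 1.1.0+ definition (number of intermediate CAs allowed between the peer certificate and the trust anchor), which is also how Erlang's ssl depth option, the setting CouchDB's ssl_certificate_max_depth feeds, is defined.

```shell
#!/bin/sh
# Added example (not from the mailing-list post): build a throwaway two-tier
# PKI, root -> intermediate -> client, then check how the CA file contents
# and the verification depth decide whether the client certificate validates.
# Needs the openssl CLI; subject names and file names are invented.
set -u

DEMO_DIR="$(mktemp -d)"
trap 'rm -rf "$DEMO_DIR"' EXIT

# new_key_csr NAME SUBJECT: fresh unencrypted RSA key plus a CSR for it.
new_key_csr() {
    openssl req -new -newkey rsa:2048 -nodes -subj "$2" \
        -keyout "$DEMO_DIR/$1.key" -out "$DEMO_DIR/$1.csr" >/dev/null 2>&1
}

# sign_with NAME ISSUER CA_FLAG: sign NAME's CSR with ISSUER's key and mark
# the result as a CA certificate (TRUE) or an end-entity certificate (FALSE).
sign_with() {
    printf 'basicConstraints=CA:%s\n' "$3" > "$DEMO_DIR/$1.ext"
    openssl x509 -req -days 1 -in "$DEMO_DIR/$1.csr" \
        -CA "$DEMO_DIR/$2.pem" -CAkey "$DEMO_DIR/$2.key" -CAcreateserial \
        -extfile "$DEMO_DIR/$1.ext" -out "$DEMO_DIR/$1.pem" >/dev/null 2>&1
}

# build_pki: self-signed root, intermediate signed by the root, client cert
# signed by the intermediate, and ca-chain.pem holding intermediate + root
# (the shape a CA file needs when clients are issued by an intermediate).
build_pki() {
    new_key_csr root "/CN=Demo Root CA" || return 1
    printf 'basicConstraints=CA:TRUE\n' > "$DEMO_DIR/root.ext"
    openssl x509 -req -days 1 -in "$DEMO_DIR/root.csr" -signkey "$DEMO_DIR/root.key" \
        -extfile "$DEMO_DIR/root.ext" -out "$DEMO_DIR/root.pem" >/dev/null 2>&1 || return 1
    new_key_csr intermediate "/CN=Demo Intermediate CA" || return 1
    sign_with intermediate root TRUE || return 1
    new_key_csr client "/CN=demo-client" || return 1
    sign_with client intermediate FALSE || return 1
    cat "$DEMO_DIR/intermediate.pem" "$DEMO_DIR/root.pem" > "$DEMO_DIR/ca-chain.pem"
}

# verify_client CAFILE DEPTH: exit 0 when client.pem chains to a trust anchor
# in CAFILE using at most DEPTH intermediate CAs (OpenSSL 1.1.0+ semantics).
verify_client() {
    openssl verify -CAfile "$DEMO_DIR/$1" -verify_depth "$2" \
        "$DEMO_DIR/client.pem" >/dev/null 2>&1
}

report() {
    if verify_client "$1" "$2"; then
        echo "verifies:        CAfile=$1 depth=$2"
    else
        echo "does not verify: CAfile=$1 depth=$2"
    fi
}

build_pki || { echo "could not build the demo PKI (is openssl installed?)" >&2; exit 1; }
report ca-chain.pem 2   # intermediate + root in the CA file, one intermediate allowed
report ca-chain.pem 0   # depth 0 forbids any intermediate: chain too long
report root.pem 2       # intermediate missing from the CA file: no local issuer found
```

Run it with plain sh; the three report lines are the point: only the first combination verifies. When a server rejects a client certificate that openssl s_server accepts with the same files, comparing these three cases against what the server is actually given (full chain versus root only, and the configured depth) is the first check worth making, before looking at the server's TLS stack itself.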