incubator-couchdb-user mailing list archives

From Dave Cottlehuber <...@jsonified.com>
Subject Re: SSL problems
Date Wed, 26 Sep 2012 19:55:48 GMT
On 26 September 2012 19:36, Bill <bill.foshay@noteandgo.com> wrote:
> Dave Cottlehuber <dch@...> writes:
>
>>
>> On 26 September 2012 05:20, Bill <bill.foshay@...> wrote:
>> > I'm using CouchDB 1.1 and running into an issue configuring it for SSL. I have
>> > a certificate from GoDaddy that I'm trying to use. I put the cert, two
>> > intermediate GoDaddy certs, and the GoDaddy root cert in a pem file. I
>> > specified the path to that file in the "cert_file" entry in the couchdb config. I
>> > also set up the "key_file" entry to point to my key file. However, after
>> > restarting couchdb, ssl is unable to connect. When I try
>> >
>> > curl -v https://myserver:6984/
>> >
>> > I get the following message
>> >
>> > * About to connect() to myserver port 6984 (#0)
>> > * Trying myserer... connected
>> > * Connected to myserver (myserver) port 6984 (#0)
>> > * Initializing NSS with certpath: /etc/pki/nssdb
>> > * CAfile: /etc/pki/tls/certs/ca-bundle.crt
>> >  CAPath: none
>> > * NSS error -5938
>> > Closing connection #0
>> > * SSL connect error
>> >
>> > It's able to connect without SSL just fine. Does anyone have any idea what I'm
>> > doing wrong or tips to get this working?
>> >
>> > Thanks,
>> > Bill
>> >
>>
>> Hi Bill,
>>
>> I would suggest 2 things to check[1]:
>>
>> - use the mochiweb test certs to confirm that you've got couchdb set
>> up correctly
>> - confirm your certs work using openssl, both with & without the -k
>> option (validity chain)
>>
>> It's possible that you are running into one of the limitations of
>> various erlang versions, I am not up to speed but I'd suggest
>> re-testing with R15B02 once the first checks are working. Do keep us
>> posted so we can keep the wiki up to date.
>>
>> A+
>> Dave
>>
>> [1]: http://wiki.apache.org/couchdb/How_to_enable_SSL
>>
>>
>
> Hi Dave,
>
> Thanks for the suggestions. I was able to verify both the checks you suggested.
> I'm able to successfully run couchdb with a self-signed cert. And I used openssl
> to confirm that the certs work, both with and without the -k option. Are there
> any other checks you can recommend? I can post my log file errors in a few hours
> when I get back home if people think that would be helpful.
>
> The version of CouchDB I'm using was bundled with Couchbase Single Server v1.2
> so maybe there's an Erlang problem associated with that version? Is there an

It's likely quite an old release, so maybe - hard to say. OTP has
moved quite a bit in recent releases. Anyway I'd go with Bob's
recommendation on stunnel for production.

> alternative to Single Server since it's discontinued? I would love to upgrade to
> CouchDB 1.2 if I can do it without too much trouble. I've always just run
> CouchDB with Single Server and hadn't had any issue until trying to get SSL
> working with this GoDaddy cert. I'm pretty much a newbie to CouchDB so I'm
> hesitant to build it myself. Is there a simple way to get a CouchDB server
> running with v1.2 without building it myself?

What's your platform?

There are Mac & Windows binaries on http://couchdb.apache.org/#download
and https://github.com/iriscouch/build-couchdb for the rest. We'll be
happy to help you through this -- once your toolchain is set up source
is not a big hassle. IRC is a good place for questions while you're
hacking away.

A+
Dave
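
Two local checks on the files named in "cert_file" and "key_file", in the spirit of the checks suggested in this thread: that the key belongs to the first certificate in the PEM file, and that the certificates appear in the order a TLS server presents them (server certificate first, each one followed by its issuer). This is an added example, not part of the original messages; it assumes the openssl CLI is installed, and every file name and subject in it is constructed.

```shell
#!/usr/bin/env bash
# Added example: local checks on a cert_file bundle and its key_file.
# Needs the openssl CLI; every file name and subject here is constructed.

# True when the private key belongs to the FIRST certificate in the PEM file.
key_matches_cert() {  # usage: key_matches_cert <cert_file> <key_file>
  local c k
  c=$(openssl x509 -in "$1" -noout -pubkey) || return 2
  k=$(openssl pkey -in "$2" -pubout) || return 2
  [ -n "$c" ] && [ "$c" = "$k" ]
}

# True when each certificate in the PEM file is followed by its issuer.
chain_in_order() {  # usage: chain_in_order <cert_file>
  local tmp f subj want="" n=0 rc=0
  tmp=$(mktemp -d) || return 2
  # Split the bundle into one file per certificate, keeping file order.
  awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/ { f = sprintf("%s/%03d.pem", d, ++n) }
                   f { print > f }' "$1"
  for f in "$tmp"/*.pem; do
    [ -e "$f" ] || break
    subj=$(openssl x509 -in "$f" -noout -subject) || { rc=2; break; }
    subj=${subj#subject=}
    if [ "$n" -gt 0 ] && [ "$subj" != "$want" ]; then rc=1; fi
    want=$(openssl x509 -in "$f" -noout -issuer); want=${want#issuer=}
    n=$((n + 1))
  done
  rm -rf "$tmp"
  [ "$n" -gt 0 ] || return 2
  return "$rc"
}

# Builds a constructed chain in directory $1: root CA, server cert, bundle.pem.
make_constructed_chain() {
  local d=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Root" \
    -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null &&
  openssl req -newkey rsa:2048 -nodes -subj "/CN=myserver" \
    -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null &&
  openssl x509 -req -in "$d/server.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -days 1 -out "$d/server.pem" 2>/dev/null &&
  cat "$d/server.pem" "$d/root.pem" > "$d/bundle.pem"
}

demo=$(mktemp -d) && make_constructed_chain "$demo" &&
  key_matches_cert "$demo/bundle.pem" "$demo/server.key" &&
  chain_in_order "$demo/bundle.pem" && echo "bundle and key are consistent"
rm -rf "$demo"
```

Both functions return 0 on success, 1 on a mismatch, and 2 when a file cannot be parsed, so they can be run against the real bundle and key before restarting the server.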
