incubator-couchdb-user mailing list archives

From Andrew Kew <Andrew....@fitchlearning.com>
Subject Apache couchDB CA signed certificate issues
Date Tue, 11 Jun 2013 15:48:16 GMT
Hi

I am running an Apache CouchDB instance (version 1.3.0) on an Ubuntu 12.10 server in the cloud
(AWS). I am trying to get SSL working on my couchDB instance.

The basic SSL setup is very easy. I have placed my certificate and key in a directory and
uncommented the following lines in my local.ini file

httpsd = {couch_httpd, start_link, [https]}
cert_file = /usr/local/etc/couchdb/certs/mycouchdbserver_cert.pem
key_file = /usr/local/etc/couchdb/certs/mycouchdbserver_key.pem

I have also made sure that the ownership on these files is correct.

This works fine, the couchDB server starts up, you can navigate to https://mycouchdbserver.com/_utils/
without a problem.

Testing using openssl

openssl s_client -showcerts -connect mycouchdbserver.com:443

Gives the correct result for standard SSL configuration.

When testing the setup on the DigiCert website (the company the SSL certs were bought through
- test link: http://www.digicert.com/help/) I get the following error:

The server is not sending the required intermediate certificate.

When purchasing the SSL certificate I obtained an intermediate certificate from DigiCert and
have downloaded the root cert for DigiCert as well.

In the local.ini config file for couchDB you can use these with the following configuration
fields:

verify_ssl_certificates = true
cacert_file = xxxx

My problem is that I can't get this to work and have tried every possible combination to get
this to work. Here is what I have tried:

1. Tried setting cacert_file to the intermediate cert from DigiCert
2. Tried setting cacert_file to the root certificate in /etc/ssl/certs
3. Tried adding the root cert from DigiCert website to /usr/shared/ca-certs/ and then running
   dpkg-reconfigure ca-certificates to install a new root certificate and setting cacert_file
   to that new pem encoded certificate in /etc/ssl/certs
4. Tried combining the cert and intermediate cert in one file used for cert_file
5. Tried combining the cert, intermediate cert and root cert into 1 pem file used for cert_file

All of the above throw errors in the couchDB log. Some give a mass amount of output in the
error logs but using number 3, I get

=ERROR REPORT==== 11-Jun-2013::11:35:30 ===
SSL: hello: ssl_handshake.erl:252:Fatal error: internal error

And testing with openssl I get

CONNECTED(00000003)
16871:error:14094438:SSL routines:SSL3_READ_BYTES:tlsv1 alert internal error:s3_pkt.c:1099:SSL alert number 80
16871:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:

Does anyone have any idea on how to use the verify_ssl_certificates, the root certificate
and the intermediate certificate correctly with couchDB?

I have read all documentation online and nothing has helped.

Thanks in Advance

Andrew


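
The DigiCert check quoted in the message above reports that the server is not sending the intermediate certificate. As an added example that is not part of the original message, the script below builds a constructed root, intermediate and leaf certificate (all names and files are assumptions made for the demonstration) and shows that a client trusting only the root cannot verify the leaf unless the intermediate is supplied along with it.

```shell
#!/bin/sh
# Added example with a constructed, throwaway CA hierarchy (hypothetical names).
# Models a client that trusts only the root, and a server that does or does
# not send the intermediate certificate along with its own.

# make_chain DIR: create root -> intermediate -> leaf certificates in DIR.
make_chain() {
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
    for n in root int leaf; do
        openssl req -new -newkey rsa:2048 -nodes -keyout "$d/$n.key" \
            -out "$d/$n.csr" -subj "/CN=constructed-$n.example" 2>/dev/null || return 1
    done
    # Self-signed root, then an intermediate signed by the root (both CAs).
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
        -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null || return 1
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -days 2 -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null || return 1
    # Server (leaf) certificate signed by the intermediate, not by the root.
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
        -CAcreateserial -days 2 -out "$d/leaf.pem" 2>/dev/null || return 1
}

# client_accepts DIR [SENT.pem]: succeed if a client that trusts only root.pem
# can build a path to leaf.pem, optionally using extra certs the server sent.
client_accepts() {
    d=$1
    if [ -n "$2" ]; then
        openssl verify -CAfile "$d/root.pem" -untrusted "$2" "$d/leaf.pem" 2>/dev/null | grep -q ': OK$'
    else
        openssl verify -CAfile "$d/root.pem" "$d/leaf.pem" 2>/dev/null | grep -q ': OK$'
    fi
}

demo() {
    tmp=$(mktemp -d) && make_chain "$tmp" || return 1
    client_accepts "$tmp" && echo "leaf only: accepted" \
        || echo "leaf only: rejected (intermediate missing)"
    client_accepts "$tmp" "$tmp/int.pem" && echo "leaf + intermediate: accepted" \
        || echo "leaf + intermediate: rejected"
    rm -rf "$tmp"
}
demo
```

The -untrusted file stands in for whatever extra certificates the server presents in the handshake; it is not added to the client's trust store.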