incubator-couchdb-user mailing list archives

From Robert Newson <rnew...@apache.org>
Subject Re: Apache couchDB CA signed certificate issues
Date Wed, 12 Jun 2013 14:03:25 GMT
and by "never", I strictly mean "for a very brief period where I added
native SSL support to CouchDB in 2010".

B.


On 12 June 2013 15:01, Robert Newson <rnewson@apache.org> wrote:
> I'd recommend haproxy 1.5 anyway, I've never been a big fan of
> erlang's built-in SSL support (and it has a fairly yucky history of
> bugs).
>
> B.
>
>
> On 11 June 2013 16:48, Andrew Kew <Andrew.Kew@fitchlearning.com> wrote:
>> Hi
>>
>> I am running an Apache CouchDB instance (version 1.3.0) on an Ubuntu 12.10 server in the cloud (AWS). I am trying to get SSL working on my couchDB instance.
>>
>> The basic SSL setup is very easy. I have placed my certificate and key in a directory and uncommented the following lines in my local.ini file
>>
>> httpsd = {couch_httpd, start_link, [https]}
>> cert_file = /usr/local/etc/couchdb/certs/mycouchdbserver_cert.pem
>> key_file = /usr/local/etc/couchdb/certs/mycouchdbserver_key.pem
>> I have also made sure that the ownership on these files is correct.
>>
>> This works fine, the couchDB server starts up, you can navigate to https://mycouchdbserver.com/_utils/ without a problem.
>>
>> Testing using openssl
>>
>> openssl s_client -showcerts -connect mycouchdbserver.com:443
>> Gives the correct result for standard SSL configuration
>>
>> When testing the setup on the DigiCert website (the company the SSL certs were bought through - test link: http://www.digicert.com/help/) I get the following error:
>>
>> The server is not sending the required intermediate certificate.
>>
>> When purchasing the SSL certificate I obtained an intermediate certificate from DigiCert and have downloaded the root cert for DigiCert as well.
>>
>> In the local.ini config file for couchDB you can use these with the following configuration fields:
>>
>> verify_ssl_certificates = true
>> cacert_file = xxxx
>> My problem is that I can't get this to work and have tried every possible combination to get this to work. Here is what I have tried:
>>
>> 1. Tried setting cacert_file to the intermediate cert from DigiCert
>> 2. Tried setting cacert_file to the root certificate in /etc/ssl/certs
>> 3. Tried adding the root cert from DigiCert website to /usr/shared/ca-certs/ and then running dpkg-reconfigure ca-certificates to install a new root certificate and setting cacert_file to that new pem encoded certificate in /etc/ssl/certs
>> 4. Tried combining the cert and intermediate cert in one file used for cert_file
>> 5. Tried combining the cert, intermediate cert and root cert into 1 pem file used for cert_file
>>
>> All of the above throws errors in the couchDB log. Some give a mass amount of output in the errors logs but using number 3, I get
>>
>> =ERROR REPORT==== 11-Jun-2013::11:35:30 ===
>> SSL: hello: ssl_handshake.erl:252:Fatal error: internal error
>>
>> And testing with openssl I get
>>
>> CONNECTED(00000003)
>> 16871:error:14094438:SSL routines:SSL3_READ_BYTES:tlsv1 alert internal error:s3_pkt.c:1099:SSL alert number 80
>> 16871:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:
>>
>> Does anyone have any idea on how to use the verify_ssl_certificates, the root certificate and the intermediate certificate correctly with couchDB
>>
>> I have read all documentation online and nothing has helped
>>
>> Thanks in Advance
>>
>> Andrew
>>
>>
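The DigiCert tester's complaint ("not sending the required intermediate certificate") can be reproduced offline before touching local.ini. The following is an added example, not code from the thread or from CouchDB: it builds a throwaway root -> intermediate -> leaf hierarchy with openssl and checks which PEM bundle a TLS client can actually validate. Only the hostname mycouchdbserver.com is taken from the thread; every key, subject and file name here is constructed.

```shell
# Added example, not from the thread: build a throwaway root -> intermediate
# -> leaf hierarchy and check, offline, which PEM bundle a TLS client can
# validate. Only "mycouchdbserver.com" is taken from the thread.
set -e
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

# Minimal OpenSSL config: empty DN section (subjects come from -subj) plus the
# extensions that make a certificate a CA or an end-entity certificate.
cat > "$work/cfg" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf_ext]
basicConstraints = CA:FALSE
subjectAltName = DNS:mycouchdbserver.com
EOF

# Self-signed root (the part a CA publishes and distros ship in /etc/ssl/certs).
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$work/cfg" -extensions ca_ext \
  -subj "/CN=Constructed Root CA" -keyout "$work/root.key" -out "$work/root.pem" 2>/dev/null
# Intermediate CA, signed by the root.
openssl req -new -newkey rsa:2048 -nodes -config "$work/cfg" \
  -subj "/CN=Constructed Intermediate CA" -keyout "$work/int.key" -out "$work/int.csr" 2>/dev/null
openssl x509 -req -days 30 -in "$work/int.csr" -CA "$work/root.pem" -CAkey "$work/root.key" \
  -CAcreateserial -extfile "$work/cfg" -extensions ca_ext -out "$work/int.pem" 2>/dev/null
# Server certificate, signed by the intermediate (what cert_file holds).
openssl req -new -newkey rsa:2048 -nodes -config "$work/cfg" \
  -subj "/CN=mycouchdbserver.com" -keyout "$work/leaf.key" -out "$work/leaf.csr" 2>/dev/null
openssl x509 -req -days 30 -in "$work/leaf.csr" -CA "$work/int.pem" -CAkey "$work/int.key" \
  -CAcreateserial -extfile "$work/cfg" -extensions leaf_ext -out "$work/leaf.pem" 2>/dev/null

# Bundle in the order a server must present it: leaf first, then intermediate.
cat "$work/leaf.pem" "$work/int.pem" > "$work/chain.pem"

# Emulate a client: the first cert in the bundle is the server cert, the rest is
# untrusted chain material, only the root is trusted. Exit status 0 = chain
# builds. Live equivalent: openssl s_client -showcerts -CAfile root.pem ...
chain_ok() { # $1 trusted root, $2 bundle as the server would present it
  openssl verify -CAfile "$1" -untrusted "$2" "$2" >/dev/null 2>&1
}

chain_ok "$work/root.pem" "$work/leaf.pem"  || echo "leaf.pem alone: missing intermediate"
chain_ok "$work/root.pem" "$work/chain.pem" && echo "chain.pem: chain verifies"
```

Against a live server the same check is `openssl s_client -showcerts -CAfile root.pem -connect host:443` and reading the "Verify return code" line; a server that sends only the leaf fails it exactly as leaf.pem does here.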
