incubator-couchdb-user mailing list archives

From Jason Smith <...@apache.org>
Subject Re: Apache couchDB CA signed certificate issues
Date Wed, 12 Jun 2013 14:14:34 GMT
That was the single most problematic CouchDB commit I have ever had to deal
with. (Bob's work was fine; but it forced an introduction I regretted
having.)


On Wed, Jun 12, 2013 at 9:03 PM, Robert Newson <rnewson@apache.org> wrote:

> and by "never", I strictly mean "for a very brief period where I added
> native SSL support to CouchDB in 2010".
>
> B.
>
>
> On 12 June 2013 15:01, Robert Newson <rnewson@apache.org> wrote:
> > I'd recommend haproxy 1.5 anyway, I've never been a big fan of
> > erlang's built-in SSL support (and it has a fairly yucky history of
> > bugs).
> >
> > B.
> >
> >
> > On 11 June 2013 16:48, Andrew Kew <Andrew.Kew@fitchlearning.com> wrote:
> >> Hi
> >>
> >> I am running an Apache CouchDB instance (version 1.3.0) on an Ubuntu
> 12.10 server in the cloud (AWS). I am trying to get SSL working on my
> couchDB instance.
> >>
> >> The basic SSL setup is very easy. I have placed my certificate and key
> in a directory and uncommented the following lines in my local.ini file
> >>
> >> httpsd = {couch_httpd, start_link, [https]}
> >> cert_file = /usr/local/etc/couchdb/certs/mycouchdbserver_cert.pem
> >> key_file = /usr/local/etc/couchdb/certs/mycouchdbserver_key.pem
> >> I have also made sure that the ownership on these files is correct.
> >>
> >> This works fine: the couchDB server starts up and you can navigate to
> https://mycouchdbserver.com/_utils/ without a problem.
> >>
> >> Testing using openssl
> >>
> >> openssl s_client -showcerts -connect mycouchdbserver.com:443
> >> Gives the correct result for standard SSL configuration
> >>
> >> When testing the setup on the DigiCert website (the company the SSL
> certs were bought through - test link: http://www.digicert.com/help/) I
> get the following error:
> >>
> >> The server is not sending the required intermediate certificate.
> >>
> >> When purchasing the SSL certificate I obtained an intermediate
> certificate from DigiCert and have downloaded the root cert for DigiCert as
> well.
> >>
> >> In the local.ini config file for couchDB you can use these with the
> following configuration fields:
> >>
> >> verify_ssl_certificates = true
> >> cacert_file = xxxx
> >> My problem is that I can't get this to work and have tried every
> possible combination to get this to work. Here is what I have tried:
> >>
> >> Tried setting cacert_file to the intermediate cert from DigiCert
> >> Tried setting cacert_file to the root certificate in /etc/ssl/certs
> >> Tried adding the root cert from DigiCert website to
> /usr/shared/ca-certs/ and then running dpkg-reconfigure ca-certificates to
> install a new root certificate and setting cacert_file to that new pem
> encoded certificate in /etc/ssl/certs
> >> Tried combining the cert and intermediate cert in one file used for
> cert_file
> >> Tried combining the cert, intermediate cert and root cert into 1 pem
> file used for cert_file
> >> All of the above throws errors in the couchDB log. Some give a mass
> amount of output in the error logs but using number 3, I get
> >>
> >> =ERROR REPORT==== 11-Jun-2013::11:35:30 ===
> >> SSL: hello: ssl_handshake.erl:252:Fatal error: internal error
> >>
> >> And testing with openssl I get
> >>
> >> CONNECTED(00000003)
> >> 16871:error:14094438:SSL routines:SSL3_READ_BYTES:tlsv1 alert internal
>    error:s3_pkt.c:1099:SSL alert number 80
> >> 16871:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake
> failure:s23_lib.c:188:
> >>
> >> Does anyone have any idea on how to use the verify_ssl_certificates,
> the root certificate and the intermediate certificate correctly with couchDB?
> >>
> >> I have read all documentation online and nothing has helped
> >>
> >> Thanks in Advance
> >>
> >> Andrew
> >>
> >>
>
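A check for the "combine the cert and intermediate cert in one file" attempts in the quoted post, added here as an example and not code from the thread or from CouchDB: it walks a PEM bundle with a stdlib-only DER parser and reports any certificate that is not followed by the one that issued it, the leaf-first order a TLS server sends its chain in. The certificates behind GOOD and BAD are constructed stand-ins with the right X.509 layout but no key or signature, and the names, fake_cert and check_chain are my own, not anything from the thread.

```python
import base64, re

CN_OID = b"\x55\x04\x03"  # id-at-commonName, used by the constructed certs below
def tlv(tag, body):
    # DER TLV encoder; long-form length once the body reaches 128 bytes
    if len(body) < 128:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body
def children(body):
    # Split a constructed DER body into [(tag, value), ...]
    out, pos = [], 0
    while pos < len(body):
        tag, ln, pos = body[pos], body[pos + 1], pos + 2
        if ln & 0x80:  # long-form length: low 7 bits give the length's byte count
            ln, pos = int.from_bytes(body[pos:pos + (ln & 0x7F)], "big"), pos + (ln & 0x7F)
        out.append((tag, body[pos:pos + ln]))
        pos += ln
    return out
def name_str(name_body):
    # Name ::= SEQUENCE OF SET OF { OID, value }; join the attribute values for display/compare
    return "/".join(val.decode("utf-8", "replace") for _, rdn in children(name_body)
                    for _, atv in children(rdn) for _, val in children(atv)[1:])
def fake_cert(subject, issuer):
    # Constructed stand-in: real X.509 layout, but no key and an empty signature
    name = lambda cn: tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, CN_OID) + tlv(0x0C, cn.encode()))))
    alg = tlv(0x30, tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSAEncryption
    validity = tlv(0x30, tlv(0x17, b"130101000000Z") + tlv(0x17, b"140101000000Z"))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + alg
              + name(issuer) + validity + name(subject) + tlv(0x30, b""))
    der = tlv(0x30, tbs + alg + tlv(0x03, b"\x00"))
    return "-----BEGIN CERTIFICATE-----\n%s-----END CERTIFICATE-----\n" % base64.encodebytes(der).decode()
def issuer_subject(der):
    # TBSCertificate: [0] version (optional), serialNumber, signature, issuer, validity, subject, ...
    fields = children(children(children(der)[0][1])[0][1])
    if fields[0][0] == 0xA0:
        fields = fields[1:]
    return name_str(fields[2][1]), name_str(fields[4][1])
def check_chain(pem):
    # Server bundle order: leaf first, then each cert followed by the CA that issued it
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    certs = [issuer_subject(base64.b64decode(b)) for b in blocks]
    problems = [f"{s} was issued by {i}, but the next cert is {certs[n + 1][1]}"
                for n, (i, s) in enumerate(certs[:-1]) if i != certs[n + 1][1]]
    return [s for _, s in certs], problems

LEAF, INTER, ROOT = "mycouchdbserver.com", "Example Intermediate CA", "Example Root CA"
GOOD = fake_cert(LEAF, INTER) + fake_cert(INTER, ROOT)  # leaf, then the CA that signed it
BAD = fake_cert(INTER, ROOT) + fake_cert(LEAF, INTER)   # same two certs, wrong order
```

Running check_chain over the real cert_file bundle (open(path).read()) shows whether the leaf is first and the DigiCert intermediate directly follows it; an empty problems list says nothing about signatures or trust, only about order.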
