Posted to user@couchdb.apache.org by Frédéric Audon <ch...@gmail.com> on 2017/03/14 16:54:23 UTC

CouchDB 2.0 crashing with SSL

Hi,

I have CouchDB 2.0 as a single node.

I have a crash with SSL:

[ssl]
cert_file = /etc/letsencrypt/archive/db1.fidjy.com/cert1.pem
key_file = /etc/letsencrypt/archive/db1.fidjy.com/privkey1.pem
ssl_certificate_max_depth = 1
ciphers = ["ECDHE-ECDSA-AES128-SHA256", "ECDHE-ECDSA-AES128-SHA"]
tls_versions = [tlsv1, 'tlsv1.1', 'tlsv1.2']

[info] 2017-03-14T16:49:52.045429Z couchdb@localhost <0.204.0> --------
Starting couch_sup

[error] 2017-03-14T16:49:52.142392Z couchdb@localhost <0.235.0> --------
CRASH REPORT Process  (<0.235.0>) with 0 neighbors exited with reason: bad
argument in call to
mochiweb_socket:'-filter_broken_cipher_suites/1-fun-0-'/1(line:41) at
lists:'-filter/2-lc$^0/1-0-'/2(line:1284) <=
mochiweb_socket:add_unbroken_ciphers_default/1(line:34) <=
mochiweb_socket:listen/4(line:20) <=
mochiweb_socket_server:listen/3(line:224) <= gen_server:init_it/6(line:306)
<= proc_lib:init_p_do_apply/3(line:237); initial_call:
{mochiweb_socket_server,init,['Argument__1']}, ancestors:
[couch_secondary_services,couch_sup,<0.203.0>], messages: [], links:
[<0.212.0>], dictionary: [], trap_exit: true, status: running, heap_size:
1598, stack_size: 27, reductions: 1459


Cordialement,
Frédéric Audon
Linkedin <https://fr.linkedin.com/in/audonfrederic> Facebook
<https://www.facebook.com/frederic.audon> Twitter
<https://twitter.com/Chavenay> fidjy.com

Re: CouchDB 2.0 crashing with SSL

Posted by Dave Cottlehuber <dc...@skunkwerks.at>.
On Wed, 15 Mar 2017, at 13:06, Frédéric Audon wrote:
> with
> 
> ciphers = undefined
> tls_versions = undefined
> secure_renegotiate = undefined
> 
> no crash but curl -k https://127.0.0.1:6984/
> 
> curl: (35) Unknown SSL protocol error in connection to 127.0.0.1:6984

Salut Frédéric

Can you please retry with:

curl -vsk https://127.0.0.1:6984/

and post the output?

Also, your acceptable cipher list is very short; can you try this with a
larger list to see if you get the same failure?

If you can build from source, try using the very latest 19.3 Erlang
release and a recent OpenSSL and see if that changes -- SSL support is
continually improving in OTP itself.

I generally test SSL in Erlang using these (very old) certs:
https://github.com/mochi/mochiweb/tree/master/examples/https as I know
they work, and then swap in my own certs along the way.

In any case the issue is simple: either our mochiweb fork, or the
underlying OTP release + OpenSSL, doesn't have sufficient cipher support
for the client you are using. The fix is equally simple - use an SSL
terminator in front (haproxy or nginx, for example) and hand plain HTTP to
CouchDB. While it is *possible* to have Couch working reasonably well
without this, you will find, as we have, that over time the SSL support
in OTP can be a long way behind what browsers and API clients expect,
that there can be a significant performance & memory usage gap, and we
have better things to do than fiddling with it time & time again or
tracking down exactly what a specific problematic browser needs.

Patching our mochiweb fork is non-trivial; we have some necessary
changes that, IIRC, since 2.4.0 are not straightforward to port.

> >> > mochiweb_socket:add_unbroken_ciphers_default/1(line:34) <=

^ this is where things start to go wrong...

> > I use CouchDB 1.6 with SSL. It works very well.

Curious to know if 1.6 uses the same version of OTP & OpenSSL or not.

A+
Dave
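
Dave's recommended fix, terminating TLS in a reverse proxy and handing plain HTTP to CouchDB, as an added nginx example; this is not from the thread or the CouchDB project. It assumes nginx runs on the same host, that CouchDB's clustered interface listens on 127.0.0.1:5984 (the 2.0 default), and that the Let's Encrypt files live under the path from the original post. fullchain1.pem (mentioned later in the thread) is used instead of cert1.pem so that clients receive the intermediate certificate; the ECDHE-ECDSA suites from the original config can only be negotiated with an ECDSA certificate, so ECDHE-RSA equivalents are listed alongside them for an RSA key.

```nginx
# Added example (not from the thread): nginx terminates TLS on 6984 and
# forwards plain HTTP to CouchDB on the loopback interface.
server {
    listen 6984 ssl;
    server_name db1.fidjy.com;

    # Paths assumed from the original post. fullchain1.pem carries the
    # Let's Encrypt intermediate, which cert1.pem alone does not.
    ssl_certificate     /etc/letsencrypt/archive/db1.fidjy.com/fullchain1.pem;
    ssl_certificate_key /etc/letsencrypt/archive/db1.fidjy.com/privkey1.pem;

    # Modern clients only: the tlsv1 / 'tlsv1.1' entries from the
    # original [ssl] section are deliberately dropped.
    ssl_protocols TLSv1.2;

    # ECDHE-ECDSA suites need an ECDSA certificate; the ECDHE-RSA
    # suites cover the (assumed) RSA key behind the Let's Encrypt cert.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:couchdb_ssl:10m;
    ssl_session_timeout 1d;

    location / {
        proxy_pass http://127.0.0.1:5984;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        # Continuous _changes feeds and replication must not be buffered
        # or cut off by the default read timeout.
        proxy_buffering off;
        proxy_read_timeout 3600s;
    }
}
```

With this in place, leave CouchDB's own HTTPS listener disabled so the two do not compete for port 6984, keep CouchDB bound to 127.0.0.1 (and keep 5984 closed at the firewall) so the plaintext port is only reachable through the proxy, validate the file with `nginx -t`, and then repeat Dave's `curl -vsk https://127.0.0.1:6984/` check against nginx rather than against the Erlang listener.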

Re: CouchDB 2.0 crashing with SSL

Posted by Frédéric Audon <ch...@gmail.com>.
with

ciphers = undefined
tls_versions = undefined
secure_renegotiate = undefined

no crash but curl -k https://127.0.0.1:6984/

curl: (35) Unknown SSL protocol error in connection to 127.0.0.1:6984

Cordialement,
Frédéric Audon
Linkedin <https://fr.linkedin.com/in/audonfrederic> Facebook
<https://www.facebook.com/frederic.audon> Twitter
<https://twitter.com/Chavenay> fidjy.com
06 34 96 10 54 / 02 51 22 16 85 (perso) / 02 52 67 07 07 (bureau)

2017-03-15 12:08 GMT+01:00 Frédéric Audon <ch...@gmail.com>:

> 2017-03-14 18:28 GMT+01:00 Myles Braithwaite 👾 <me...@mylesbraithwaite.com>:
>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA256
>>
>> Frédéric Audon wrote:
>> > I have couchDB 2.0 in single node.
>> >
>> > I have a crash with SSL
>> >
>> > [ssl]
>> > cert_file = /etc/letsencrypt/archive/db1.fidjy.com/cert1.pem
>> > key_file = /etc/letsencrypt/archive/db1.fidjy.com/privkey1.pem
>> > ssl_certificate_max_depth = 1
>> > ciphers = ["ECDHE-ECDSA-AES128-SHA256", "ECDHE-ECDSA-AES128-SHA"]
>> > tls_versions = [tlsv1, 'tlsv1.1', 'tlsv1.2']
>> >
>> > [info] 2017-03-14T16:49:52.045429Z couchdb@localhost <0.204.0> --------
>> > Starting couch_sup
>> >
>> > [error] 2017-03-14T16:49:52.142392Z couchdb@localhost <0.235.0>
>> --------
>> > CRASH REPORT Process  (<0.235.0>) with 0 neighbors exited with reason:
>> bad
>> > argument in call to
>> > mochiweb_socket:'-filter_broken_cipher_suites/1-fun-0-'/1(line:41) at
>> > lists:'-filter/2-lc$^0/1-0-'/2(line:1284) <=
>> > mochiweb_socket:add_unbroken_ciphers_default/1(line:34) <=
>> > mochiweb_socket:listen/4(line:20) <=
>> > mochiweb_socket_server:listen/3(line:224) <=
>> gen_server:init_it/6(line:306)
>> > <= proc_lib:init_p_do_apply/3(line:237); initial_call:
>> > {mochiweb_socket_server,init,['Argument__1']}, ancestors:
>> > [couch_secondary_services,couch_sup,<0.203.0>], messages: [], links:
>> > [<0.212.0>], dictionary: [], trap_exit: true, status: running,
>> heap_size:
>> > 1598, stack_size: 27, reductions: 1459
>>
>> I think you also have to include the `cacert_file` to use Let's Encrypt,
>> see documentation here:
>> <http://docs.couchdb.org/en/2.0.0/config/http.html#ssl/cacert_file>.
>>
>
> cacert_file
> Path to file containing PEM encoded CA certificates (trusted certificates
> used for verifying a peer certificate). May be omitted if you do not want
> to verify the peer:
> http://docs.couchdb.org/en/1.6.1/config/http.html#ssl/cacert_file
>
>
>> Are you sure that the files
>> `/etc/letsencrypt/archive/db1.fidjy.com/{cert1,privkey1,fullchain1}.pem`
>> are all readable by the CouchDB user?
>>
>
> Yes, I checked
>
>
>>
>> Also this blog post,
>> <https://medium.com/@silverbackdan/installing-couchdb-2-0-
>> nosql-with-centos-7-and-certbot-lets-encrypt-f412198c3051#.c0kslhcj0>
>> suggests using a proxy like Haproxy or Nginx to handle the SSL instead of
>> CouchDB
>
>
> I use CouchDB 1.6 with SSL. It works very well.
>
>
>> .
>> -----BEGIN PGP SIGNATURE-----
>> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>>
>> iQIcBAEBCAAGBQJYyCgiAAoJEKSaZN9bQjWQeyUQALy3cLB2FzJ1D9zl+okgyDBu
>> lzpwOEgqu7vIJl7Z8KcQ9um96XNhL/nbNtYOkPjVhwcdic8TBx9BAgHHDNack4VF
>> kCOWgIqVhWSX1YvWxi35Ckl47nhDjlSLrA1R06loWtsASq0L/75BMJb6fOvzESjZ
>> ++K3436/YccptuOrjVoHVT42urybkcutwUqMv7ZmmB252S/gzmxtJGHKttHjZWbl
>> V8n/Sle0/fjI15oqK2br/cY4c1VL8sQhojnIeEMxwvzgMi5Ka8BS/32fRctcVrdO
>> PA0omwwCfvW079S3MuQxAb/xyj/RR18DgzHOwDJWlZuFUv7Kg0V9N3/bibb6VSQZ
>> NwOlTwagpcktQebbO7a7exZQTToRHRXJ/Qu4+1ypeMEq/xsR4sPS/2TfoPiNVOrf
>> 8zBu2VJuMcwxMyryptcwJILv6PN90Eg2i8FMbjIqOb8Z8Jn0BORZNFhd8ZoMksba
>> a2f1xmmcF6vkOrH4Lx1APtRFQjayYHDMg/PdVZluOyobXya4PBFrkQPmJzCymHdC
>> boKllXm2rrw21JI8C+DK1XMXS64yovinBcJ4fkbPIT31ese1T5svT0eCofmCFoGR
>> jEDZquUHAXho9xxEROMuthNLBXSBb7JDsOCiOZ+KZdMQkBQ9xY3QroNIZCMZ4hAg
>> WnuU0ynGZPIY7pJrU4KR
>> =W0S3
>> -----END PGP SIGNATURE-----
>>
>>
>

Re: CouchDB 2.0 crashing with SSL

Posted by Frédéric Audon <ch...@gmail.com>.
2017-03-14 18:28 GMT+01:00 Myles Braithwaite 👾 <me...@mylesbraithwaite.com>:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> Frédéric Audon wrote:
> > I have couchDB 2.0 in single node.
> >
> > I have a crash with SSL
> >
> > [ssl]
> > cert_file = /etc/letsencrypt/archive/db1.fidjy.com/cert1.pem
> > key_file = /etc/letsencrypt/archive/db1.fidjy.com/privkey1.pem
> > ssl_certificate_max_depth = 1
> > ciphers = ["ECDHE-ECDSA-AES128-SHA256", "ECDHE-ECDSA-AES128-SHA"]
> > tls_versions = [tlsv1, 'tlsv1.1', 'tlsv1.2']
> >
> > [info] 2017-03-14T16:49:52.045429Z couchdb@localhost <0.204.0> --------
> > Starting couch_sup
> >
> > [error] 2017-03-14T16:49:52.142392Z couchdb@localhost <0.235.0> --------
> > CRASH REPORT Process  (<0.235.0>) with 0 neighbors exited with reason:
> bad
> > argument in call to
> > mochiweb_socket:'-filter_broken_cipher_suites/1-fun-0-'/1(line:41) at
> > lists:'-filter/2-lc$^0/1-0-'/2(line:1284) <=
> > mochiweb_socket:add_unbroken_ciphers_default/1(line:34) <=
> > mochiweb_socket:listen/4(line:20) <=
> > mochiweb_socket_server:listen/3(line:224) <=
> gen_server:init_it/6(line:306)
> > <= proc_lib:init_p_do_apply/3(line:237); initial_call:
> > {mochiweb_socket_server,init,['Argument__1']}, ancestors:
> > [couch_secondary_services,couch_sup,<0.203.0>], messages: [], links:
> > [<0.212.0>], dictionary: [], trap_exit: true, status: running, heap_size:
> > 1598, stack_size: 27, reductions: 1459
>
> I think you also have to include the `cacert_file` to use Let's Encrypt,
> see documentation here:
> <http://docs.couchdb.org/en/2.0.0/config/http.html#ssl/cacert_file>.
>

cacert_file
Path to file containing PEM encoded CA certificates (trusted certificates
used for verifying a peer certificate). May be omitted if you do not want
to verify the peer:
http://docs.couchdb.org/en/1.6.1/config/http.html#ssl/cacert_file


> Are you sure that the files
> `/etc/letsencrypt/archive/db1.fidjy.com/{cert1,privkey1,fullchain1}.pem`
> are all readable by the CouchDB user?
>

Yes, I checked


>
> Also this blog post,
> <https://medium.com/@silverbackdan/installing-
> couchdb-2-0-nosql-with-centos-7-and-certbot-lets-encrypt-
> f412198c3051#.c0kslhcj0>
> suggests using a proxy like Haproxy or Nginx to handle the SSL instead of
> CouchDB


I use CouchDB 1.6 with SSL. It works very well.


> .
> -----BEGIN PGP SIGNATURE-----
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>
> iQIcBAEBCAAGBQJYyCgiAAoJEKSaZN9bQjWQeyUQALy3cLB2FzJ1D9zl+okgyDBu
> lzpwOEgqu7vIJl7Z8KcQ9um96XNhL/nbNtYOkPjVhwcdic8TBx9BAgHHDNack4VF
> kCOWgIqVhWSX1YvWxi35Ckl47nhDjlSLrA1R06loWtsASq0L/75BMJb6fOvzESjZ
> ++K3436/YccptuOrjVoHVT42urybkcutwUqMv7ZmmB252S/gzmxtJGHKttHjZWbl
> V8n/Sle0/fjI15oqK2br/cY4c1VL8sQhojnIeEMxwvzgMi5Ka8BS/32fRctcVrdO
> PA0omwwCfvW079S3MuQxAb/xyj/RR18DgzHOwDJWlZuFUv7Kg0V9N3/bibb6VSQZ
> NwOlTwagpcktQebbO7a7exZQTToRHRXJ/Qu4+1ypeMEq/xsR4sPS/2TfoPiNVOrf
> 8zBu2VJuMcwxMyryptcwJILv6PN90Eg2i8FMbjIqOb8Z8Jn0BORZNFhd8ZoMksba
> a2f1xmmcF6vkOrH4Lx1APtRFQjayYHDMg/PdVZluOyobXya4PBFrkQPmJzCymHdC
> boKllXm2rrw21JI8C+DK1XMXS64yovinBcJ4fkbPIT31ese1T5svT0eCofmCFoGR
> jEDZquUHAXho9xxEROMuthNLBXSBb7JDsOCiOZ+KZdMQkBQ9xY3QroNIZCMZ4hAg
> WnuU0ynGZPIY7pJrU4KR
> =W0S3
> -----END PGP SIGNATURE-----
>
>

Re: CouchDB 2.0 crashing with SSL

Posted by Myles Braithwaite 👾 <me...@mylesbraithwaite.com>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Frédéric Audon wrote:
> I have couchDB 2.0 in single node.
> 
> I have a crash with SSL
> 
> [ssl]
> cert_file = /etc/letsencrypt/archive/db1.fidjy.com/cert1.pem
> key_file = /etc/letsencrypt/archive/db1.fidjy.com/privkey1.pem
> ssl_certificate_max_depth = 1
> ciphers = ["ECDHE-ECDSA-AES128-SHA256", "ECDHE-ECDSA-AES128-SHA"]
> tls_versions = [tlsv1, 'tlsv1.1', 'tlsv1.2']
> 
> [info] 2017-03-14T16:49:52.045429Z couchdb@localhost <0.204.0> --------
> Starting couch_sup
> 
> [error] 2017-03-14T16:49:52.142392Z couchdb@localhost <0.235.0> --------
> CRASH REPORT Process  (<0.235.0>) with 0 neighbors exited with reason: bad
> argument in call to
> mochiweb_socket:'-filter_broken_cipher_suites/1-fun-0-'/1(line:41) at
> lists:'-filter/2-lc$^0/1-0-'/2(line:1284) <=
> mochiweb_socket:add_unbroken_ciphers_default/1(line:34) <=
> mochiweb_socket:listen/4(line:20) <=
> mochiweb_socket_server:listen/3(line:224) <= gen_server:init_it/6(line:306)
> <= proc_lib:init_p_do_apply/3(line:237); initial_call:
> {mochiweb_socket_server,init,['Argument__1']}, ancestors:
> [couch_secondary_services,couch_sup,<0.203.0>], messages: [], links:
> [<0.212.0>], dictionary: [], trap_exit: true, status: running, heap_size:
> 1598, stack_size: 27, reductions: 1459

I think you also have to include the `cacert_file` to use Let's Encrypt,
see documentation here:
<http://docs.couchdb.org/en/2.0.0/config/http.html#ssl/cacert_file>.

Are you sure that the files
`/etc/letsencrypt/archive/db1.fidjy.com/{cert1,privkey1,fullchain1}.pem`
are all readable by the CouchDB user?

Also this blog post,
<https://medium.com/@silverbackdan/installing-couchdb-2-0-nosql-with-centos-7-and-certbot-lets-encrypt-f412198c3051#.c0kslhcj0>
suggests using a proxy like Haproxy or Nginx to handle the SSL instead of
CouchDB.
-----BEGIN PGP SIGNATURE-----
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
=W0S3
-----END PGP SIGNATURE-----