You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@couchdb.apache.org by dj...@apache.org on 2013/05/20 08:56:32 UTC
[3/8] git commit: updated refs/heads/master to 7d1533e
docs: move section on SSL support into configuration chapter
Project: http://git-wip-us.apache.org/repos/asf/couchdb/repo
Commit: http://git-wip-us.apache.org/repos/asf/couchdb/commit/00520c36
Tree: http://git-wip-us.apache.org/repos/asf/couchdb/tree/00520c36
Diff: http://git-wip-us.apache.org/repos/asf/couchdb/diff/00520c36
Branch: refs/heads/master
Commit: 00520c3639db9ac4ee9b137cb82085168738719e
Parents: 7ba4c73
Author: Dirkjan Ochtman <dj...@apache.org>
Authored: Mon May 20 08:53:25 2013 +0200
Committer: Dirkjan Ochtman <dj...@apache.org>
Committed: Mon May 20 08:53:25 2013 +0200
----------------------------------------------------------------------
share/doc/src/configuring.rst | 98 ++++++++++++++++++++++++++++++++
share/doc/src/index.rst | 1 -
share/doc/src/ssl.rst | 109 ------------------------------------
3 files changed, 98 insertions(+), 110 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/couchdb/blob/00520c36/share/doc/src/configuring.rst
----------------------------------------------------------------------
diff --git a/share/doc/src/configuring.rst b/share/doc/src/configuring.rst
index 168a51f..c364417 100644
--- a/share/doc/src/configuring.rst
+++ b/share/doc/src/configuring.rst
@@ -185,3 +185,101 @@ see :ref:`http-proxying`. For further background on the OS Daemon service, see
`CouchDB Externals API`_.
.. _CouchDB Externals API: http://davispj.com/2010/09/26/new-couchdb-externals-api.html
+
+Native SSL Support
+==================
+
+CouchDB |version| supports SSL natively. All your secure connection needs can
+now be served without needing to setup and maintain a separate proxy server
+that handles SSL.
+
+SSL setup can be tricky, but the configuration in CouchDB was designed
+to be as easy as possible. All you need is two files; a certificate and
+a private key. If you bought an official SSL certificate from a
+certificate authority, both should be in your possession already.
+
+If you just want to try this out and don't want to pay anything upfront,
+you can create a self-signed certificate. Everything will work the same,
+but clients will get a warning about an insecure certificate.
+
+You will need the OpenSSL command line tool installed. It probably
+already is.
+
+::
+
+ shell> mkdir cert && cd cert
+ shell> openssl genrsa > privkey.pem
+ shell> openssl req -new -x509 -key privkey.pem -out mycert.pem -days 1095
+ shell> ls
+ mycert.pem privkey.pem
+
+Now, you need to edit CouchDB's configuration, either by editing your
+``local.ini`` file or using the ``/_config`` API calls or the
+configuration screen in Futon. Here is what you need to do in
+``local.ini``, you can infer what needs doing in the other places.
+
+Be sure to make these edits. Under ``[daemons]`` you should see:
+
+::
+
+ ; enable SSL support by uncommenting the following line and supply the PEM's below.
+ ; the default ssl port CouchDB listens on is 6984
+ ;httpsd = {couch_httpd, start_link, [https]}
+
+Here uncomment the last line:
+
+::
+
+ httpsd = {couch_httpd, start_link, [https]}
+
+Next, under ``[ssl]`` you will see:
+
+::
+
+ ;cert_file = /full/path/to/server_cert.pem
+ ;key_file = /full/path/to/server_key.pem
+
+Uncomment and adjust the paths so it matches your system's paths:
+
+::
+
+ cert_file = /home/jan/cert/mycert.pem
+ key_file = /home/jan/cert/privkey.pem
+
+For more information please read
+`http://www.openssl.org/docs/HOWTO/certificates.txt`_.
+
+Now start (or restart) CouchDB. You should be able to connect to it
+using HTTPS on port 6984:
+
+::
+
+ shell> curl https://127.0.0.1:6984/
+ curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
+ error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
+ More details here: http://curl.haxx.se/docs/sslcerts.html
+
+ curl performs SSL certificate verification by default, using a "bundle"
+ of Certificate Authority (CA) public keys (CA certs). If the default
+ bundle file isn't adequate, you can specify an alternate file
+ using the --cacert option.
+ If this HTTPS server uses a certificate signed by a CA represented in
+ the bundle, the certificate verification probably failed due to a
+ problem with the certificate (it might be expired, or the name might
+ not match the domain name in the URL).
+ If you'd like to turn off curl's verification of the certificate, use
+ the -k (or --insecure) option.
+
+Oh no what happened?! — Remember, clients will notify their users that
+your certificate is self signed. ``curl`` is the client in this case and
+it notifies you. Luckily you trust yourself (don't you?) and you can
+specify the ``-k`` option as the message reads:
+
+::
+
+ shell> curl -k https://127.0.0.1:6984/
+ {"couchdb":"Welcome","version":"|version|"}
+
+All done.
+
+.. _`http://www.openssl.org/docs/HOWTO/certificates.txt`: http://www.openssl.org/docs/HOWTO/certificates.txt
http://git-wip-us.apache.org/repos/asf/couchdb/blob/00520c36/share/doc/src/index.rst
----------------------------------------------------------------------
diff --git a/share/doc/src/index.rst b/share/doc/src/index.rst
index 63cc94f..c8b4749 100644
--- a/share/doc/src/index.rst
+++ b/share/doc/src/index.rst
@@ -31,7 +31,6 @@ Contents
api-basics
pretty_urls
configuring
- ssl
http-proxying
config_reference
replication
http://git-wip-us.apache.org/repos/asf/couchdb/blob/00520c36/share/doc/src/ssl.rst
----------------------------------------------------------------------
diff --git a/share/doc/src/ssl.rst b/share/doc/src/ssl.rst
deleted file mode 100644
index 3a546d8..0000000
--- a/share/doc/src/ssl.rst
+++ /dev/null
@@ -1,109 +0,0 @@
-.. Licensed under the Apache License, Version 2.0 (the "License"); you may not
-.. use this file except in compliance with the License. You may obtain a copy of
-.. the License at
-..
-.. http://www.apache.org/licenses/LICENSE-2.0
-..
-.. Unless required by applicable law or agreed to in writing, software
-.. distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-.. WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-.. License for the specific language governing permissions and limitations under
-.. the License.
-
-Native SSL Support
-==================
-
-CouchDB |version| supports SSL natively. All your secure connection needs can
-now be served without needing to setup and maintain a separate proxy server
-that handles SSL.
-
-SSL setup can be tricky, but the configuration in CouchDB was designed
-to be as easy as possible. All you need is two files; a certificate and
-a private key. If you bought an official SSL certificate from a
-certificate authority, both should be in your possession already.
-
-If you just want to try this out and don't want to pay anything upfront,
-you can create a self-signed certificate. Everything will work the same,
-but clients will get a warning about an insecure certificate.
-
-You will need the OpenSSL command line tool installed. It probably
-already is.
-
-::
-
- shell> mkdir cert && cd cert
- shell> openssl genrsa > privkey.pem
- shell> openssl req -new -x509 -key privkey.pem -out mycert.pem -days 1095
- shell> ls
- mycert.pem privkey.pem
-
-Now, you need to edit CouchDB's configuration, either by editing your
-``local.ini`` file or using the ``/_config`` API calls or the
-configuration screen in Futon. Here is what you need to do in
-``local.ini``, you can infer what needs doing in the other places.
-
-Be sure to make these edits. Under ``[daemons]`` you should see:
-
-::
-
- ; enable SSL support by uncommenting the following line and supply the PEM's below.
- ; the default ssl port CouchDB listens on is 6984
- ;httpsd = {couch_httpd, start_link, [https]}
-
-Here uncomment the last line:
-
-::
-
- httpsd = {couch_httpd, start_link, [https]}
-
-Next, under ``[ssl]`` you will see:
-
-::
-
- ;cert_file = /full/path/to/server_cert.pem
- ;key_file = /full/path/to/server_key.pem
-
-Uncomment and adjust the paths so it matches your system's paths:
-
-::
-
- cert_file = /home/jan/cert/mycert.pem
- key_file = /home/jan/cert/privkey.pem
-
-For more information please read
-`http://www.openssl.org/docs/HOWTO/certificates.txt`_.
-
-Now start (or restart) CouchDB. You should be able to connect to it
-using HTTPS on port 6984:
-
-::
-
- shell> curl https://127.0.0.1:6984/
- curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
- error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
- More details here: http://curl.haxx.se/docs/sslcerts.html
-
- curl performs SSL certificate verification by default, using a "bundle"
- of Certificate Authority (CA) public keys (CA certs). If the default
- bundle file isn't adequate, you can specify an alternate file
- using the --cacert option.
- If this HTTPS server uses a certificate signed by a CA represented in
- the bundle, the certificate verification probably failed due to a
- problem with the certificate (it might be expired, or the name might
- not match the domain name in the URL).
- If you'd like to turn off curl's verification of the certificate, use
- the -k (or --insecure) option.
-
-Oh no what happened?! — Remember, clients will notify their users that
-your certificate is self signed. ``curl`` is the client in this case and
-it notifies you. Luckily you trust yourself (don't you?) and you can
-specify the ``-k`` option as the message reads:
-
-::
-
- shell> curl -k https://127.0.0.1:6984/
- {"couchdb":"Welcome","version":"|version|"}
-
-All done.
-
-.. _`http://www.openssl.org/docs/HOWTO/certificates.txt`: http://www.openssl.org/docs/HOWTO/certificates.txt