Posted to notifications@couchdb.apache.org by GitBox <gi...@apache.org> on 2020/06/24 10:00:05 UTC
[GitHub] [couchdb] raulmartinezr opened a new issue #2964: TLS client: In state cipher received SERVER ALERT: Fatal - Unknown CA error enabling x509 cert auth for replication
raulmartinezr opened a new issue #2964:
URL: https://github.com/apache/couchdb/issues/2964
Hi,
I am trying to configure client certificate authentication in the following scenario with CouchDB 3.1.0:
- Server CouchDB
- Client CouchDB, where I configure bidirectional replication to and from the server CouchDB (push+pull)
However, although everything seems to be configured correctly, I see the following errors:
Client side
```
TLS client: In state cipher received SERVER ALERT: Fatal - Unknown CA
```
Server Side
```
TLS server: In state certify received CLIENT ALERT: Fatal - Handshake Failure
```
It **seems the client does not trust the server CA**, but it should. I reproduced the same connection with openssl and curl, and it works in both cases:
```bash
sudo curl --url https://192.168.1.66:6984/database/ \
--key /opt/couchdb/etc/ssl/node-71.client.key.pem \
--cert /opt/couchdb/etc/ssl/node-71.client.cert.pem \
--cacert /opt/couchdb/etc/ssl/ca-chain.cert.pem --insecure
{"error":"unauthorized","reason":"You are not authorized to access this db."}
```
```bash
sudo openssl s_client -connect 192.168.1.66:6984 \
-key /opt/couchdb/etc/ssl/node-71.client.key.pem \
-cert /opt/couchdb/etc/ssl/node-71.client.cert.pem \
-CAfile /opt/couchdb/etc/ssl/ca-chain.cert.pem
CONNECTED(00000005)
....
```
**Below is the relevant configuration on both sides**, client and server.
_Remark: all certificates are signed by the same intermediate CA (all have the same validation path), and both the root and intermediate CAs are included in /opt/couchdb/etc/ssl/ca-chain.cert.pem._
**Client**
```ini
[ssl]
enable = true
cert_file = /opt/couchdb/etc/ssl/node-71.server.cert.pem
key_file = /opt/couchdb/etc/ssl/node-71.server.key.pem
verify_ssl_certificates = true
fail_if_no_peer_cert = false
cacert_file = /opt/couchdb/etc/ssl/ca-chain.cert.pem
[replicator]
cert_file = /opt/couchdb/etc/ssl/node-71.client.cert.pem
key_file = /opt/couchdb/etc/ssl/node-71.client.key.pem
; Avoid hostname check failure
verify_ssl_certificates = false
ssl_trusted_certificates_file = /opt/couchdb/etc/ssl/ca-chain.cert.pem
ssl_certificate_max_depth = 5
```
**Server**
```ini
[ssl]
enable = true
cert_file = /opt/couchdb/etc/ssl/node-66.server.cert.pem
key_file = /opt/couchdb/etc/ssl/node-66.server.key.pem
verify_ssl_certificates = true
fail_if_no_peer_cert = true
cacert_file = /opt/couchdb/etc/ssl/ca-chain.cert.pem
[replicator]
cert_file = /opt/couchdb/etc/ssl/node-66.client.cert.pem
key_file = /opt/couchdb/etc/ssl/node-66.client.key.pem
verify_ssl_certificates = false
ssl_trusted_certificates_file = /opt/couchdb/etc/ssl/ca-chain.cert.pem
```
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
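Two things in the posted client configuration deserve a closer look from a security standpoint, independent of the handshake error: `[replicator] verify_ssl_certificates = false` means outbound replication does not validate the remote server's certificate at all (the CouchDB configuration reference documents this option as "set to true to validate peer certificates"), and `[ssl] fail_if_no_peer_cert = false` tells the TLS layer to accept clients that present no certificate. Also note that a TLS `unknown_ca` alert is sent by the side that could not build a trust path for the certificate it received. The following is an added example, not code from the issue or from the CouchDB project: a small standard-library Python linter that reads a CouchDB ini and flags settings that weaken peer authentication. The embedded ini text is constructed from the client-node configuration posted above; the hardened variant is a hypothetical correction, and the option names and semantics follow the CouchDB configuration reference.

```python
"""Lint the TLS sections of a CouchDB ini for settings that weaken peer
authentication. Added example; not part of CouchDB."""
import configparser
from typing import List, Set, Tuple

Finding = Tuple[str, str, str]  # (section, option, message)

# Constructed from the client-node configuration posted in the issue.
CLIENT_INI = """\
[ssl]
enable = true
cert_file = /opt/couchdb/etc/ssl/node-71.server.cert.pem
key_file = /opt/couchdb/etc/ssl/node-71.server.key.pem
verify_ssl_certificates = true
fail_if_no_peer_cert = false
cacert_file = /opt/couchdb/etc/ssl/ca-chain.cert.pem
[replicator]
cert_file = /opt/couchdb/etc/ssl/node-71.client.cert.pem
key_file = /opt/couchdb/etc/ssl/node-71.client.key.pem
; Avoid hostname check failure
verify_ssl_certificates = false
ssl_trusted_certificates_file = /opt/couchdb/etc/ssl/ca-chain.cert.pem
ssl_certificate_max_depth = 5
"""

# Hypothetical hardened variant of the same node (not from the issue):
# require a client certificate on inbound TLS and verify the remote on outbound.
HARDENED_INI = CLIENT_INI.replace(
    "fail_if_no_peer_cert = false", "fail_if_no_peer_cert = true"
).replace(
    "; Avoid hostname check failure\nverify_ssl_certificates = false",
    "verify_ssl_certificates = true",
)


def _flag(cp: configparser.ConfigParser, section: str, option: str) -> bool:
    """CouchDB booleans are written true/false; a missing option counts as false."""
    return cp.getboolean(section, option, fallback=False)


def lint(ini_text: str) -> List[Finding]:
    """Return the settings that weaken inbound or outbound TLS peer authentication."""
    cp = configparser.ConfigParser(interpolation=None)  # paths may contain '%'
    cp.read_string(ini_text)
    findings: List[Finding] = []

    # Inbound side: the node's own HTTPS listener.
    if cp.has_section("ssl") and _flag(cp, "ssl", "enable"):
        if not _flag(cp, "ssl", "verify_ssl_certificates"):
            findings.append(("ssl", "verify_ssl_certificates",
                             "false: the node never requests or validates client certificates"))
        else:
            if not cp.has_option("ssl", "cacert_file"):
                findings.append(("ssl", "cacert_file",
                                 "missing: no CA bundle to validate client certificates against"))
            if not _flag(cp, "ssl", "fail_if_no_peer_cert"):
                findings.append(("ssl", "fail_if_no_peer_cert",
                                 "false: TLS accepts clients that present no certificate at all"))
        for opt in ("cert_file", "key_file"):
            if not cp.has_option("ssl", opt):
                findings.append(("ssl", opt, "missing: listener has no TLS identity"))

    # Outbound side: the replicator acting as an HTTPS client.
    if cp.has_section("replicator"):
        if not _flag(cp, "replicator", "verify_ssl_certificates"):
            findings.append(("replicator", "verify_ssl_certificates",
                             "false: outbound replication accepts any server certificate; "
                             "put the URL host (or IP) in the server cert's subjectAltName "
                             "instead of disabling verification"))
        elif not cp.has_option("replicator", "ssl_trusted_certificates_file"):
            findings.append(("replicator", "ssl_trusted_certificates_file",
                             "missing: verification enabled but no trust anchors configured"))
        if cp.has_option("replicator", "cert_file") != cp.has_option("replicator", "key_file"):
            findings.append(("replicator", "cert_file/key_file",
                             "only one of the client certificate and its key is configured"))
    return findings


def weak_options(ini_text: str) -> Set[Tuple[str, str]]:
    """Just the (section, option) pairs, convenient for checks and tests."""
    return {(section, option) for section, option, _ in lint(ini_text)}


if __name__ == "__main__":
    for label, text in (("posted client config", CLIENT_INI), ("hardened", HARDENED_INI)):
        print(f"== {label}: {len(lint(text))} finding(s)")
        for section, option, message in lint(text):
            print(f"  [{section}] {option} -> {message}")
```

Run against the posted client configuration the linter reports the two weak settings; against the hardened variant it reports nothing. The real fix for "hostname check failed" when replicating to `https://192.168.1.66:6984/` is a server certificate whose subjectAltName carries that IP (or using a DNS name that it does carry), not switching verification off.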
[GitHub] [couchdb] janl closed issue #2964: TLS client: In state cipher received SERVER ALERT: Fatal - Unknown CA error enabling x509 cert auth for replication
Posted by GitBox <gi...@apache.org>.
janl closed issue #2964:
URL: https://github.com/apache/couchdb/issues/2964