Posted to user@couchdb.apache.org by Bill <bi...@noteandgo.com> on 2012/09/26 05:20:39 UTC

SSL problems

I'm using CouchDB 1.1 and running into an issue configuring it for SSL. I have
a certificate from GoDaddy that I'm trying to use. I put the cert, two 
intermediate GoDaddy certs, and the GoDaddy root cert in a PEM file. I 
specified the path to that file in the "cert_file" entry in the couchdb config. I
also set up the "key_file" entry to point to my key file. However, after
restarting couchdb, ssl is unable to connect. When I try

curl -v https://myserver:6984/

I get the following message

* About to connect() to myserver port 6984 (#0)
* Trying myserer... connected
* Connected to myserver (myserver) port 6984 (#0)
* Initializing NSS with certpath: /etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
 CAPath: none
* NSS error -5938
Closing connection #0
* SSL connect error

It's able to connect without SSL just fine. Does anyone have any idea what I'm
doing wrong or tips to get this working?

Thanks,
Bill


Re: SSL problems

Posted by Robert Newson <rn...@apache.org>.
To be honest, I would recommend using stunnel in front of CouchDB
instead of the built-in erlang SSL module.

B.

On 26 September 2012 08:25, Benoit Chesneau <bc...@gmail.com> wrote:
> On Wed, Sep 26, 2012 at 5:20 AM, Bill <bi...@noteandgo.com> wrote:
>> I'm using CouchDB 1.1 and running into an issue configuring it for SSL. I have
>> a certificate from GoDaddy that I'm trying to use. I put the cert, two
>> intermediate GoDaddy certs, and the GoDaddy root cert in a PEM file. I
>> specified the path to that file in the "cert_file" entry in the couchdb config. I
>> also set up the "key_file" entry to point to my key file. However, after
>> restarting couchdb, ssl is unable to connect. When I try
>>
>> curl -v https://myserver:6984/
>>
>> I get the following message
>>
>> * About to connect() to myserver port 6984 (#0)
>> * Trying myserer... connected
>> * Connected to myserver (myserver) port 6984 (#0)
>> * Initializing NSS with certpath: /etc/pki/nssdb
>> * CAfile: /etc/pki/tls/certs/ca-bundle.crt
>>  CAPath: none
>> * NSS error -5938
>> Closing connection #0
>> * SSL connect error
>>
>> It's able to connect without SSL just fine. Does anyone have any idea what I'm
>> doing wrong or tips to get this working?
>>
>> Thanks,
>> Bill
>>
>
> How did you configure it? Also, did you concat the bundle with the cert?
>
> - benoît

Re: SSL problems

Posted by Benoit Chesneau <bc...@gmail.com>.
On Wed, Sep 26, 2012 at 5:20 AM, Bill <bi...@noteandgo.com> wrote:
> I'm using CouchDB 1.1 and running into an issue configuring it for SSL. I have
> a certificate from GoDaddy that I'm trying to use. I put the cert, two
> intermediate GoDaddy certs, and the GoDaddy root cert in a PEM file. I
> specified the path to that file in the "cert_file" entry in the couchdb config. I
> also set up the "key_file" entry to point to my key file. However, after
> restarting couchdb, ssl is unable to connect. When I try
>
> curl -v https://myserver:6984/
>
> I get the following message
>
> * About to connect() to myserver port 6984 (#0)
> * Trying myserer... connected
> * Connected to myserver (myserver) port 6984 (#0)
> * Initializing NSS with certpath: /etc/pki/nssdb
> * CAfile: /etc/pki/tls/certs/ca-bundle.crt
>  CAPath: none
> * NSS error -5938
> Closing connection #0
> * SSL connect error
>
> It's able to connect without SSL just fine. Does anyone have any idea what I'm
> doing wrong or tips to get this working?
>
> Thanks,
> Bill
>

How did you configure it? Also, did you concat the bundle with the cert?

- benoît

Re: SSL problems

Posted by Dave Cottlehuber <dc...@jsonified.com>.
On 26 September 2012 19:36, Bill <bi...@noteandgo.com> wrote:
> Dave Cottlehuber <dc...@...> writes:
>
>>
>> On 26 September 2012 05:20, Bill <bi...@...> wrote:
>> > I'm using CouchDB 1.1 and running into an issue configuring it for SSL. I
> have
>> > a certificate from GoDaddy that I'm trying to use. I put the cert, two
>> > intermediate GoDaddy certs, and the GoDaddy root cert in a PEM file. I
>> > specified the path to that file in the "cert_file" entry in the couchdb
> config. I
>> > also set up the "key_file" entry to point to my key file. However, after
>> > restarting couchdb, ssl is unable to connect. When I try
>> >
>> > curl -v https://myserver:6984/
>> >
>> > I get the following message
>> >
>> > * About to connect() to myserver port 6984 (#0)
>> > * Trying myserer... connected
>> > * Connected to myserver (myserver) port 6984 (#0)
>> > * Initializing NSS with certpath: /etc/pki/nssdb
>> > * CAfile: /etc/pki/tls/certs/ca-bundle.crt
>> >  CAPath: none
>> > * NSS error -5938
>> > Closing connection #0
>> > * SSL connect error
>> >
>> > It's able to connect without SSL just fine. Does anyone have any idea what
> I'm
>> > doing wrong or tips to get this working?
>> >
>> > Thanks,
>> > Bill
>> >
>>
>> Hi Bill,
>>
>> I would suggest 2 things to check[1]:
>>
>> - use the mochiweb test certs to confirm that you've got couchdb set
>> up correctly
>> - confirm your certs work using openssl, both with & without the -k
>> option (validity chain)
>>
>> It's possible that you are running into one of the limitations of
>> various erlang versions, I am not up to speed but I'd suggest
>> re-testing with R15B02 once the first checks are working. Do keep us
>> posted so we can keep the wiki up to date.
>>
>> A+
>> Dave
>>
>> [1]: http://wiki.apache.org/couchdb/How_to_enable_SSL
>>
>>
>
> Hi Dave,
>
> Thanks for the suggestions. I was able to verify both the checks you suggested.
> I'm able to successfully run couchdb with a self-signed cert. And I used openssl
> to confirm that the certs work, both with and without the -k option. Are there
> any other checks you can recommend? I can post my log file errors in a few hours
> when I get back home if people think that would be helpful.
>
> The version of CouchDB I'm using was bundled with Couchbase Single Server v1.2
> so maybe there's an Erlang problem associated with that version? Is there an

It's likely quite an old release, so maybe - hard to say. OTP has
moved quite a bit in recent releases. Anyway I'd go with Bob's
recommendation on stunnel for production.

> alternative to Single Server since it's discontinued? I would love to upgrade to
> CouchDB 1.2 if I can do it without too much trouble. I've always just run
> CouchDB with Single Server and hadn't had any issue until trying to get SSL
> working with this GoDaddy cert. I'm pretty much a newbie to CouchDB so I'm
> hesitant to build it myself. Is there a simple way to get a CouchDB server
> running with v1.2 without building it myself?

What's your platform?

There are Mac & Windows binaries on http://couchdb.apache.org/#download
and https://github.com/iriscouch/build-couchdb for the rest. We'll be
happy to help you through this -- once your toolchain is set up source
is not a big hassle. IRC is a good place for questions while you're
hacking away.

A+
Dave

Re: SSL problems

Posted by Bill <bi...@noteandgo.com>.
Dave Cottlehuber <dc...@...> writes:

> 
> On 26 September 2012 05:20, Bill <bi...@...> wrote:
> > I'm using CouchDB 1.1 and running into an issue configuring it for SSL. I 
have
> > a certificate from GoDaddy that I'm trying to use. I put the cert, two
> > intermediate GoDaddy certs, and the GoDaddy root cert in a PEM file. I
> > specified the path to that file in the "cert_file" entry in the couchdb 
config. I
> > also set up the "key_file" entry to point to my key file. However, after
> > restarting couchdb, ssl is unable to connect. When I try
> >
> > curl -v https://myserver:6984/
> >
> > I get the following message
> >
> > * About to connect() to myserver port 6984 (#0)
> > * Trying myserer... connected
> > * Connected to myserver (myserver) port 6984 (#0)
> > * Initializing NSS with certpath: /etc/pki/nssdb
> > * CAfile: /etc/pki/tls/certs/ca-bundle.crt
> >  CAPath: none
> > * NSS error -5938
> > Closing connection #0
> > * SSL connect error
> >
> > It's able to connect without SSL just fine. Does anyone have any idea what 
I'm
> > doing wrong or tips to get this working?
> >
> > Thanks,
> > Bill
> >
> 
> Hi Bill,
> 
> I would suggest 2 things to check[1]:
> 
> - use the mochiweb test certs to confirm that you've got couchdb set
> up correctly
> - confirm your certs work using openssl, both with & without the -k
> option (validity chain)
> 
> It's possible that you are running into one of the limitations of
> various erlang versions, I am not up to speed but I'd suggest
> re-testing with R15B02 once the first checks are working. Do keep us
> posted so we can keep the wiki up to date.
> 
> A+
> Dave
> 
> [1]: http://wiki.apache.org/couchdb/How_to_enable_SSL
> 
> 

Hi Dave,

Thanks for the suggestions. I was able to verify both the checks you suggested. 
I'm able to successfully run couchdb with a self-signed cert. And I used openssl 
to confirm that the certs work, both with and without the -k option. Are there 
any other checks you can recommend? I can post my log file errors in a few hours 
when I get back home if people think that would be helpful.

The version of CouchDB I'm using was bundled with Couchbase Single Server v1.2 
so maybe there's an Erlang problem associated with that version? Is there an 
alternative to Single Server since it's discontinued? I would love to upgrade to 
CouchDB 1.2 if I can do it without too much trouble. I've always just run 
CouchDB with Single Server and hadn't had any issue until trying to get SSL 
working with this GoDaddy cert. I'm pretty much a newbie to CouchDB so I'm 
hesitant to build it myself. Is there a simple way to get a CouchDB server 
running with v1.2 without building it myself?

Thanks,
Bill


Re: SSL problems

Posted by Dave Cottlehuber <dc...@jsonified.com>.
On 26 September 2012 05:20, Bill <bi...@noteandgo.com> wrote:
> I'm using CouchDB 1.1 and running into an issue configuring it for SSL. I have
> a certificate from GoDaddy that I'm trying to use. I put the cert, two
> intermediate GoDaddy certs, and the GoDaddy root cert in a PEM file. I
> specified the path to that file in the "cert_file" entry in the couchdb config. I
> also set up the "key_file" entry to point to my key file. However, after
> restarting couchdb, ssl is unable to connect. When I try
>
> curl -v https://myserver:6984/
>
> I get the following message
>
> * About to connect() to myserver port 6984 (#0)
> * Trying myserer... connected
> * Connected to myserver (myserver) port 6984 (#0)
> * Initializing NSS with certpath: /etc/pki/nssdb
> * CAfile: /etc/pki/tls/certs/ca-bundle.crt
>  CAPath: none
> * NSS error -5938
> Closing connection #0
> * SSL connect error
>
> It's able to connect without SSL just fine. Does anyone have any idea what I'm
> doing wrong or tips to get this working?
>
> Thanks,
> Bill
>

Hi Bill,

I would suggest 2 things to check[1]:

- use the mochiweb test certs to confirm that you've got couchdb set
up correctly
- confirm your certs work using openssl, both with & without the -k
option (validity chain)

It's possible that you are running into one of the limitations of
various erlang versions, I am not up to speed but I'd suggest
re-testing with R15B02 once the first checks are working. Do keep us
posted so we can keep the wiki up to date.

A+
Dave

[1]: http://wiki.apache.org/couchdb/How_to_enable_SSL

Re: SSL problems

Posted by Keith Gable <zi...@ignition-project.com>.
NSS error -5938 is "End of file error", as in the server killed the stream
abruptly.

(see: http://lxr.mozilla.org/nspr/source/nsprpub/pr/include/prerr.h for a
list of NSS errors)

Check the couch logs, because your client connecting doesn't have any
additional details. You might use OpenSSL's s_client to debug the SSL
connection (see:
http://rackerhacker.com/2012/02/07/using-openssls-s_client-command-with-web-servers-using-server-name-indication-sni/)
on your client.

---
Keith Gable
A+ Certified Professional
Network+ Certified Professional
Storage+ Certified Professional
Mobile Application Developer / Web Developer



On Tue, Sep 25, 2012 at 10:20 PM, Bill <bi...@noteandgo.com> wrote:

> I'm using CouchDB 1.1 and running into an issue configuring it for SSL. I
> have
> a certificate from GoDaddy that I'm trying to use. I put the cert, two
> intermediate GoDaddy certs, and the GoDaddy root cert in a PEM file. I
> specified the path to that file in the "cert_file" entry in the couchdb
> config. I
> also set up the "key_file" entry to point to my key file. However, after
> restarting couchdb, ssl is unable to connect. When I try
>
> curl -v https://myserver:6984/
>
> I get the following message
>
> * About to connect() to myserver port 6984 (#0)
> * Trying myserer... connected
> * Connected to myserver (myserver) port 6984 (#0)
> * Initializing NSS with certpath: /etc/pki/nssdb
> * CAfile: /etc/pki/tls/certs/ca-bundle.crt
>  CAPath: none
> * NSS error -5938
> Closing connection #0
> * SSL connect error
>
> It's able to connect without SSL just fine. Does anyone have any idea what
> I'm
> doing wrong or tips to get this working?
>
> Thanks,
> Bill
>
>
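A pre-flight script that covers the three checks raised in this thread (Benoit's question about concatenating the bundle with the cert, Dave's openssl verification of the chain, and Keith's s_client probe of what the server actually sends), added here as an example and not from any poster; the file paths and host are hypothetical, and it assumes the openssl CLI and an RSA key.

```shell
#!/bin/sh
# Added example, not from the thread: pre-flight checks for the PEM bundle and
# key behind CouchDB's [ssl] cert_file / key_file. Assumes the openssl CLI
# and an RSA key (as GoDaddy issued in 2012); paths and host are hypothetical.
# Number of certificate blocks in a PEM file (leaf + intermediates + root).
pem_cert_count() {
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Succeeds only if the bundle carries no private key; the key belongs in key_file.
pem_has_no_key() {
  ! grep -q -- 'PRIVATE KEY-----' "$1"
}

# Print subject and issuer of each block in file order. In a correctly
# concatenated bundle the server (leaf) cert comes first and each issuer
# matches the subject of the block that follows it.
show_chain() {
  dir=$(mktemp -d)
  awk -v d="$dir" '/-----BEGIN CERTIFICATE-----/ {n++}
                   n > 0 {print > (d "/" sprintf("%02d", n) ".pem")}' "$1"
  for f in "$dir"/*.pem; do
    openssl x509 -noout -subject -issuer -in "$f" && echo
  done
  rm -rf "$dir"
}

# The key must belong to the first (leaf) cert: compare RSA moduli.
key_matches_cert() {
  c=$(openssl x509 -noout -modulus -in "$1" | openssl md5)
  k=$(openssl rsa -noout -modulus -in "$2" | openssl md5)
  [ "$c" = "$k" ]
}

# What a client really receives: the served chain and the verify result.
# Add -CAfile <GoDaddy bundle> if the local trust store lacks that root.
probe_server() {
  echo | openssl s_client -connect "$1:${2:-6984}" -showcerts 2>&1 |
    grep -E '^ *[0-9]+ s:|^ *i:|Verify return code|error'
}

# Usage: sh check_couch_ssl.sh bundle.pem server.key [host [port]]
if [ $# -ge 2 ]; then
  echo "certificates in bundle: $(pem_cert_count "$1")"
  pem_has_no_key "$1" || echo "WARNING: private key found inside cert_file"
  show_chain "$1"
  key_matches_cert "$1" "$2" && echo "key matches leaf cert" || echo "KEY MISMATCH"
  [ -n "$3" ] && probe_server "$3" "$4"
fi
```

An abrupt close during the handshake, as curl's NSS -5938 reports, usually shows up in the probe as an empty "Certificate chain" or a handshake error line, which narrows the fault to the server side before you dig through the couch logs.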