Posted to notifications@couchdb.apache.org by GitBox <gi...@apache.org> on 2020/06/25 08:30:03 UTC

[GitHub] [couchdb] raulmartinezr opened a new issue #2966: TLS client: In state cipher received SERVER ALERT: Fatal - Unknown CA error enabling x509 cert auth for replication

raulmartinezr opened a new issue #2966:
URL: https://github.com/apache/couchdb/issues/2966


   
   ## Description
   I am trying to configure client certificate authentication in the following scenario with CouchDB 3.1.0:
   
   "Server" -> CouchDB (single-node)
   "Client" -> CouchDB (single-node) where I configure bidirectional replication, to and from the server CouchDB (push+pull)
   
   But it's failing. Messages found in the logs:
   
   Client couchdb instance (the side which manages replication)
   
        TLS client: In state cipher received SERVER ALERT: Fatal - Unknown CA
   
   Server couchdb instance
   
        TLS server: In state certify received CLIENT ALERT: Fatal - Handshake Failure
   
   
   ## Steps to Reproduce
   
   - Configure client and server couchDB instances as described in environment
   - Configure replication in client instance (bidirectional, push and pull)
   - Replication fails
   
   
   ## Expected Behaviour
   
   Replication should work. I tested connectivity with curl and openssl with the same setup, and both are working.
   
   ```bash
   # --insecure disables curl's check of the server certificate; the server still verifies the client certificate
   sudo curl --url https://192.168.1.66:6984/database/ \
   --key /opt/couchdb/etc/ssl/node-71.client.key.pem \
   --cert /opt/couchdb/etc/ssl/node-71.client.cert.pem \
   --cacert /opt/couchdb/etc/ssl/ca-chain.cert.pem --insecure
   {"error":"unauthorized","reason":"You are not authorized to access this db."}
   ```
   
   ```bash
   sudo openssl s_client -connect 192.168.1.66:6984 \
   -key /opt/couchdb/etc/ssl/node-71.client.key.pem \
   -cert /opt/couchdb/etc/ssl/node-71.client.cert.pem \
   -CAfile /opt/couchdb/etc/ssl/ca-chain.cert.pem
   CONNECTED(00000005)
   ```
   
   
   ## Your Environment
   
   
   Client
   
         [ssl]
         enable = true
         cert_file = /opt/couchdb/etc/ssl/node-71.server.cert.pem
         key_file = /opt/couchdb/etc/ssl/node-71.server.key.pem
         verify_ssl_certificates = true
         fail_if_no_peer_cert = false
         cacert_file = /opt/couchdb/etc/ssl/ca-chain.cert.pem
         [replicator]
         cert_file = /opt/couchdb/etc/ssl/node-71.client.cert.pem
         key_file = /opt/couchdb/etc/ssl/node-71.client.key.pem
         ;# Avoid hostname check failure
         verify_ssl_certificates = false
         ssl_trusted_certificates_file = /opt/couchdb/etc/ssl/ca-chain.cert.pem
         ssl_certificate_max_depth = 5
   
   Server
   
         [ssl]
         enable = true
         cert_file = /opt/couchdb/etc/ssl/node-66.server.cert.pem
         key_file = /opt/couchdb/etc/ssl/node-66.server.key.pem
         verify_ssl_certificates = true
         fail_if_no_peer_cert = true
         cacert_file = /opt/couchdb/etc/ssl/ca-chain.cert.pem
         [replicator]
         cert_file = /opt/couchdb/etc/ssl/node-66.client.cert.pem
         key_file = /opt/couchdb/etc/ssl/node-66.client.key.pem
         verify_ssl_certificates = false
         ssl_trusted_certificates_file = /opt/couchdb/etc/ssl/ca-chain.cert.pem
   
   
   * CouchDB version used: 3.1.0
   * Browser name and version:
   * Operating system and version: Ubuntu 18.04
   
   ## Additional Context
   
   


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org
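The server-side "Unknown CA" alert in the issue above means the server could not build a path from the presented client certificate to a CA it trusts. The following is an added Go example (standard library only; not code from the issue, the reporter or CouchDB) that builds a constructed root CA, intermediate CA and client leaf, then verifies the leaf the way a server that trusts only the root would, showing that verification fails whenever the intermediate is missing from what the verifier sees. The CA names and the `node-71.client` subject are constructed placeholders.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
func must[T any](v T, err error) T { // panics on error to keep the demo short
	if err != nil {
		panic(err)
	}
	return v
}
// newCert issues a certificate for cn signed by parent (self-signed when parent is nil) with a
// fresh P-256 key. Every cert carries clientAuth so that EKU is permitted along the whole chain.
func newCert(cn string, serial int64, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: isCA, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}
// ClientChainVerifies plays the server side: it trusts only the root CA and verifies the client
// leaf with or without the intermediate. No path to a trusted root is what "Unknown CA" reports.
func ClientChainVerifies(withIntermediate bool) bool {
	root, rootKey := newCert("Constructed Root CA", 1, true, nil, nil)
	inter, interKey := newCert("Constructed Intermediate CA", 2, true, root, rootKey)
	leaf, _ := newCert("node-71.client (constructed)", 3, false, inter, interKey)
	opts := x509.VerifyOptions{Roots: x509.NewCertPool(), Intermediates: x509.NewCertPool(),
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	opts.Roots.AddCert(root)
	if withIntermediate {
		opts.Intermediates.AddCert(inter) // what a complete cert_file chain supplies
	}
	_, err := leaf.Verify(opts)
	return err == nil
}
```

In a real deployment the same check applies to the server's `cacert_file` and the client's `[replicator]` `cert_file`: the chain from the client leaf up to a CA in the server's trust file must be complete on one side or the other. Note also that `verify_ssl_certificates = false` in the `[replicator]` section turns off verification of the server's certificate entirely, so a server certificate whose name matches the address the replicator connects to is the way to avoid the hostname failure without giving that up.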



[GitHub] [couchdb] raulmartinezr commented on issue #2966: TLS client: In state cipher received SERVER ALERT: Fatal - Unknown CA error enabling x509 cert auth for replication

Posted by GitBox <gi...@apache.org>.
raulmartinezr commented on issue #2966:
URL: https://github.com/apache/couchdb/issues/2966#issuecomment-649675232


   Yep, I created the initial one as "help" by mistake. Maybe it would have been better to close "help" instead of "bug".
   
   





[GitHub] [couchdb] janl commented on issue #2966: TLS client: In state cipher received SERVER ALERT: Fatal - Unknown CA error enabling x509 cert auth for replication

Posted by GitBox <gi...@apache.org>.
janl commented on issue #2966:
URL: https://github.com/apache/couchdb/issues/2966#issuecomment-649675956


   I marked it “help” — we still need to determine if it is a bug





[GitHub] [couchdb] janl commented on issue #2966: TLS client: In state cipher received SERVER ALERT: Fatal - Unknown CA error enabling x509 cert auth for replication

Posted by GitBox <gi...@apache.org>.
janl commented on issue #2966:
URL: https://github.com/apache/couchdb/issues/2966#issuecomment-649399891


   duplicate of https://github.com/apache/couchdb/discussions/2964





[GitHub] [couchdb] janl closed issue #2966: TLS client: In state cipher received SERVER ALERT: Fatal - Unknown CA error enabling x509 cert auth for replication

Posted by GitBox <gi...@apache.org>.
janl closed issue #2966:
URL: https://github.com/apache/couchdb/issues/2966


   

