Posted to user@couchdb.apache.org by max <ma...@gmail.com> on 2017/03/15 15:30:22 UTC

CouchDB 1.6.1 SSL on Windows server 2012

Hi,

I'm trying to install a certificate on Windows server 2012 R2.
First I'd like to install a self-signed certificate. Some years ago I did
it for CouchDB 1.4.1 on a Windows server 2008 so I'm trying to reproduce
what I've done but I'm stuck.
This is what I do:
- open IIS and create a self-signed certificate then export it in order to
get a *.pfx file
- transfer this file onto a unix system where I run :

openssl pkcs12 -in file.pfx -clcerts -nokeys -out file.cer
openssl pkcs12 -in file.pfx -nocerts -nodes -out file.key

- transfer *.cer and *.key files to my windows server and edit local.ini :


[daemons]
httpsd = {couch_httpd, start_link, [https]}


[ssl]
port = 6984
cert_file = C:/srv/SSL/tmp/file.cer
key_file = C:/srv/SSL/tmp/file.key
verify_ssl_certificates = false
ssl_certificate_max_depth = 1


- restart couchdb service

- test with :

https://127.0.0.1:6984/_utils/

https://localhost:6984/_utils/

https://myServerName:6984/_utils/


What am I doing wrong ?

Finally I will use a verified certificate. To use it I was given 4
files : ca.crt, certificate.crt, client.key and client.pfx.

Which files am I supposed to use ? I guess the *.pfx but am I supposed
to run the above openssl commands ?


I've done this kind of configurations several times for Ubuntu system
with or without a reverse proxy such as nginx and it was easy.

For Windows it's really really tough but maybe I am missing something?
If you know a reverse proxy I could use for Windows which would
allow me to configure SSL quickly please let me know.


Thanks for any hints.


Max.
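
Added example, not part of the original post: a check to run on the two files produced by the openssl pkcs12 commands above before pointing cert_file and key_file at them. It confirms the certificate and key belong together and writes copies without the "Bag Attributes" text that pkcs12 places around each PEM block. The sample PFX, the password "constructed" and every file name other than file.pfx, file.cer and file.key are assumptions made for the example.

```shell
#!/bin/sh
# Added example: the sample PFX, password and helper names are constructed.
umask 077   # -nodes writes the private key unencrypted; keep it owner-only

# Build a throwaway self-signed cert and PFX standing in for the IIS export.
make_sample_pfx() {  # $1 = work dir
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=localhost" \
        -keyout "$1/src.key" -out "$1/src.crt" 2>/dev/null &&
    openssl pkcs12 -export -inkey "$1/src.key" -in "$1/src.crt" \
        -out "$1/file.pfx" -passout pass:constructed
}

# The two extraction commands from the post, password given non-interactively.
extract_pem() {  # $1 = work dir
    openssl pkcs12 -in "$1/file.pfx" -clcerts -nokeys -out "$1/file.cer" \
        -passin pass:constructed 2>/dev/null &&
    openssl pkcs12 -in "$1/file.pfx" -nocerts -nodes -out "$1/file.key" \
        -passin pass:constructed 2>/dev/null
}

# True when the certificate's public key is the one derived from the key file.
pair_matches() {  # $1 = cert, $2 = key
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Re-emit both files as bare PEM, dropping the text pkcs12 adds around them.
normalize_pem() {  # $1 = cert in, $2 = key in, $3 = cert out, $4 = key out
    openssl x509 -in "$1" -out "$3" && openssl pkey -in "$2" -out "$4"
}

# A bare PEM file starts directly with its BEGIN line.
is_bare_pem() {  # $1 = file
    head -n 1 "$1" | grep -q '^-----BEGIN '
}

# Run as "sh thisfile demo" to walk the whole sequence on the sample PFX.
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d) && make_sample_pfx "$d" && extract_pem "$d" || exit 1
    pair_matches "$d/file.cer" "$d/file.key" && echo "cert and key match"
    is_bare_pem "$d/file.cer" || echo "file.cer has text before the PEM block"
    normalize_pem "$d/file.cer" "$d/file.key" "$d/clean.cer" "$d/clean.key"
    is_bare_pem "$d/clean.cer" && echo "clean.cer is bare PEM"
    rm -rf "$d"
fi
```

With a real export, skip make_sample_pfx and let openssl prompt for the PFX password instead of passing it on the command line.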

Re: CouchDB 1.6.1 SSL on Windows server 2012

Posted by max <ma...@gmail.com>.
Hi,

Thank you for your answer. I finally used Nginx for Windows. I'll have to
do it again in a few days so I'll post any debug information I'll find with
your steps.

Thanks,
Max.

2017-03-18 12:12 GMT+01:00 Dave Cottlehuber <dc...@skunkwerks.at>:

> On Wed, 15 Mar 2017, at 16:30, max wrote:
> > Hi,
> >
> > I'm trying to install a certificate on Windows server 2012 R2.
> > First I'd like to install a self-signed certificate. Some years ago I did
> > it for CouchDB 1.4.1 on a Windows server 2008 so I'm trying to reproduce
> > what I've done but I'm stuck.
> > This is what I do:
> > - open IIS and create a self-signed certificate then export it in order
> > to
> > get a *.pfx file
> > - transfer this file onto a unix system where I run :
> >
> > openssl pkcs12 -in file.pfx -clcerts -nokeys -out file.cer
> > openssl pkcs12 -in file.pfx -nocerts -nodes -out file.key
> >
> > - transfer *.cer and *.key files to my windows server and edit local.ini
> > :
> >
> >
> > [daemons]
> > httpsd = {couch_httpd, start_link, [https]}
> >
> >
> > [ssl]
> > port = 6984
> > cert_file = C:/srv/SSL/tmp/file.cer
> > key_file = C:/srv/SSL/tmp/file.key
> > verify_ssl_certificates = false
> > ssl_certificate_max_depth = 1
>
> Hi Max,
>
> Your config looks right, you might throw "" around cert_file / key_file
> but I don't think that's the problem.
>
> https://wiki.apache.org/couchdb/How_to_enable_SSL
>
> still applies to 1.6.1. Start off with the mochiweb certs noted in the
> document as we know they work, and post output of `curl -4vsk
> https://127.0.0.1:6984/` along with whatever garbage is spewed out in
> the couch.log.
>
> It's quite possible that you have a certificate that requires OpenSSL
> features newer than what 1.6.1 was built with at the time, but the
> debugging notes in that URL above will help us see.
>
> A+
> Dave
>
>

Re: CouchDB 1.6.1 SSL on Windows server 2012

Posted by Dave Cottlehuber <dc...@skunkwerks.at>.
On Wed, 15 Mar 2017, at 16:30, max wrote:
> Hi,
> 
> I'm trying to install a certificate on Windows server 2012 R2.
> First I'd like to install a self-signed certificate. Some years ago I did
> it for CouchDB 1.4.1 on a Windows server 2008 so I'm trying to reproduce
> what I've done but I'm stuck.
> This is what I do:
> - open IIS and create a self-signed certificate then export it in order
> to
> get a *.pfx file
> - transfer this file onto a unix system where I run :
> 
> openssl pkcs12 -in file.pfx -clcerts -nokeys -out file.cer
> openssl pkcs12 -in file.pfx -nocerts -nodes -out file.key
> 
> - transfer *.cer and *.key files to my windows server and edit local.ini
> :
> 
> 
> [daemons]
> httpsd = {couch_httpd, start_link, [https]}
> 
> 
> [ssl]
> port = 6984
> cert_file = C:/srv/SSL/tmp/file.cer
> key_file = C:/srv/SSL/tmp/file.key
> verify_ssl_certificates = false
> ssl_certificate_max_depth = 1

Hi Max,

Your config looks right, you might throw "" around cert_file / key_file
but I don't think that's the problem.

https://wiki.apache.org/couchdb/How_to_enable_SSL

still applies to 1.6.1. Start off with the mochiweb certs noted in the
document as we know they work, and post output of `curl -4vsk
https://127.0.0.1:6984/` along with whatever garbage is spewed out in
the couch.log.

It's quite possible that you have a certificate that requires OpenSSL
features newer than what 1.6.1 was built with at the time, but the
debugging notes in that URL above will help us see.

A+
Dave