Posted to user@couchdb.apache.org by Andrew Kew <An...@fitchlearning.com> on 2013/06/11 17:48:16 UTC

Apache couchDB CA signed certificate issues

Hi

I am running an Apache CouchDB instance (version 1.3.0) on an Ubuntu 12.10 server in the cloud (AWS). I am trying to get SSL working on my couchDB instance.

The basic SSL setup is very easy. I have placed my certificate and key in a directory and uncommented the following lines in my local.ini file:

httpsd = {couch_httpd, start_link, [https]}
cert_file = /usr/local/etc/couchdb/certs/mycouchdbserver_cert.pem
key_file = /usr/local/etc/couchdb/certs/mycouchdbserver_key.pem
I have also made sure that the ownership on these files is correct.

This works fine: the CouchDB server starts up, and you can navigate to https://mycouchdbserver.com/_utils/ without a problem.

Testing using openssl:

openssl s_client -showcerts -connect mycouchdbserver.com:443

gives the correct result for a standard SSL configuration.

When testing the setup on the DigiCert website (the company the SSL certs were bought through - test link: http://www.digicert.com/help/) I get the following error:

The server is not sending the required intermediate certificate.

When purchasing the SSL certificate I obtained an intermediate certificate from DigiCert and have downloaded the root cert for DigiCert as well.

In the local.ini config file for couchDB you can use these with the following configuration fields:

verify_ssl_certificates = true
cacert_file = xxxx
My problem is that I can't get this to work and have tried every possible combination. Here is what I have tried:

1. Tried setting cacert_file to the intermediate cert from DigiCert
2. Tried setting cacert_file to the root certificate in /etc/ssl/certs
3. Tried adding the root cert from the DigiCert website to /usr/shared/ca-certs/ and then running dpkg-reconfigure ca-certificates to install a new root certificate and setting cacert_file to that new PEM-encoded certificate in /etc/ssl/certs
4. Tried combining the cert and intermediate cert in one file used for cert_file
5. Tried combining the cert, intermediate cert and root cert into one PEM file used for cert_file

All of the above throw errors in the CouchDB log. Some give a large amount of output in the error log, but using number 3, I get

=ERROR REPORT==== 11-Jun-2013::11:35:30 ===
SSL: hello: ssl_handshake.erl:252:Fatal error: internal error

And testing with openssl I get

CONNECTED(00000003)
16871:error:14094438:SSL routines:SSL3_READ_BYTES:tlsv1 alert internal    error:s3_pkt.c:1099:SSL alert number 80
16871:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:

Does anyone have any idea how to use verify_ssl_certificates, the root certificate and the intermediate certificate correctly with CouchDB?

I have read all the documentation online and nothing has helped.

Thanks in advance

Andrew


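Before wiring PEM files into cert_file, key_file and cacert_file, a few openssl checks catch the failure modes described above (a key that does not match the cert, a chain file in the wrong order, an intermediate missing from what the server presents). This is an added example, not code from the thread or from CouchDB; it assumes openssl on PATH and uses placeholder file names.

```shell
#!/bin/sh
# Added example, not from the thread: sanity checks on the PEM files before
# pointing CouchDB's cert_file / key_file / cacert_file at them, and on the
# chain a server actually presents. Assumes openssl on PATH; file names are
# placeholders.

# Count the certificates in a PEM stream, e.g. the output of
# `openssl s_client -showcerts -connect host:443 </dev/null`, fed on stdin.
# A CA-signed server cert should come with at least one intermediate (>= 2);
# a count of 1 is exactly what the DigiCert checker complains about.
count_presented_certs() {
    grep -c 'BEGIN CERTIFICATE' || true
}

# Does the private key belong to the certificate? Compares the public keys.
key_matches_cert() {  # $1 = cert.pem  $2 = key.pem
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Build a chain file in the order TLS expects: server cert first, then the
# intermediate(s). The root is not needed on the wire; clients already have it.
build_chain_file() {  # $1 = out.pem  $2 = server cert  $3.. = intermediates
    out=$1; shift
    cat "$@" > "$out"
}

# Is the first certificate in a chain file the expected server cert?
# `openssl x509` reads only the first PEM block, so it sees the leading cert.
first_cert_is() {  # $1 = chain.pem  $2 = expected cert.pem
    a=$(openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null) || return 1
    b=$(openssl x509 -in "$2" -noout -fingerprint -sha256 2>/dev/null) || return 1
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Verify the chain end to end the way a client would: the leading cert must
# chain through the intermediates in the file up to the trusted root.
verify_chain() {  # $1 = chain.pem (server cert first)  $2 = root.pem
    openssl x509 -in "$1" 2>/dev/null |
        openssl verify -CAfile "$2" -untrusted "$1" >/dev/null 2>&1
}
```

Piping `openssl s_client -showcerts -connect mycouchdbserver.com:443 </dev/null` into count_presented_certs shows how many certificates the server really sends; the DigiCert error corresponds to a count of 1.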

Re: Apache couchDB CA signed certificate issues

Posted by Robert Newson <rn...@apache.org>.
Sander,

It depends on your erlang version. I think SSL support from R15
onwards is pretty good, but that came long after the problems we've
seen with SSL in production (under load). YMMV.

Basically, CouchDB's support for SSL is dependent on the quality of
SSL support in erlang itself.

B.


On 12 June 2013 15:28, Sander Dijkhuis <ma...@sanderdijkhuis.nl> wrote:

Re: Apache couchDB CA signed certificate issues

Posted by Sander Dijkhuis <ma...@sanderdijkhuis.nl>.
What kind of problems should I expect with native SSL? I’ve just set up CouchDB with a self-signed certificate, and that seems to work fine for my purposes.

If it’s advised against, maybe this manual page should mention that:
http://docs.couchdb.org/en/latest/configuring.html#native-ssl-support

On Jun 12, 2013, at 16:14 , Jason Smith <jh...@apache.org> wrote:


Re: Apache couchDB CA signed certificate issues

Posted by Jason Smith <jh...@apache.org>.
That was the single most problematic CouchDB commit I have ever had to deal
with. (Bob's work was fine; but it forced an introduction I regretted
having.)


On Wed, Jun 12, 2013 at 9:03 PM, Robert Newson <rn...@apache.org> wrote:


Re: Apache couchDB CA signed certificate issues

Posted by Robert Newson <rn...@apache.org>.
and by "never", I strictly mean "for a very brief period where I added
native SSL support to CouchDB in 2010".

B.


On 12 June 2013 15:01, Robert Newson <rn...@apache.org> wrote:

Re: Apache couchDB CA signed certificate issues

Posted by Robert Newson <rn...@apache.org>.
I'd recommend haproxy 1.5 anyway, I've never been a big fan of
erlang's built-in SSL support (and it has a fairly yucky history of
bugs).

B.


On 11 June 2013 16:48, Andrew Kew <An...@fitchlearning.com> wrote: