Posted to user@couchdb.apache.org by Raja <ra...@gmail.com> on 2016/04/27 19:58:39 UTC

CouchDB crashing with SSL

Hi

We recently enabled SSL on CouchDB 1.6.1. Suddenly, it seems to be throwing
errors in the log when viewing even the main url on Futon. The errors are
shown in
https://gist.github.com/rajasaur/747ca711810c22e7780b3288c659f216

1. This was working till last week (http also works perfectly now).
2. Doing a curl seems to make it work:

curl -XGET  https://user:password@server:6984

returns {"couchdb":"Welcome","uuid":"de859c6bd13c708e759abc283f67f3c4","version":"1.6.1","vendor":{"version":"1.6.1","name":"The Apache Software Foundation"}}

but hitting https://<server>:6984 on the browser throws the above mentioned
stack trace. Why would it fail using a browser but not with curl? Doing a
verbose with Curl indicated that it was negotiating using TLS 1.2
connection. I tried to force using --tlsv1.0, --tlsv1.1 and --tlsv1.2 to
curl to see if I can simulate the browser failure but it worked fine in all
cases.

3. Setup local.ini to have tls_version = [ 'tlsv1.2' ], but same result.


Browsing some of the older discussions suggests an upgrade of Erl (we use
Erlang OTP/R16B03-1). Is there anything else I should be looking before
going the upgrade route?


Thanks a lot for the help

Raja
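
Added example, not part of the original post: curl documents --tlsv1.0, --tlsv1.1 and --tlsv1.2 as minimum versions, so runs with those flags can all still settle on TLS 1.2. The Python code below pins both the minimum and the maximum version for each handshake against the HTTPS port; the host name in the usage lines is a placeholder, and verify=False is meant only for a self-signed certificate on a test server.

```python
import socket
import ssl

# The three protocol versions tried with curl in the post above.
VERSIONS = {
    "tlsv1.0": ssl.TLSVersion.TLSv1,
    "tlsv1.1": ssl.TLSVersion.TLSv1_1,
    "tlsv1.2": ssl.TLSVersion.TLSv1_2,
}


def pinned_context(name, verify=True):
    """Client context that offers exactly one protocol version."""
    ctx = ssl.create_default_context()
    if not verify:  # only for a self-signed certificate on a test server
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = VERSIONS[name]
    ctx.maximum_version = VERSIONS[name]
    return ctx


def probe(host, port=6984, verify=True, timeout=5.0):
    """Attempt one handshake per pinned version; return {version: outcome}."""
    results = {}
    for name in VERSIONS:
        try:
            ctx = pinned_context(name, verify)
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    results[name] = "ok: %s, %s" % (tls.version(), tls.cipher()[0])
        except (ssl.SSLError, OSError, ValueError) as exc:
            # Old versions may also be refused by the local OpenSSL policy,
            # so a failure here is not always the server's doing.
            results[name] = "failed: %s" % exc
    return results


if __name__ == "__main__":
    # "couch.example.org" is a placeholder host name.
    for version, outcome in probe("couch.example.org").items():
        print(version, outcome)
```
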

Re: CouchDB 2.0 HTTPS won't start & crash

Posted by co...@lechat.org.
Oops, sure it's Debian 8.4 ... running in lxc container/pve 4.9.2-10

Regards,

Thierry

On 06/10/2016 at 11:12, couchdb@lechat.org wrote:
> Hi,
>
> I made a fresh installation of couchdb2.0 on Debian 4.9.2-10
> Everything works fine with http 5984, great couchdb ! Thank you all 
> for your long and hard work !
>
> But when I uncomment local.ini line :
>
> httpsd = {couch_httpd, start_link, [https]}
>
> and putting ssl cert_file and key_file path in config as described in 
> docs,
>
> couchdb won't start anymore and crash immediately with this log :
>
> [error] 2016-10-06T08:43:32.412024Z couchdb@localhost <0.213.0> 
> -------- Supervisor couch_secondary_services had child httpsd started 
> with couch_httpd:start_link(https) at undefined exit with reason 
> {'EXIT',{badarg,[{erlang,'++',[undefined,"."],[]},{couch_util,parse_term,1,[{file,"src/couch_util.erl"},{line,164}]},{couch_httpd,start_link,1,[{file,"src/couch_httpd.erl"},{line,46}]},{supervisor,do_start_child,2,[{file,"supervisor.erl"},{line,314}]},{supervisor,start_children,3,[{file,"supervisor.erl"},{line,297}]},{supervisor,init_children,2,[{file,"supervisor.erl"},{line,263}]},{gen_server,init_it,6,[{file,"gen_server.erl"},{line,306}]},{proc_lib,init_p_do_apply,3,[{file,"proc_lib.erl"},...]}]}} 
> in context start_error
>
> I have triple-checked all file permissions of cert files and path to
> be sure the issue is not on this side.
>
>
> Could somebody point me in a direction to understand what is
> happening? Bad arg undefined '.' is not really understandable.
>
> Thank you in advance if somebody can help.
>
> Regards,
>
> Thierry.


Re: CouchDB 2.0 HTTPS won't start & crash

Posted by Robert Samuel Newson <rn...@apache.org>.
it does if you declare the right module;

you have;

httpsd = {couch_httpd, start_link, [https]}

but you need

httpsd = {chttpd, start_link, [https]}

B.

> On 8 Oct 2016, at 01:04, couchdb@lechat.org wrote:
> 
> Hi Robert,
> 
> Thanks a lot for your quick reply, I can confirm that this is now starting with these three settings in local.ini
> 
> My plan is to put couchdb behind a load balancer, so I'm not worried about the ssllabs test but thank you for this information.
> 
> One more thing, httpds doesn't take into account the bind_adress directive put in [chttpd]. It stays with localhost.
> I tried to add bind_adress  = 0.0.0.0 in [ssl] or in [chttpds] but no success.
> 
> Is there another directive or section to bind ssl port 6984 to the outside world (-; ?
> 
> Thank you again.
> 
> Regards,
> 
> Thierry
> 
> 
> On 07/10/2016 at 20:59, Robert Samuel Newson wrote:
>> This is a bug in 2.0 that's been fixed already (COUCHDB-3162), but here's a workaround;
>> 
>> in local.ini add;
>> 
>> [ssl]
>> ciphers = undefined
>> tls_versions = undefined
>> secure_renegotiate = undefined
>> 
>> This will give you the default settings. You can obviously customise these to suit.
>> 
>> NOTE: the default cipher suite that erlang will give will not give you the best rating from ssllabs.com, you'll need to exclude weaker options to get to A- grade.
>> 
>> 
>>> On 6 Oct 2016, at 10:12, couchdb@lechat.org wrote:
>>> 
>>> Hi,
>>> 
>>> I made a fresh installation of couchdb2.0 on Debian 4.9.2-10
>>> Everything works fine with http 5984, great couchdb ! Thank you all for your long and hard work !
>>> 
>>> But when I uncomment local.ini line :
>>> 
>>> httpsd = {couch_httpd, start_link, [https]}
>>> 
>>> and putting ssl cert_file and key_file path in config as described in docs,
>>> 
>>> couchdb won't start anymore and crash immediately with this log :
>>> 
>>> [error] 2016-10-06T08:43:32.412024Z couchdb@localhost <0.213.0> -------- Supervisor couch_secondary_services had child httpsd started with couch_httpd:start_link(https) at undefined exit with reason {'EXIT',{badarg,[{erlang,'++',[undefined,"."],[]},{couch_util,parse_term,1,[{file,"src/couch_util.erl"},{line,164}]},{couch_httpd,start_link,1,[{file,"src/couch_httpd.erl"},{line,46}]},{supervisor,do_start_child,2,[{file,"supervisor.erl"},{line,314}]},{supervisor,start_children,3,[{file,"supervisor.erl"},{line,297}]},{supervisor,init_children,2,[{file,"supervisor.erl"},{line,263}]},{gen_server,init_it,6,[{file,"gen_server.erl"},{line,306}]},{proc_lib,init_p_do_apply,3,[{file,"proc_lib.erl"},...]}]}} in context start_error
>>> 
>>> I have triple-checked all file permissions of cert files and path to be sure the issue is not on this side.
>>> 
>>> 
>>> Could somebody point me in a direction to understand what is happening? Bad arg undefined '.' is not really understandable.
>>> 
>>> Thank you in advance if somebody can help.
>>> 
>>> Regards,
>>> 
>>> Thierry.
> 


Re: CouchDB 2.0 HTTPS won't start & crash

Posted by co...@lechat.org.
Hi Robert,

Thanks a lot for your quick reply, I can confirm that this is now 
starting with these three settings in local.ini

My plan is to put couchdb behind a load balancer, so I'm not worried about
the ssllabs test but thank you for this information.

One more thing, httpds doesn't take into account the bind_adress
directive put in [chttpd]. It stays with localhost.
I tried to add bind_adress  = 0.0.0.0 in [ssl] or in [chttpds] but no
success.

Is there another directive or section to bind ssl port 6984 to the outside
world (-; ?

Thank you again.

Regards,

Thierry


On 07/10/2016 at 20:59, Robert Samuel Newson wrote:
> This is a bug in 2.0 that's been fixed already (COUCHDB-3162), but here's a workaround;
>
> in local.ini add;
>
> [ssl]
> ciphers = undefined
> tls_versions = undefined
> secure_renegotiate = undefined
>
> This will give you the default settings. You can obviously customise these to suit.
>
> NOTE: the default cipher suite that erlang will give will not give you the best rating from ssllabs.com, you'll need to exclude weaker options to get to A- grade.
>
>
>> On 6 Oct 2016, at 10:12, couchdb@lechat.org wrote:
>>
>> Hi,
>>
>> I made a fresh installation of couchdb2.0 on Debian 4.9.2-10
>> Everything works fine with http 5984, great couchdb ! Thank you all for your long and hard work !
>>
>> But when I uncomment local.ini line :
>>
>> httpsd = {couch_httpd, start_link, [https]}
>>
>> and putting ssl cert_file and key_file path in config as described in docs,
>>
>> couchdb won't start anymore and crash immediately with this log :
>>
>> [error] 2016-10-06T08:43:32.412024Z couchdb@localhost <0.213.0> -------- Supervisor couch_secondary_services had child httpsd started with couch_httpd:start_link(https) at undefined exit with reason {'EXIT',{badarg,[{erlang,'++',[undefined,"."],[]},{couch_util,parse_term,1,[{file,"src/couch_util.erl"},{line,164}]},{couch_httpd,start_link,1,[{file,"src/couch_httpd.erl"},{line,46}]},{supervisor,do_start_child,2,[{file,"supervisor.erl"},{line,314}]},{supervisor,start_children,3,[{file,"supervisor.erl"},{line,297}]},{supervisor,init_children,2,[{file,"supervisor.erl"},{line,263}]},{gen_server,init_it,6,[{file,"gen_server.erl"},{line,306}]},{proc_lib,init_p_do_apply,3,[{file,"proc_lib.erl"},...]}]}} in context start_error
>>
>> I have triple-checked all file permissions of cert files and path to be sure the issue is not on this side.
>>
>>
>> Could somebody point me in a direction to understand what is happening? Bad arg undefined '.' is not really understandable.
>>
>> Thank you in advance if somebody can help.
>>
>> Regards,
>>
>> Thierry.


Re: CouchDB 2.0 HTTPS won't start & crash

Posted by Robert Samuel Newson <rn...@apache.org>.
This is a bug in 2.0 that's been fixed already (COUCHDB-3162), but here's a workaround;

in local.ini add;

[ssl]
ciphers = undefined
tls_versions = undefined
secure_renegotiate = undefined

This will give you the default settings. You can obviously customise these to suit.

NOTE: the default cipher suite that erlang will give will not give you the best rating from ssllabs.com, you'll need to exclude weaker options to get to A- grade.


> On 6 Oct 2016, at 10:12, couchdb@lechat.org wrote:
> 
> Hi,
> 
> I made a fresh installation of couchdb2.0 on Debian 4.9.2-10
> Everything works fine with http 5984, great couchdb ! Thank you all for your long and hard work !
> 
> But when I uncomment local.ini line :
> 
> httpsd = {couch_httpd, start_link, [https]}
> 
> and putting ssl cert_file and key_file path in config as described in docs,
> 
> couchdb won't start anymore and crash immediately with this log :
> 
> [error] 2016-10-06T08:43:32.412024Z couchdb@localhost <0.213.0> -------- Supervisor couch_secondary_services had child httpsd started with couch_httpd:start_link(https) at undefined exit with reason {'EXIT',{badarg,[{erlang,'++',[undefined,"."],[]},{couch_util,parse_term,1,[{file,"src/couch_util.erl"},{line,164}]},{couch_httpd,start_link,1,[{file,"src/couch_httpd.erl"},{line,46}]},{supervisor,do_start_child,2,[{file,"supervisor.erl"},{line,314}]},{supervisor,start_children,3,[{file,"supervisor.erl"},{line,297}]},{supervisor,init_children,2,[{file,"supervisor.erl"},{line,263}]},{gen_server,init_it,6,[{file,"gen_server.erl"},{line,306}]},{proc_lib,init_p_do_apply,3,[{file,"proc_lib.erl"},...]}]}} in context start_error
> 
> I have triple-checked all file permissions of cert files and path to be sure the issue is not on this side.
> 
> 
> Could somebody point me in a direction to understand what is happening? Bad arg undefined '.' is not really understandable.
> 
> Thank you in advance if somebody can help.
> 
> Regards,
> 
> Thierry.
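
Added example (not CouchDB's own code and not from the posters): a small Python check of a CouchDB 2.0 local.ini for the two problems identified in this thread, the couch_httpd module on the httpsd line and the three [ssl] keys from the COUCHDB-3162 workaround. The two sample files and the certificate paths in them are constructed, and the httpsd line is assumed to sit under [daemons].

```python
import configparser

# Keys the thread's workaround sets explicitly in [ssl] (COUCHDB-3162).
WORKAROUND_KEYS = ("ciphers", "tls_versions", "secure_renegotiate")

# Constructed sample: the configuration that crashed at startup.
BROKEN = """
[daemons]
httpsd = {couch_httpd, start_link, [https]}

[ssl]
cert_file = /etc/couchdb/cert/couchdb.pem
key_file = /etc/couchdb/cert/privkey.pem
"""

# Constructed sample: both fixes from the thread applied.
FIXED = BROKEN.replace("couch_httpd", "chttpd") + """
ciphers = undefined
tls_versions = undefined
secure_renegotiate = undefined
"""


def lint_https_config(ini_text):
    """Return a list of findings for a CouchDB 2.0 local.ini given as text."""
    # interpolation=None: Erlang terms in values must be read literally.
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    cfg.read_string(ini_text)
    findings = []

    daemon = cfg.get("daemons", "httpsd", fallback=None)
    if daemon is None:
        findings.append("httpsd daemon is not enabled")
    elif "couch_httpd" in daemon:
        findings.append("httpsd uses couch_httpd; the thread's fix is chttpd")

    for key in ("cert_file", "key_file"):
        if not cfg.get("ssl", key, fallback="").strip():
            findings.append("[ssl] %s is not set" % key)

    # An absent key reaches parse_term as the atom undefined (see the trace).
    for key in WORKAROUND_KEYS:
        if not cfg.has_option("ssl", key):
            findings.append("[ssl] %s missing; workaround: %s = undefined" % (key, key))
    return findings


if __name__ == "__main__":
    print("\n".join(lint_https_config(BROKEN)) or "no findings")
```
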


CouchDB 2.0 HTTPS won't start & crash

Posted by co...@lechat.org.
Hi,

I made a fresh installation of couchdb2.0 on Debian 4.9.2-10
Everything works fine with http 5984, great couchdb ! Thank you all for 
your long and hard work !

But when I uncomment local.ini line :

httpsd = {couch_httpd, start_link, [https]}

and putting ssl cert_file and key_file path in config as described in docs,

couchdb won't start anymore and crash immediately with this log :

[error] 2016-10-06T08:43:32.412024Z couchdb@localhost <0.213.0> -------- 
Supervisor couch_secondary_services had child httpsd started with 
couch_httpd:start_link(https) at undefined exit with reason 
{'EXIT',{badarg,[{erlang,'++',[undefined,"."],[]},{couch_util,parse_term,1,[{file,"src/couch_util.erl"},{line,164}]},{couch_httpd,start_link,1,[{file,"src/couch_httpd.erl"},{line,46}]},{supervisor,do_start_child,2,[{file,"supervisor.erl"},{line,314}]},{supervisor,start_children,3,[{file,"supervisor.erl"},{line,297}]},{supervisor,init_children,2,[{file,"supervisor.erl"},{line,263}]},{gen_server,init_it,6,[{file,"gen_server.erl"},{line,306}]},{proc_lib,init_p_do_apply,3,[{file,"proc_lib.erl"},...]}]}} 
in context start_error

I have triple-checked all file permissions of cert files and path to be
sure the issue is not on this side.


Could somebody point me in a direction to understand what is
happening? Bad arg undefined '.' is not really understandable.

Thank you in advance if somebody can help.

Regards,

Thierry.

Re: CouchDB crashing with SSL

Posted by Sinan Gabel <si...@gmail.com>.
Sounds good, else place e.g. Nginx with SSL in front of CouchDB.

Best,
Sinan

On 28 April 2016 at 15:05, Raja <ra...@gmail.com> wrote:

> Upgrading to Erlang 18 solved this issue. I can successfully connect from
> my browsers as well as Couchbase Lite.
>
> On Wed, Apr 27, 2016 at 11:28 PM, Raja <ra...@gmail.com> wrote:
>
> > Hi
> >
> > We recently enabled SSL on CouchDB 1.6.1. Suddenly, it seems to be
> > throwing errors in the log when viewing even the main url on Futon. The
> > errors are shown in
> > https://gist.github.com/rajasaur/747ca711810c22e7780b3288c659f216
> >
> > 1. This was working till last week (http also works perfectly now).
> > 2. Doing a curl seems to make it work:
> >
> > curl -XGET  https://user:password@server:6984
> >
> > returns {"couchdb":"Welcome","uuid":"de859c6bd13c708e759abc283f67f3c4","version":"1.6.1","vendor":{"version":"1.6.1","name":"The Apache Software Foundation"}}
> >
> > but hitting https://<server>:6984 on the browser throws the above
> > mentioned stack trace. Why would it fail using a browser but not with curl?
> > Doing a verbose with Curl indicated that it was negotiating using TLS 1.2
> > connection. I tried to force using --tlsv1.0, --tlsv1.1 and --tlsv1.2 to
> > curl to see if I can simulate the browser failure but it worked fine in all
> > cases.
> >
> > 3. Setup local.ini to have tls_version = [ 'tlsv1.2' ], but same result.
> >
> >
> > Browsing some of the older discussions suggests an upgrade of Erl (we use
> > Erlang OTP/R16B03-1). Is there anything else I should be looking before
> > going the upgrade route?
> >
> >
> > Thanks a lot for the help
> >
> > Raja
> >
>
>
>
> --
> Raja
> rajasaur at gmail.com
>

Re: CouchDB crashing with SSL

Posted by Raja <ra...@gmail.com>.
Upgrading to Erlang 18 solved this issue. I can successfully connect from
my browsers as well as Couchbase Lite.

On Wed, Apr 27, 2016 at 11:28 PM, Raja <ra...@gmail.com> wrote:

> Hi
>
> We recently enabled SSL on CouchDB 1.6.1. Suddenly, it seems to be
> throwing errors in the log when viewing even the main url on Futon. The
> errors are shown in
> https://gist.github.com/rajasaur/747ca711810c22e7780b3288c659f216
>
> 1. This was working till last week (http also works perfectly now).
> 2. Doing a curl seems to make it work:
>
> curl -XGET  https://user:password@server:6984
>
> returns {"couchdb":"Welcome","uuid":"de859c6bd13c708e759abc283f67f3c4","version":"1.6.1","vendor":{"version":"1.6.1","name":"The Apache Software Foundation"}}
>
> but hitting https://<server>:6984 on the browser throws the above
> mentioned stack trace. Why would it fail using a browser but not with curl?
> Doing a verbose with Curl indicated that it was negotiating using TLS 1.2
> connection. I tried to force using --tlsv1.0, --tlsv1.1 and --tlsv1.2 to
> curl to see if I can simulate the browser failure but it worked fine in all
> cases.
>
> 3. Setup local.ini to have tls_version = [ 'tlsv1.2' ], but same result.
>
>
> Browsing some of the older discussions suggests an upgrade of Erl (we use
> Erlang OTP/R16B03-1). Is there anything else I should be looking before
> going the upgrade route?
>
>
> Thanks a lot for the help
>
> Raja
>



-- 
Raja
rajasaur at gmail.com