Posted to notifications@couchdb.apache.org by GitBox <gi...@apache.org> on 2018/02/23 16:44:35 UTC

[GitHub] artin-phares opened a new issue #1179: intermediate certs cut out of cert_file

artin-phares opened a new issue #1179: intermediate certs cut out of cert_file
URL: https://github.com/apache/couchdb/issues/1179
 
 
   I'm configuring https access to couchdb using letsencrypt certificates.  
   
   ```
   [ssl]
   port = 6984
   cert_file = /etc/letsencrypt/live/mydomain/fullchain.pem
   key_file = /etc/letsencrypt/live/mydomain/privkey.pem
   ```
   
   It works when I'm requesting couchdb from a browser, but does not work when requesting from nodejs.  
   ```
   RequestError: Error: unable to verify the first certificate
   ```
   
   Which means couchdb strips intermediate certificates from the full chain.  
   I've ensured that with `openssl s_client -connect mydomain:6984 -showcerts`  
   
   So the browser has all intermediate certificates in its trusted certs store, while nodejs lacks some and therefore it fails to verify the chain.  
   
   I've managed to get it working with the `cacert_file` option, passing the chain explicitly.  
   
   ```
   [ssl]
   port = 6984
   cert_file = /etc/letsencrypt/live/mydomain/cert.pem
   cacert_file = /etc/letsencrypt/live/mydomain/chain.pem
   key_file = /etc/letsencrypt/live/mydomain/privkey.pem
   ```
   
   Is there any way couchdb can accept fullchain.pem's right in `cert_file`, without the need to specify `cacert_file`?
   
   It would be a bit easier and closer to nodejs, where we can pass the full chain to cert:
   ```
   https.createServer({key: ...'privkey.pem', cert: ...'fullchain.pem'})
   ```
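
The `openssl s_client ... -showcerts` check mentioned in the issue can be turned into a repeatable test. The following is an added example, not part of the original issue or of CouchDB: the function names `parseChain` and `assessChain` are hypothetical, and the sample outputs are constructed with placeholder names in the layout `s_client` prints (numbered `s:` subject and `i:` issuer lines).

```javascript
// Added example: read the "Certificate chain" section printed by
// `openssl s_client -connect host:port -showcerts` and report whether the
// server sent intermediates along with its leaf certificate.

// Constructed sample output (placeholder names, PEM body replaced).
const LEAF_ONLY = [
  'Certificate chain',
  ' 0 s:CN = mydomain',
  '   i:C = US, O = Example CA, CN = Example Intermediate',
  '-----BEGIN CERTIFICATE-----',
  '(constructed placeholder)',
  '-----END CERTIFICATE-----',
  '---',
].join('\n');

// Constructed sample output with an intermediate (PEM bodies omitted).
const WITH_INTERMEDIATE = [
  'Certificate chain',
  ' 0 s:CN = mydomain',
  '   i:C = US, O = Example CA, CN = Example Intermediate',
  ' 1 s:C = US, O = Example CA, CN = Example Intermediate',
  '   i:O = Example CA, CN = Example Root',
  '---',
].join('\n');

// Returns [{ depth, subject, issuer }] in the order the server sent them.
function parseChain(sClientOutput) {
  const certs = [];
  for (const line of sClientOutput.split(/\r?\n/)) {
    const s = line.match(/^\s*(\d+)\s+s:(.*)$/);
    const i = line.match(/^\s+i:(.*)$/);
    if (s) certs.push({ depth: Number(s[1]), subject: s[2].trim(), issuer: null });
    else if (i && certs.length && certs[certs.length - 1].issuer === null) {
      certs[certs.length - 1].issuer = i[1].trim();
    }
  }
  return certs;
}

function assessChain(sClientOutput) {
  const certs = parseChain(sClientOutput);
  if (certs.length === 0) return { sent: 0, status: 'no-certificates' };
  // Each certificate should be issued by the next one the server sent.
  for (let n = 0; n + 1 < certs.length; n++) {
    if (certs[n].issuer !== certs[n + 1].subject) {
      return { sent: certs.length, status: 'broken-order' };
    }
  }
  const leaf = certs[0];
  // A lone CA-issued leaf forces clients to already hold the intermediate.
  if (certs.length === 1 && leaf.subject !== leaf.issuer) return { sent: 1, status: 'leaf-only' };
  return { sent: certs.length, status: 'chain-sent' };
}
```

A `leaf-only` result corresponds to the situation described in the issue, where clients without the intermediate in their own store cannot build a path to a trusted root.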
