SSL problems


Bill

Sep 25, 2012, 11:20:39 PM
to us...@couchdb.apache.org
I'm using CouchDB 1.1 and running into an issue configuring it for SSL. I have
a certificate from GoDaddy that I'm trying to use. I put the cert, two
intermediate GoDaddy certs, and the GoDaddy root cert in a pem file. I
specified the path to that file in the "cert_file" entry in the couchdb config. I
also set up the "key_file" entry to point to my key file. However, after
restarting couchdb, ssl is unable to connect. When I try

curl -v https://myserver:6984/

I get the following message

* About to connect() to myserver port 6984 (#0)
* Trying myserer... connected
* Connected to myserver (myserver) port 6984 (#0)
* Initializing NSS with certpath: /etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CAPath: none
* NSS error -5938
Closing connection #0
* SSL connect error

It's able to connect without SSL just fine. Does anyone have any idea what I'm
doing wrong or tips to get this working?

Thanks,
Bill

Keith Gable

Sep 25, 2012, 11:46:55 PM
to us...@couchdb.apache.org
NSS error -5938 is "End of file error", as in the server killed the stream
abruptly.

(see: http://lxr.mozilla.org/nspr/source/nsprpub/pr/include/prerr.h for a
list of NSS errors)

Check the couch logs, because your client connecting doesn't have any
additional details. You might use OpenSSL's s_client to debug the SSL
connection (see:
http://rackerhacker.com/2012/02/07/using-openssls-s_client-command-with-web-servers-using-server-name-indication-sni/)
on your client.

---
Keith Gable
A+ Certified Professional
Network+ Certified Professional
Storage+ Certified Professional
Mobile Application Developer / Web Developer

Dave Cottlehuber

Sep 26, 2012, 3:07:53 AM
to us...@couchdb.apache.org
Hi Bill,

I would suggest 2 things to check[1]:

- use the mochiweb test certs to confirm that you've got couchdb set
up correctly
- confirm your certs work using openssl, both with & without the -k
option (validity chain)

It's possible that you are running into one of the limitations of
various erlang versions, I am not up to speed but I'd suggest
re-testing with R15B02 once the first checks are working. Do keep us
posted so we can keep the wiki up to date.

A+
Dave

[1]: http://wiki.apache.org/couchdb/How_to_enable_SSL

Benoit Chesneau

Sep 26, 2012, 3:25:35 AM
to us...@couchdb.apache.org
How did you configure it? Also, did you concat the bundle with the cert?

- benoît
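The two suggestions above (Dave's "confirm the certs with openssl" and Benoît's "did you concatenate the bundle with the cert?") come down to building one PEM file in the right order and checking it outside CouchDB first. The script below is an added example for this thread, not code from the list, from CouchDB or from GoDaddy: it assembles the bundle leaf-first, refuses a bundle that is missing intermediates or that accidentally contains the private key, and wraps the two OpenSSL checks. File names (server.crt, gd_intermediate1.crt, gd_intermediate2.crt, gd_root.crt, server.key, bundle.pem) are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from CouchDB. Builds the PEM
# bundle that CouchDB's cert_file points at (leaf certificate first, then the
# intermediates, then the root) and sanity-checks it before involving OpenSSL
# or CouchDB. All file names used here are assumptions.

# build_bundle OUT LEAF [INTERMEDIATE...] [ROOT]
# Concatenates the certificates in the order given and makes sure every file
# ends with a newline, so "-----BEGIN" never lands on the tail of the previous
# "-----END" line (a bundle built with a bare `cat` can do exactly that).
build_bundle() {
  out=$1
  shift
  : > "$out"
  for f in "$@"; do
    cat "$f" >> "$out"
    if [ -n "$(tail -c 1 "$f")" ]; then
      printf '\n' >> "$out"
    fi
  done
}

# Number of certificate blocks in a PEM file (prints 0 when there are none).
cert_count() {
  grep -c -e '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null || true
}

# True when the file carries private-key material.
bundle_has_private_key() {
  grep -q -e 'PRIVATE KEY-----' "$1"
}

# check_bundle FILE: returns 0 only when the bundle holds the leaf plus at
# least one CA certificate and no private key (the key belongs in key_file).
check_bundle() {
  n=$(cert_count "$1")
  if [ "${n:-0}" -lt 2 ]; then
    echo "check_bundle: only ${n:-0} certificate(s) in $1; intermediates missing?" >&2
    return 1
  fi
  if bundle_has_private_key "$1"; then
    echo "check_bundle: $1 contains a private key; keep it out of cert_file" >&2
    return 1
  fi
  return 0
}

# verify_chain LEAF CA_CHAIN: let OpenSSL validate the leaf against a file
# holding the intermediates and root, independent of CouchDB (needs openssl).
verify_chain() {
  openssl verify -CAfile "$2" "$1"
}

# probe_server HOST [PORT]: show what the server really sends in the
# handshake, including the whole certificate chain (needs openssl).
probe_server() {
  openssl s_client -connect "$1:${2:-6984}" -showcerts </dev/null
}

# Usage, only when invoked with arguments:
#   sh bundle.sh server.crt gd_intermediate1.crt gd_intermediate2.crt gd_root.crt
# Afterwards point the [ssl] section of local.ini at the result:
#   cert_file = /path/to/bundle.pem
#   key_file  = /path/to/server.key
if [ "$#" -ge 2 ]; then
  build_bundle bundle.pem "$@"
  check_bundle bundle.pem && echo "bundle.pem: $(cert_count bundle.pem) certificates"
fi
```

Run `check_bundle` on the file before restarting CouchDB; the NSS "end of file" that curl reports is consistent with the server dropping the handshake because it could not load the bundle, and the bundle checks are much cheaper than digging through the couch logs. `probe_server` then shows whether the intermediates are actually being sent, which is the usual difference between a GoDaddy cert that works in one client and fails in another.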

Robert Newson

Sep 26, 2012, 6:07:32 AM
to us...@couchdb.apache.org
To be honest, I would recommend using stunnel in front of CouchDB
instead of the built-in erlang SSL module.

B.
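As an added illustration of the stunnel approach (this is not configuration from the thread, from CouchDB or from the stunnel project), a minimal stunnel service that terminates TLS on 6984 and forwards plaintext to CouchDB on its default HTTP port 5984 on the loopback interface. The section name and the file paths are assumptions; the certificate file is the same leaf-then-intermediates bundle that cert_file would take.

```ini
; Added example: TLS terminated by stunnel, CouchDB stays plain HTTP on loopback.
; Section name and paths are assumptions.
[couchdb-https]
accept  = 6984
connect = 127.0.0.1:5984
; leaf certificate followed by the intermediates, in that order; stunnel
; sends the whole file as the chain during the handshake
cert = /etc/stunnel/couchdb-bundle.pem
key  = /etc/stunnel/couchdb.key
```

With this in place CouchDB's own [ssl] settings are not used at all, so the Erlang SSL version in an old bundled release stops mattering; keep 5984 bound to loopback (or firewalled) so the plaintext side is not reachable from outside the host.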

Bill

Sep 26, 2012, 1:36:50 PM
to us...@couchdb.apache.org
Dave Cottlehuber <dch@...> writes:
Hi Dave,

Thanks for the suggestions. I was able to verify both the checks you suggested.
I'm able to successfully run couchdb with a self-signed cert. And I used openssl
to confirm that the certs work, both with and without the -k option. Are there
any other checks you can recommend? I can post my log file errors in a few hours
when I get back home if people think that would be helpful.

The version of CouchDB I'm using was bundled with Couchbase Single Server v1.2
so maybe there's an erlang problem associated with that version? Is there an
alternative to Single Server since it's discontinued? I would love to upgrade to
CouchDB 1.2 if I can do it without too much trouble. I've always just run
CouchDB with Single Server and hadn't had any issue until trying to get SSL
working with this GoDaddy cert. I'm pretty much a newbie to CouchDB so I'm
hesitant to build it myself. Is there a simple way to get a CouchDB server
running with v1.2 without building it myself?

Thanks,
Bill

Dave Cottlehuber

Sep 26, 2012, 3:55:48 PM
to us...@couchdb.apache.org
It's likely quite an old release, so maybe - hard to say. OTP has
moved quite a bit in recent releases. Anyway I'd go with Bob's
recommendation on stunnel for production.

> alternative to Single Server since it's discontinued? I would love to upgrade to
> CouchDB 1.2 if I can do it without too much trouble. I've always just run
> CouchDB with Single Server and hadn't had any issue until trying to get SSL
> working with this GoDaddy cert. I'm pretty much a newbie to CouchDB so I'm
> hesitant to build it myself. Is there a simple way to get a CouchDB server
> running with v1.2 without building it myself.

What's your platform?

There are Mac & Windows binaries on http://couchdb.apache.org/#download
and https://github.com/iriscouch/build-couchdb for the rest. We'll be
happy to help you through this -- once your toolchain is set up source
is not a big hassle. IRC is a good place for questions while you're
hacking away.

A+
Dave