CouchDB crashing with SSL


Raja

Apr 27, 2016, 1:58:51 PM
to us...@couchdb.apache.org
Hi

We recently enabled SSL on CouchDB 1.6.1. Suddenly, it seems to be throwing
errors in the log when viewing even the main URL on Futon. The errors are
shown in
https://gist.github.com/rajasaur/747ca711810c22e7780b3288c659f216

1. This was working till last week (http also works perfectly now).
2. Doing a curl seems to make it work:

curl -XGET https://user:password@server:6984

returns {"couchdb":"Welcome","uuid":"de859c6bd13c708e759abc283f67f3c4","version":"1.6.1","vendor":{"version":"1.6.1","name":"The Apache Software Foundation"}}

but hitting https://<server>:6984 in the browser throws the above-mentioned
stack trace. Why would it fail using a browser but not with curl? Doing a
verbose run with curl indicated that it was negotiating a TLS 1.2
connection. I tried to force --tlsv1.0, --tlsv1.1 and --tlsv1.2 in
curl to see if I could simulate the browser failure, but it worked fine in all
cases.

3. Set up local.ini to have tls_version = [ 'tlsv1.2' ], but same result.


Browsing some of the older discussions suggests an upgrade of Erlang (we use
Erlang OTP/R16B03-1). Is there anything else I should be looking at before
going the upgrade route?


Thanks a lot for the help

Raja

Raja

Apr 28, 2016, 8:05:40 AM
to us...@couchdb.apache.org
Upgrading to Erlang 18 solved this issue. I can successfully connect from
my browsers as well as Couchbase Lite.
--
Raja
rajasaur at gmail.com

Sinan Gabel

Apr 28, 2016, 8:51:14 AM
to us...@couchdb.apache.org
Sounds good, else place e.g. Nginx with SSL in front of CouchDB.

Best,
Sinan

cou...@lechat.org

Oct 6, 2016, 5:12:57 AM
to us...@couchdb.apache.org
Hi,

I made a fresh installation of couchdb2.0 on Debian 4.9.2-10.
Everything works fine with http 5984, great CouchDB! Thank you all for
your long and hard work!

But when I uncomment the local.ini line:

httpsd = {couch_httpd, start_link, [https]}

and put the ssl cert_file and key_file paths in the config as described in the docs,

couchdb won't start anymore and crashes immediately with this log:

[error] 2016-10-06T08:43:32.412024Z couchdb@localhost <0.213.0> --------
Supervisor couch_secondary_services had child httpsd started with
couch_httpd:start_link(https) at undefined exit with reason
{'EXIT',{badarg,[{erlang,'++',[undefined,"."],[]},{couch_util,parse_term,1,[{file,"src/couch_util.erl"},{line,164}]},{couch_httpd,start_link,1,[{file,"src/couch_httpd.erl"},{line,46}]},{supervisor,do_start_child,2,[{file,"supervisor.erl"},{line,314}]},{supervisor,start_children,3,[{file,"supervisor.erl"},{line,297}]},{supervisor,init_children,2,[{file,"supervisor.erl"},{line,263}]},{gen_server,init_it,6,[{file,"gen_server.erl"},{line,306}]},{proc_lib,init_p_do_apply,3,[{file,"proc_lib.erl"},...]}]}}
in context start_error

I have triple-checked all file permissions of the cert files and paths to be
sure the issue is not on this side.


Could somebody point me in a direction to understand what is
happening? Bad arg undefined '.' is not really understandable.

Thank you in advance if somebody can help.

Regards,

Thierry.

cou...@lechat.org

Oct 6, 2016, 5:24:34 AM
to us...@couchdb.apache.org
oops, sure, it's Debian 8.4 ... running in an lxc container/pve 4.9.2-10

Regards,

Thierry

Robert Samuel Newson

Oct 7, 2016, 2:59:15 PM
to user
This is a bug in 2.0 that's been fixed already (COUCHDB-3162), but here's a workaround:

in local.ini add:

[ssl]
ciphers = undefined
tls_versions = undefined
secure_renegotiate = undefined

This will give you the default settings. You can obviously customise these to suit.

NOTE: the default cipher suite that Erlang will give you will not give you the best rating from ssllabs.com; you'll need to exclude weaker options to get to an A- grade.

cou...@lechat.org

Oct 7, 2016, 8:05:55 PM
to us...@couchdb.apache.org
Hi Robert,

Thanks a lot for your quick reply, I can confirm that this is now
starting with these three settings in local.ini

My plan is to put couchdb behind a load balancer, so I'm not worried about
the ssllabs test, but thank you for this information.

One more thing: httpsd doesn't take into account the bind_address
directive put in [chttpd]. It stays on localhost.
I tried to add bind_address = 0.0.0.0 in [ssl] or in [chttpds] but no
success.

Is there another directive or section to bind ssl port 6984 to the outside
world? (-;

Thank you again.

Regards,

Thierry

Robert Samuel Newson

Oct 8, 2016, 3:06:21 PM
to user
it does if you declare the right module:

you have:

httpsd = {couch_httpd, start_link, [https]}

but you need

httpsd = {chttpd, start_link, [https]}

B.
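Pulling the two fixes from this thread together, here is an added local.ini fragment for CouchDB 2.0 (example configuration written for this page; it is not from the thread or from the CouchDB project). It uses the chttpd module line from Robert's last reply so that [chttpd] bind_address applies to the TLS listener, keeps all three [ssl] keys present so the COUCHDB-3162 startup crash is avoided, and replaces the `undefined` placeholders with explicit values that drop TLS 1.0 and the weaker suites Robert's ssllabs note refers to. The certificate paths, the bind address and the cipher list are assumptions to adapt to your host.

```ini
; Added example local.ini fragment for CouchDB 2.0 (not from the thread).
; Paths, bind address and the cipher list below are assumptions.

[daemons]
; Wrong for 2.0: the legacy couch_httpd module ignores [chttpd] bind_address,
; so the TLS listener stays on localhost (the symptom reported above).
;httpsd = {couch_httpd, start_link, [https]}
; Right: the clustered API module honours [chttpd] bind_address.
httpsd = {chttpd, start_link, [https]}

[chttpd]
bind_address = 0.0.0.0
port = 5984

[ssl]
port = 6984
cert_file = /etc/couchdb/certs/server.pem
key_file = /etc/couchdb/certs/server.key
; COUCHDB-3162 workaround: all three keys must exist, or parse_term crashes
; on `undefined ++ "."` at startup. `undefined` keeps Erlang's defaults;
; the explicit values below tighten them instead.
;ciphers = undefined
;tls_versions = undefined
;secure_renegotiate = undefined
; Values are Erlang terms (the config parser appends "." and parses them).
tls_versions = ['tlsv1.1', 'tlsv1.2']
; Reject renegotiation from peers that do not support RFC 5746.
secure_renegotiate = true
; OpenSSL-style suite names, forward-secret ECDHE only; the exact set your
; Erlang release supports is whatever ssl:cipher_suites(openssl) returns.
ciphers = ["ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-SHA384", "ECDHE-RSA-AES128-SHA256"]
```

After restarting, `openssl s_client -connect <server>:6984 -tls1` should be refused while `-tls1_2` succeeds, and `curl -v https://<server>:6984/` from another host confirms the listener is no longer bound to localhost only. If CouchDB still fails to start, check the `[error]` line for `parse_term`, which means one of the three [ssl] values is missing or is not a valid Erlang term.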