CBL SSL Certificates handling

Alan McKean

Feb 28, 2014, 3:19:09 PM
to mobile-c...@googlegroups.com
I am replicating over https and I get an error that my remote server is not trusted. It spits out a description of the certificate that the server is serving up. I have implemented handling the authentication challenges before, but I don't know how Couchbase Lite is using the certificate. Do I simply put my cert in credentials in the keychain for CBL to access it?

Jens Alfke

Feb 28, 2014, 3:56:35 PM
to mobile-c...@googlegroups.com

On Feb 28, 2014, at 12:19 PM, Alan McKean <alanm...@me.com> wrote:

I am replicating over https and I get an error that my remote server is not trusted.

If it’s using a certificate generated by a reputable CA, this shouldn’t happen. But it would occur if the server has a self-signed cert. In that case you’ll need to embed a copy of the server’s cert in your app, and at runtime register it as a trusted root cert. The easiest way to do that is by using +[CBLReplication setAnchorCerts:].

—Jens

Alan McKean

Feb 28, 2014, 5:07:19 PM
to mobile-c...@googlegroups.com
It’s a GeoTrust certificate:

<my.io.addr.ess> not trusted; cert chain follows:
12:17:47.251 WARNING*** :     www.mywebsite.net
12:17:47.251 WARNING*** :     GeoTrust DV SSL CA
12:17:47.251 WARNING*** :     GeoTrust Global CA

I’ll try setAnchorCerts:.

Jens Alfke

Feb 28, 2014, 6:44:00 PM
to mobile-c...@googlegroups.com

On Feb 28, 2014, at 2:07 PM, Alan McKean <alanm...@me.com> wrote:

<my.io.addr.ess> not trusted; cert chain follows:
12:17:47.251 WARNING*** :     www.mywebsite.net
12:17:47.251 WARNING*** :     GeoTrust DV SSL CA
12:17:47.251 WARNING*** :     GeoTrust Global CA

I’m pretty sure GeoTrust is in the iOS root certs — I just looked in Keychain Access on my Mac (10.9.2) and there’s a “GeoTrust Global CA” root cert.

In that case there may be a hostname mismatch. If the hostname in the replication URL is different than the hostname in the server cert (“www.mywebsite.net” in your redacted log above) you’ll get this error.

Have you tried using ‘curl’ or a web browser to access the replication URL? They may give more detailed descriptions of what’s wrong.

—Jens
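
The hostname check described in the reply above, as an added example that is not part of the thread or of Couchbase Lite's code: it compares the host in a replication URL against the names in a server certificate, including the case where the URL uses an IP address. The function names, the `db.mywebsite.net` host, the port and the `203.0.113.10` address are constructed placeholders, and the matcher is a simplified RFC 6125-style check (no IDN handling, no Common Name fallback).

```python
import ipaddress
from urllib.parse import urlsplit

def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def _dns_match(pattern, host):
    """Case-insensitive match; '*' is honoured only as the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Conservative choice in this example: the wildcard covers exactly one
        # label and must be followed by at least two fixed labels.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h

def check_replication_host(url, dns_names, ip_names=()):
    """Return (ok, reason) for the host in `url` against the certificate's names."""
    host = urlsplit(url).hostname
    if host is None:
        return False, "no host in URL"
    if _is_ip(host):
        # An IP literal can only match an iPAddress SAN, never a DNS name.
        addr = ipaddress.ip_address(host)
        if any(addr == ipaddress.ip_address(n) for n in ip_names):
            return True, "matched iPAddress SAN"
        return False, f"URL uses IP {host}; cert has no matching iPAddress SAN"
    for name in dns_names:
        if _dns_match(name, host):
            return True, f"matched {name}"
    return False, f"{host} not among cert names {list(dns_names)}"

# Constructed inputs: the cert name is the redacted one from the log above;
# the db hostname, port and IP (TEST-NET-3 range) are placeholders.
CERT_DNS_NAMES = ["www.mywebsite.net"]
if __name__ == "__main__":
    for url in ("https://www.mywebsite.net:6984/db",
                "https://db.mywebsite.net:6984/db",
                "https://203.0.113.10:6984/db"):
        print(url, "->", check_replication_host(url, CERT_DNS_NAMES))
```
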

Alan McKean

Feb 28, 2014, 9:33:45 PM
to mobile-c...@googlegroups.com
I agree. I think it’s the host name in the certificate. The hostname in the certificate is the hostname of my web server, not the db server (that’s what I’m hitting now). I may need to get another certificate for the db server. It’s confusing though because it’s the same certificate that my web server gets from CouchDB when it hits CouchDB over SSL and it doesn’t complain.
