[GitHub] [couchdb] raulmartinezr opened a new issue #2966: TLS client: In state cipher received SERVER ALERT: Fatal - Unknown CA error enabling x509 cert auth for replcation

Thu, 25 Jun 2020 01:30:24 -0700 


raulmartinezr opened a new issue #2966:
URL: https://github.com/apache/couchdb/issues/2966


   [NOTE]: # ( ^^ Provide a general summary of the issue in the title above. ^^ 
)
   
   ## Description
   I try to configure client certificate authentication in the following 
scenario with couchDB 3.1.0
   
   "Server" -> CouchDB (single-node)
   "Client" ->  CouchDB  (single-node) where I configure bidirecctional 
replication, to and from server Couch DB (push+pull)
   
   But it's failing. Messages found in logs....
   
   Client couchdb instance (the side which manages replication)
   
        TLS client: In state cipher received SERVER ALERT: Fatal - Unknown CA
   
   Server couchdb instance
   
        TLS server: In state certify received CLIENT ALERT: Fatal - Handshake 
Failure
   
   
   ## Steps to Reproduce
   
   - Configure client and server couchDB instances as described in environment
   - Configure replication in client instance (bidirecctional, push and pull)
   - Replication fails
   
   
   ## Expected Behaviour
   
   Replication should work. I tested connectivity with curl and openssl with 
the same setup, and both are working
   
   ```bash
    sudo curl --url https://192.168.1.66:6984/database/  \
   --key /opt/couchdb/etc/ssl/node-71.client.key.pem \
   --cert /opt/couchdb/etc/ssl/node-71.client.cert.pem \
    --cacert /opt/couchdb/etc/ssl/ca-chain.cert.pem --insecure
   {"error":"unauthorized","reason":"You are not authorized to access this db."}
   ```
   
   ```bash
   sudo openssl s_client  -connect 192.168.1.66:6984 \
   -key /opt/couchdb/etc/ssl/node-71.client.key.pem \
   -cert /opt/couchdb/etc/ssl/node-71.client.cert.pem \
   -CAfile /opt/couchdb/etc/ssl/ca-chain.cert.pem
   CONNECTED(00000005)
   ```
   
   
   ## Your Environment
   
   
   Client
   
         [ssl]
         enable = true
         cert_file = /opt/couchdb/etc/ssl/node-71.server.cert.pem
         key_file = /opt/couchdb/etc/ssl/node-71.server.key.pem
         verify_ssl_certificates = true
         fail_if_no_peer_cert = false
         cacert_file = /opt/couchdb/etc/ssl/ca-chain.cert.pem
         [replicator]
         cert_file = /opt/couchdb/etc/ssl/node-71.client.cert.pem
         key_file = /opt/couchdb/etc/ssl/node-71.client.key.pem
         ;# Avoid hostanme check failed
         verify_ssl_certificates = false
         ssl_trusted_certificates_file = /opt/couchdb/etc/ssl/ca-chain.cert.pem
         ssl_certificate_max_depth = 5
   
   Server
   
        [ssl]
        enable = true
        cert_file = /opt/couchdb/etc/ssl/node-66.server.cert.pem
        key_file = /opt/couchdb/etc/ssl/node-66.server.key.pem
        verify_ssl_certificates = true
        fail_if_no_peer_cert = true
        cacert_file = /opt/couchdb/etc/ssl/ca-chain.cert.pem
        [replicator]
         cert_file = /opt/couchdb/etc/ssl/node-66.client.cert.pem
         key_file = /opt/couchdb/etc/ssl/node-66.client.key.pem
         verify_ssl_certificates = false
         ssl_trusted_certificates_file = /opt/couchdb/etc/ssl/ca-chain.cert.pem
   
   
   * CouchDB version used: 3.1.0
   * Browser name and version:
   * Operating system and version: Ubuntu 18.04
   
   ## Additional Context
   
   [TIP]:  # ( Add any other context about the problem here. )
   


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org

Reply via email to