Hello,
I am trying to get couchdb to work with client certificates. I can’t seem to
get it to work. I am getting an internal error from couchdb.
Here is how I am currently trying to connect:
openssl s_client -connect localhost:6984 -cert ~mpower/couchdb.cert.pem -key
~mpower/private/couchdb.key.pem -CAfile
/etc/my-ca/couchdb/certs/ca-chain.cert.pem
This is what I get in response:
CONNECTED(00000003)
139699789244064:error:14094438:SSL routines:SSL3_READ_BYTES:tlsv1 alert
internal error:s3_pkt.c:1262:SSL alert number 80
139699789244064:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake
failure:s23_lib.c:177:
…
I can see this in the couchdb log:
[Tue, 08 Dec 2015 01:37:51 GMT] [error] [<0.834.0>] SSL: hello:
ssl_handshake.erl:154:Fatal error: internal error
I know my files work because I can run my own ssl server on the same port:
openssl s_server -accept 6984 -key /etc/couchdb/private/couchdb.key.pem -cert
/etc/couchdb/couchdb.cert.pem -CAfile
/etc/my-ca/couchdb/certs/ca-chain.cert.pem -verify 2
For couchdb if I disable client certificates in the configuration everything
works:
verify_ssl_certificates = false
openssl s_client -connect localhost:6984 -cert ~mpower/couchdb.cert.pem -key
~mpower/private/couchdb.key.pem -CAfile
/etc/my-ca/couchdb/certs/ca-chain.cert.pem
…
hello
HTTP/1.1 400 Bad Request
Server: MochiWeb/1.0 (Any of you quaids got a smint?)
Date: Tue, 08 Dec 2015 01:50:33 GMT
Content-Length: 0
closed
Here is what my ssl configuration looks like:
[daemons]
httpsd = {couch_httpd, start_link, [https]}
[ssl]
verify_ssl_certificates = true
ssl_certificate_max_depth = 2
cert_file = /etc/couchdb/couchdb.cert.pem
key_file = /etc/couchdb/private/couchdb.key.pem
cacert_file = /etc/my-ca/couchdb/certs/ca-chain.cert.pem
Some other information:
/etc/couchdb/local.d$ couchdb -V
couchdb - Apache CouchDB 1.5.0
/etc/couchdb/local.d$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 14.04.1 LTS
Release: 14.04
Codename: trusty
/etc/couchdb/local.d$ dpkg -s couchdb
Package: couchdb
Status: install ok installed
Priority: optional
Section: misc
Installed-Size: 95
Maintainer: Ubuntu Developers <ubuntu-devel-disc...@lists.ubuntu.com>
Architecture: all
Version: 1.5.0-0ubuntu1
Replaces: couchdb-bin (<= 1.0.1-0ubuntu18)
Depends: couchdb-bin (>= 1.5.0-0ubuntu1), adduser, upstart
Conffiles:
/etc/init/couchdb.conf 54253885fde3bea9c06459cb2895a458
/etc/couchdb/local.ini bffa95158f7a754b3af2885b7af50d1d
/etc/logrotate.d/couchdb 5502805e702b3b3db79c47adbd9ea511
Description: RESTful document oriented database - system-wide instance
Apache CouchDB is a distributed, fault-tolerant and schema-free
document-oriented database accessible via a RESTful HTTP/JSON API. Among other
features, it provides robust, incremental replication with bi-directional
conflict detection and resolution, and is queryable and indexable using a
table-oriented view engine with JavaScript acting as the default view
definition language.
.
CouchDB is written in Erlang, but can be easily accessed from any environment
that provides means to make HTTP requests. There are a multitude of third-party
client libraries that make this even easier for a variety of programming
languages and environments.
.
This package adds the Upstart job and other items needed for a system-wide
CouchDB instance that is started at boot.
Homepage: http://couchdb.apache.org/
Original-Maintainer: Laszlo Boszormenyi (GCS) <g...@debian.hu>
What do I need to do to enable client certificates?
Michael Power
