Hello, I am trying to get CouchDB to work with client certificates. I can't seem to get it to work. I am getting an internal error from CouchDB.

Here is how I am currently trying to connect:

    openssl s_client -connect localhost:6984 -cert ~mpower/couchdb.cert.pem -key ~mpower/private/couchdb.key.pem -CAfile /etc/my-ca/couchdb/certs/ca-chain.cert.pem

This is what I get in response:

    CONNECTED(00000003)
    139699789244064:error:14094438:SSL routines:SSL3_READ_BYTES:tlsv1 alert internal error:s3_pkt.c:1262:SSL alert number 80
    139699789244064:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:
    …

I can see this in the CouchDB log:

    [Tue, 08 Dec 2015 01:37:51 GMT] [error] [<0.834.0>] SSL: hello: ssl_handshake.erl:154:Fatal error: internal error

I know my files work because I can run my own SSL server on the same port:

    openssl s_server -accept 6984 -key /etc/couchdb/private/couchdb.key.pem -cert /etc/couchdb/couchdb.cert.pem -CAfile /etc/my-ca/couchdb/certs/ca-chain.cert.pem -verify 2

For CouchDB, if I disable client certificates in the configuration, everything works:

    verify_ssl_certificates = false

    openssl s_client -connect localhost:6984 -cert ~mpower/couchdb.cert.pem -key ~mpower/private/couchdb.key.pem -CAfile /etc/my-ca/couchdb/certs/ca-chain.cert.pem
    …
    hello
    HTTP/1.1 400 Bad Request
    Server: MochiWeb/1.0 (Any of you quaids got a smint?)
    Date: Tue, 08 Dec 2015 01:50:33 GMT
    Content-Length: 0

    closed

Here is what my SSL configuration looks like:

    [daemons]
    httpsd = {couch_httpd, start_link, [https]}

    [ssl]
    verify_ssl_certificates = true
    ssl_certificate_max_depth = 2
    cert_file = /etc/couchdb/couchdb.cert.pem
    key_file = /etc/couchdb/private/couchdb.key.pem
    cacert_file = /etc/my-ca/couchdb/certs/ca-chain.cert.pem

Some other information:

    /etc/couchdb/local.d$ couchdb -V
    couchdb - Apache CouchDB 1.5.0

    /etc/couchdb/local.d$ lsb_release -a
    No LSB modules are available.
    Distributor ID: Ubuntu
    Description:    Ubuntu 14.04.1 LTS
    Release:        14.04
    Codename:       trusty

    /etc/couchdb/local.d$ dpkg -s couchdb
    Package: couchdb
    Status: install ok installed
    Priority: optional
    Section: misc
    Installed-Size: 95
    Maintainer: Ubuntu Developers <ubuntu-devel-disc...@lists.ubuntu.com>
    Architecture: all
    Version: 1.5.0-0ubuntu1
    Replaces: couchdb-bin (<= 1.0.1-0ubuntu18)
    Depends: couchdb-bin (>= 1.5.0-0ubuntu1), adduser, upstart
    Conffiles:
     /etc/init/couchdb.conf 54253885fde3bea9c06459cb2895a458
     /etc/couchdb/local.ini bffa95158f7a754b3af2885b7af50d1d
     /etc/logrotate.d/couchdb 5502805e702b3b3db79c47adbd9ea511
    Description: RESTful document oriented database - system-wide instance
     Apache CouchDB is a distributed, fault-tolerant and schema-free
     document-oriented database accessible via a RESTful HTTP/JSON API. Among
     other features, it provides robust, incremental replication with
     bi-directional conflict detection and resolution, and is queryable and
     indexable using a table-oriented view engine with JavaScript acting as
     the default view definition language.
     .
     CouchDB is written in Erlang, but can be easily accessed from any
     environment that provides means to make HTTP requests. There are a
     multitude of third-party client libraries that make this even easier for
     a variety of programming languages and environments.
     .
     This package adds the Upstart job and other items needed for a
     system-wide CouchDB instance that is started at boot.
    Homepage: http://couchdb.apache.org/
    Original-Maintainer: Laszlo Boszormenyi (GCS) <g...@debian.hu>

What do I need to do to enable client certificates?

Michael Power
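Before digging into the Erlang ssl "internal error" itself, a practitioner would first rule out the file-level mistakes that a client-certificate setup can hide: a key_file that does not belong to cert_file, and a server or client certificate that does not reach the root in cacert_file within ssl_certificate_max_depth. The script below is an added example, not part of the original post and not CouchDB's code; it only needs the openssl CLI and never talks to CouchDB. The script name and the check_couchdb_ssl/selftest function names are my own, and the self-test's root, intermediate and leaf certificates (Test-Root, Test-Int, Test-server, Test-client) are constructed throwaway data.

```shell
#!/bin/sh
# Pre-flight check for the PEM files named in a CouchDB 1.x [ssl] section.
# Added example (not CouchDB code, not from the original post): openssl CLI only.
# It answers three questions that must hold before the TLS layer matters:
#   1. does key_file really belong to cert_file?
#   2. does cert_file chain to cacert_file within ssl_certificate_max_depth?
#   3. does the client certificate you present chain to cacert_file within
#      that depth, i.e. pass what verify_ssl_certificates = true enforces?

# key_matches_cert KEY CERT -> 0 when the private key belongs to the certificate.
# Compares the SubjectPublicKeyInfo blocks, so it works for RSA and EC keys alike.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ "$key_pub" = "$cert_pub" ]
}

# chains_to_ca CERT CAFILE DEPTH -> 0 when CERT verifies against CAFILE using
# at most DEPTH intermediate certificates.
chains_to_ca() {
    openssl verify -CAfile "$2" -verify_depth "$3" "$1" >/dev/null 2>&1
}

# check_couchdb_ssl CERT_FILE KEY_FILE CACERT_FILE MAX_DEPTH CLIENT_CERT
# Prints one line per check; returns 0 only when every check passes.
check_couchdb_ssl() {
    cert=$1 key=$2 ca=$3 depth=$4 client=$5 rc=0
    if key_matches_cert "$key" "$cert"; then echo "ok   key_file matches cert_file"
    else echo "FAIL key_file does not match cert_file"; rc=1; fi
    if chains_to_ca "$cert" "$ca" "$depth"; then echo "ok   cert_file chains to cacert_file within depth $depth"
    else echo "FAIL cert_file does not chain to cacert_file within depth $depth"; rc=1; fi
    if chains_to_ca "$client" "$ca" "$depth"; then echo "ok   client cert chains to cacert_file within depth $depth"
    else echo "FAIL client cert would be rejected with verify_ssl_certificates = true"; rc=1; fi
    return $rc
}

# selftest: build a throwaway root -> intermediate -> {server, client} PKI
# (constructed test data, hypothetical names) in a temp dir and exercise the
# checks against it. Returns 0 when they behave as expected.
selftest() {
    d=$(mktemp -d) || return 1
    (
        set -e
        cd "$d"
        printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign\n' > ca.ext
        printf 'basicConstraints=CA:FALSE\n' > leaf.ext
        openssl req -x509 -newkey rsa:2048 -nodes -subj /CN=Test-Root -days 1 \
            -keyout root.key -out root.pem >/dev/null 2>&1
        openssl req -new -newkey rsa:2048 -nodes -subj /CN=Test-Int \
            -keyout int.key -out int.csr >/dev/null 2>&1
        openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -set_serial 1 \
            -days 1 -extfile ca.ext -out int.pem >/dev/null 2>&1
        serial=2
        for n in server client; do
            openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Test-$n" \
                -keyout "$n.key" -out "$n.csr" >/dev/null 2>&1
            openssl x509 -req -in "$n.csr" -CA int.pem -CAkey int.key -set_serial $serial \
                -days 1 -extfile leaf.ext -out "$n.pem" >/dev/null 2>&1
            serial=$((serial + 1))
        done
        # same shape as the ca-chain.cert.pem in the question: intermediate + root
        cat int.pem root.pem > ca-chain.pem
    ) || { rm -rf "$d"; return 1; }

    ok=0
    # consistent files at max depth 2 (the question's setting) must pass
    check_couchdb_ssl "$d/server.pem" "$d/server.key" "$d/ca-chain.pem" 2 "$d/client.pem" >/dev/null || ok=1
    # the wrong private key for cert_file must be caught
    if check_couchdb_ssl "$d/server.pem" "$d/client.key" "$d/ca-chain.pem" 2 "$d/client.pem" >/dev/null; then ok=1; fi
    # depth 0 allows no intermediate, so a certificate issued via Test-Int must fail
    if chains_to_ca "$d/client.pem" "$d/ca-chain.pem" 0; then ok=1; fi
    rm -rf "$d"
    return $ok
}

# usage: sh check-couchdb-ssl.sh CERT_FILE KEY_FILE CACERT_FILE MAX_DEPTH CLIENT_CERT
if [ $# -eq 5 ]; then
    check_couchdb_ssl "$@"
elif selftest; then
    echo "selftest passed"
else
    echo "selftest FAILED" >&2
    exit 1
fi
```

With the paths from the [ssl] section and the client certificate from the s_client command, the call would be `sh check-couchdb-ssl.sh /etc/couchdb/couchdb.cert.pem /etc/couchdb/private/couchdb.key.pem /etc/my-ca/couchdb/certs/ca-chain.cert.pem 2 ~mpower/couchdb.cert.pem` (the script name is hypothetical). All three lines reporting "ok" means the files are self-consistent and the chain fits the configured depth; it does not test how the Erlang ssl application loads those files, which is where the log line above shows the handshake failing, so it narrows the search rather than finishing it.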