Dear Bill Stephenson,

Thank you so much. So it was indeed the user/group permissions set on the 
certificate files, which were not accessible to couch so that it could run securely. 
Then I tried accessing Fauxton over the web using port 6984 over SSL and it did 
not work. 
It turned out that the port needs to be opened on the firewall. I am using CentOS 7.


Best,
Vimal

-----Original Message-----
From: Bill Stephenson <[email protected]> 
Sent: Thursday, December 5, 2019 2:15 AM
To: [email protected]
Subject: Re: CouchDB SSL issue

I have these notes on installing CouchDB with certbot to install an SSL cert on 
a DigitalOcean Ubuntu 16.04 vps.

Maybe they will help...


## Configure SSL - Lets Encrypt

sudo apt-get update
sudo apt-get install software-properties-common
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install python-certbot-apache

sudo mkdir /opt/couchdb/letsencrypt
sudo certbot certonly --webroot -w /var/www/cherrypc --config-dir /opt/couchdb/letsencrypt --logs-dir /var/log/couchdb -d cherrypc.com

sudo chmod 600 /opt/couchdb/letsencrypt/live/cherrypc.com/cert.pem
sudo chmod 600 /opt/couchdb/letsencrypt/live/cherrypc.com/privkey.pem
sudo chmod 600 /opt/couchdb/letsencrypt/live/cherrypc.com/fullchain.pem
sudo chown -R couchdb /opt/couchdb/letsencrypt/

sudo nano /opt/couchdb/etc/local.ini

## You will need to modify the following entries:

[daemons]
; enable SSL support by uncommenting the following line and supply the PEM's below.
; the default ssl port CouchDB listens on is 6984
httpsd = {chttpd, start_link, [https]}

[ssl]
port = 6984
cert_file = /opt/couchdb/letsencrypt/live/azartiz.com/cert.pem
key_file = /opt/couchdb/letsencrypt/live/azartiz.com/privkey.pem
cacert_file = /opt/couchdb/letsencrypt/live/azartiz.com/fullchain.pem

## restart CouchDB

— 

Kindest Regards,

Bill Stephenson
Tech Support
www.cherrypc.com <http://www.ezinvoice.com/>
1-417-546-8390




> On Dec 4, 2019, at 2:15 PM, Narepalepu, Vimal Abhishek 
> <[email protected]> wrote:
> 
> Hi,
> 
> Using CouchDB 2.3.1. Configured the local.ini as below:
> 
> [chttpd]
> port = 5984
> bind_address = 0.0.0.0
> 
> [ssl]
> enable = true
> port = 6984
> cert_file = <path>
> key_file = <path>
> 
> The certificates are trusted signed. And now after restarting the couchdb 
> service and using "curl -v https://domain:6984" gives the below error:
> 
> *   Trying IP ADDRESS...
> * Connected to IP ADDRESS port 6984 (#0)
> * Initializing NSS with certpath: sql:/etc/pki/nssdb
> *   CAfile: /etc/pki/tls/certs/ca-bundle.crt
>  CApath: none
> * NSS error -5938 (PR_END_OF_FILE_ERROR)
> * Encountered end of file
> * Closing connection 0
> curl: (35) Encountered end of file
> 
> Tried above using https://localhost:6984 and still see the same error.
> 
> From couch logs:
> 
> [notice] 2chttpd_auth_cache changes listener died database_does_not_exist at mem3_shards:load_shards_from_db/6(line:395) <= mem3_shards:load_shards_from_disk/1(line:370) <= mem3_shards:load_shards_from_disk/2(line:399) <= mem3_shards:for_docid/3(line:86) <= fabric_doc_open:go/3(line:39) <= httpd_auth_cache:ensure_auth_ddoc_exists/2(line:195) <= chttpd_auth_cache:listen_for_changes/1(line:142)
> [error] 2019-12-04T19:52:22.041264Z [email protected] emulator -------- Error in process <0.9139.0> on node '[email protected]' with exit value:
> {database_does_not_exist,[{mem3_shards,load_shards_from_db,"_users",[{file,"src/mem3_shards.erl"},{line,395}]},{mem3_shards,load_shards_from_disk,1,[{file,"src/mem3_shards.erl"},{line,370}]},{mem3_shards,load_shards_from_disk,2,[{file,"src/mem3_shards.erl"},{line,399}]},{mem3_shards,for_docid,3,[{file,"src/mem3_shards.erl"},{line,86}]},{fabric_doc_open,go,3,[{file,"src/fabric_doc_open.erl"},{line,39}]},{chttpd_auth_cache,ensure_auth_ddoc_exists,2,[{file,"src/chttpd_auth_cache.erl"},{line,195}]},{chttpd_auth_cache,listen_for_changes,1,[{file,"src/chttpd_auth_cache.erl"},{line,142}]}]}
> 
> 
> netstat -plnt command shows that it is listening on port 6984. "0 0.0.0.0:6984"
> 
> Not sure if I am missing any configuration that is not allowing me to access 
> couchdb securely.
> 
> 
> Best,
> Vimal
> 
> 
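The two causes that surfaced in this thread (PEM files that the couchdb service account could not read after Bill's chmod/chown steps were skipped, and a TLS port that the host firewall was not forwarding) can both be checked before restarting CouchDB. The script below is an added example written for this archive page, not code from the thread or from the CouchDB project. It parses the [ssl] section of a local.ini, stats each PEM file from the point of view of a given service uid/gid, flags a private key that is group- or world-readable, and checks a captured `firewall-cmd --list-ports` line for the TLS port. The ini text, the temporary files, the uid/gid values and the firewall output are all constructed inside the demo.

```python
"""Pre-flight checks for a CouchDB TLS listener.

Added example, not from the mailing-list thread. Every path, uid/gid and
firewall line used by demo() is constructed locally so the script runs offline.
"""
import configparser
import os
import stat
import tempfile


def load_ssl_paths(ini_text):
    """Return the cert_file/key_file/cacert_file entries of the [ssl] section."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(ini_text)
    ssl = cp["ssl"]
    return {k: ssl[k] for k in ("cert_file", "key_file", "cacert_file") if k in ssl}


def check_pem(path, service_uid, service_gid, private=False):
    """Classify one PEM file as seen by the service account.

    Returns 'missing', 'unreadable', 'key-exposed' or 'ok'. Readability is
    derived from the owner/group/other bits that apply to service_uid/gid,
    so the check is meaningful even when run as root.
    """
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return "missing"
    mode = stat.S_IMODE(st.st_mode)
    if st.st_uid == service_uid:
        readable = bool(mode & stat.S_IRUSR)
    elif st.st_gid == service_gid:
        readable = bool(mode & stat.S_IRGRP)
    else:
        readable = bool(mode & stat.S_IROTH)
    if not readable:
        return "unreadable"
    # A private key that anyone but the owner can read or write is a finding
    # even though the service itself would start fine.
    exposed = stat.S_IRGRP | stat.S_IROTH | stat.S_IWGRP | stat.S_IWOTH
    if private and mode & exposed:
        return "key-exposed"
    return "ok"


def check_config(ini_text, service_uid, service_gid):
    """Run check_pem over every PEM path named in the [ssl] section."""
    paths = load_ssl_paths(ini_text)
    return {
        name: check_pem(p, service_uid, service_gid, private=(name == "key_file"))
        for name, p in paths.items()
    }


def tls_port_open(list_ports_output, port=6984):
    """True if 'PORT/tcp' appears in the output of `firewall-cmd --list-ports`."""
    return f"{port}/tcp" in list_ports_output.split()


def demo():
    """Constructed tree: cert 0600 owned by us, key world-readable, CA chain absent."""
    d = tempfile.mkdtemp()

    def write(name, mode):
        p = os.path.join(d, name)
        with open(p, "w") as f:
            f.write("-----BEGIN CERTIFICATE-----\n")  # placeholder content
        os.chmod(p, mode)
        return p

    cert = write("cert.pem", 0o600)
    key = write("privkey.pem", 0o644)
    ini = f"""
[daemons]
httpsd = {{chttpd, start_link, [https]}}

[ssl]
port = 6984
cert_file = {cert}
key_file = {key}
cacert_file = {os.path.join(d, 'fullchain.pem')}
"""
    me, my_gid = os.getuid(), os.getgid()
    as_service = check_config(ini, me, my_gid)          # files owned by the service
    as_other = check_config(ini, me + 1, my_gid + 1)    # hypothetical other account
    return as_service, as_other


if __name__ == "__main__":
    print(demo())
    print(tls_port_open("80/tcp 443/tcp"), tls_port_open("80/tcp 443/tcp 6984/tcp"))
```

In the first result cert.pem is fine, privkey.pem is readable but exposed to group and world, and fullchain.pem is missing; in the second the 0600 cert becomes "unreadable" because the service uid does not own it, which is exactly the symptom of an untouched chown. On CentOS 7 the firewall output would come from `firewall-cmd --list-ports`; here it is a constructed string.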
