Re: 2.1.1 on macOS High Sierra (OS X 10.13)

2017-11-17 Thread Renato
Jan,

It was a missing library in the current OS X build that caused the issue. Until 
there is a new build that includes it, the fix is to install nspr via brew. 

see https://github.com/apache/couchdb/issues/979 


Renato.

> On Nov 14, 2017, at 2:59 PM, Renato  wrote:
> 
> Hi Jan,
> 
> Let me know which service to use. I currently reverted back to 2.1.1 upgraded 
> over an existing install but I have some logs collected from before. I was 
> planning to post this under issues, so here is what I have from before. If 
> you need more I would have to clean up everything again. 
> 
> 
> ## Steps to Reproduce (for bugs)
> 
> 
> 1. Remove old install: delete couch from app folder, delete preferences and 
> local.ini in users Library/Preferences folder, delete CouchDB folder from 
> users Library/Application Support/ folder
> 2. Download 2.1.1 for macOS (10.6+) using link on couchdb.apache.org 
> 
> 3. Follow installation instruction and install couch.
> 4. Start couch from app folder. Go to Fauxton and verify install. Replication 
> will fail. Open logs and you'll find:
> [error] 2017-11-14T14:48:00.049239Z couchdb@localhost <0.1143.0>  OS 
> Process Error <0.16731.0> :: {os_process_error,{exit_status,134}}
> [info] 2017-11-14T14:48:00.056837Z couchdb@localhost <0.218.0>  
> couch_proc_manager <0.16734.0> died normal
> 
> ## Context
> 
> Would like a clean install because after last upgrade to 2.1.1 replication 
> and writes wouldn't work any longer. I also had and still see every couple of 
> seconds chttpd_auth_cache errors in the logs.
> I need replication and all key functionality to work properly without errors.
> 
> 
>  Verification always fails with the error above. If you restart couch and 
> check the logs, you'll see also the following error repeating every couple of 
> seconds:
> 
> chttpd_auth_cache errors:
> [notice] 2017-11-14T15:17:30.596802Z couchdb@127.0.0.1 
>  <0.349.0>  chttpd_auth_cache changes 
> listener died database_does_not_exist at 
> mem3_shards:load_shards_from_db/6(line:403) <= 
> mem3_shards:load_shards_from_disk/1(line:378) <= 
> mem3_shards:load_shards_from_disk/2(line:407) <= 
> mem3_shards:for_docid/3(line:91) <= fabric_doc_open:go/3(line:38) <= 
> chttpd_auth_cache:ensure_auth_ddoc_exists/2(line:187) <= 
> chttpd_auth_cache:listen_for_changes/1(line:134)
> [error] 2017-11-14T15:17:30.596831Z couchdb@127.0.0.1 
>  emulator  Error in process <0.1072.0> on 
> node 'couchdb@127.0.0.1 ' with exit value:
> {database_does_not_exist,[{mem3_shards,load_shards_from_db,"_users",[{file,"src/mem3_shards.erl"},{line,403}]},{mem3_shards,load_shards_from_disk,1,[{file,"src/mem3_shards.erl"},{line,378}]},{mem3_shards,load_shards_from_disk,2,[{file,"src/mem3_shards.erl"},{line,407}]},{mem3_shards,for_docid,3,[{file,"src/mem3_shards.erl"},{line,91}]},{fabric_doc_open,go,3,[{file,"src/fabric_doc_open.erl"},{line,38}]},{chttpd_auth_cache,ensure_auth_ddoc_exists,2,[{file,"src/chttpd_auth_cache.erl"},{line,187}]},{chttpd_auth_cache,listen_for_changes,1,[{file,"src/chttpd_auth_cache.erl"},{line,134}]}]}
> 
> removing everything, doing a fresh install and starting couch without any 
> mods and not running the verification steps, gives you the same 
> chttpd_auth_cache error:
> 
> [notice] 2017-11-14T15:23:17.548437Z couchdb@localhost <0.330.0>  
> chttpd_auth_cache changes listener died database_does_not_exist at 
> mem3_shards:load_shards_from_db/6(line:403) <= 
> mem3_shards:load_shards_from_disk/1(line:378) <= 
> mem3_shards:load_shards_from_disk/2(line:407) <= 
> mem3_shards:for_docid/3(line:91) <= fabric_doc_open:go/3(line:38) <= 
> chttpd_auth_cache:ensure_auth_ddoc_exists/2(line:187) <= 
> chttpd_auth_cache:listen_for_changes/1(line:134)
> [error] 2017-11-14T15:23:17.548507Z couchdb@localhost emulator  Error 
> in process <0.729.0> on node couchdb@localhost with exit value:
> {database_does_not_exist,[{mem3_shards,load_shards_from_db,"_users",[{file,"src/mem3_shards.erl"},{line,403}]},{mem3_shards,load_shards_from_disk,1,[{file,"src/mem3_shards.erl"},{line,378}]},{mem3_shards,load_shards_from_disk,2,[{file,"src/mem3_shards.erl"},{line,407}]},{mem3_shards,for_docid,3,[{file,"src/mem3_shards.erl"},{line,91}]},{fabric_doc_open,go,3,[{file,"src/fabric_doc_open.erl"},{line,38}]},{chttpd_auth_cache,ensure_auth_ddoc_exists,2,[{file,"src/chttpd_auth_cache.erl"},{line,187}]},{chttpd_auth_cache,listen_for_changes,1,[{file,"src/chttpd_auth_cache.erl"},{line,134}]}]}
> 
> removing everything, doing a fresh install, changing the vm.args setting from 
> localhost to 127.0.0.1 and then starting couch still gives the 
> chttpd_auth_cache errors:
> 
> [info] 2017-11-14T15:27:27.783648Z couchdb@127.0.0.1 
>  <0.9.0>  Application couch_log started on 
> node 

Re: couch-hash-pwd

2017-11-17 Thread Martin Broerse
Thanks Renato,

I think we will use nginx and we are exploring what our best setup will
be. We will probably go for a CentOS server with a docker CouchDB 2.1.1
nginx and haproxy. We are currently deploying all Apps direct to CouchDB
with https://github.com/martinic/ember-cli-deploy-couchdb . I know we can
deploy with https://github.com/martinic/ember-cli-deploy-sftp to nginx but
it seems like a step back. Our current setup just works out of the box by
only setting a vhost.

Thanks for letting me know how you set up Let's Encrypt and CouchDB and it
is good to hear it is working fine.

- Martin



On Fri, Nov 17, 2017 at 10:48 PM, Renato  wrote:

> Martin,
>
> Are you interested in how to make docker work with let’s encrypt or how to
> make let’s encrypt and couchdb work together?
>
> If it’s the latter, I have been using let’s encrypt with couchdb for a few
> months now. I run the let’s encrypt certbot client as a cronjob to auto
> renew the certs.
>
> Certbot doesn’t have a plugin for couchdb and runs as root with root only
> access restrictions on the certs. Unless you want to change the default
> permissions for couch to be able to read the certs in the let’s encrypt
> dir,  you need a script to copy the renewed certs to the couch cert dir.
>
> I’m using the deploy-hook for certbot and it works nicely. see:
> https://certbot.eff.org/docs/using.html#renewing-certificates
>
> BTW: Even though I have couch configured with certs and it works, I use
> nginx as proxy and for ssl termination. It forwards to couch over the
> standard non tls port (just like Geoff’s load balancer setup below). I
> don’t want to allow unfiltered access to couch. Couch can only locally be
> accessed directly.
> You can use nginx as a load balancer as well. (I currently have a firewall
> in front of nginx and plan to place a load balancer in front of nginx as
> well). I use Nginx to serve the static files and to manage non-couch
> requests.
>
> Renato.
>
> PS: My servers are on ubuntu and dev on OS X.
>
> > On Nov 17, 2017, at 12:43 PM, Geoffrey Cox  wrote:
> >
> > Hi Martin,
> >
> > I personally use a $42/year wildcard certificate from AlphaSSL.
> > https://blog.alejandrocelaya.com/2016/08/16/setup-a-lets-encrypt-certificate-in-a-aws-elastic-load-balancer/
> > appears to discuss a way of using letsencrypt with an AWS load balancer.
> >
> > Geoff
> >
> > On Thu, Nov 16, 2017 at 11:03 PM Martin Broerse <martin.broe...@gmail.com>
> > wrote:
> >
> >> Geoff,
> >>
> >> Thanks for this and the article. Do you use Lets Encrypt with this docker
> >> setup somewhere. I would like to read about that.
> >>
> >> - Martin
> >>
> >> On Thu, Nov 16, 2017 at 9:25 PM, Geoffrey Cox wrote:
> >>
> >>> Hi!
> >>>
> >>> I just created a command line wrapper called couch-hash-pwd
> >>> for couch-pwd-updated that
> >>> allows you to hash a CouchDB password from the command line.
> >>>
> >>> e.g. `$ couch-hash-pwd -p mysecret` outputs something like
> >>> *-pbkdf2-4a52aa4dc97b5d39498b33b1d563ff344ac08e1a,
> >>> 163fcff74d7cf643c2ae0d97f0b458bf,10*
> >>>
> >>> I've also added details to
> >>> Running a CouchDB 2.0 Cluster in Production on AWS with Docker
> >>>  >>> in-production-on-aws-with-docker-50f745d4bdbc>
> >>>
> >>> Special thanks to aphixsoftware and zemirco for creating the building
> >>> blocks!
> >>>
> >>> Geoff
> >>>
> >>
>
>


Re: couch-hash-pwd

2017-11-17 Thread Renato
Martin,

Are you interested in how to make docker work with let’s encrypt or how to make 
let’s encrypt and couchdb work together?

If it’s the latter, I have been using let’s encrypt with couchdb for a few 
months now. I run the let’s encrypt certbot client as a cronjob to auto renew 
the certs.

Certbot doesn’t have a plugin for couchdb and runs as root with root only 
access restrictions on the certs. Unless you want to change the default 
permissions for couch to be able to read the certs in the let’s encrypt dir,  
you need a script to copy the renewed certs to the couch cert dir. 
 
I’m using the deploy-hook for certbot and it works nicely. see:
https://certbot.eff.org/docs/using.html#renewing-certificates 


BTW: Even though I have couch configured with certs and it works, I use nginx 
as proxy and for ssl termination. It forwards to couch over the standard non 
tls port (just like Geoff’s load balancer setup below). I don’t want to allow 
unfiltered access to couch. Couch can only locally be accessed directly.
You can use nginx as a load balancer as well. (I currently have a firewall in 
front of nginx and plan to place a load balancer in front of nginx as well). I 
use Nginx to serve the static files and to manage non-couch requests.
 
Renato.

PS: My servers are on ubuntu and dev on OS X.

> On Nov 17, 2017, at 12:43 PM, Geoffrey Cox  wrote:
> 
> Hi Martin,
> 
> I personally use a $42/year wildcard certificate from AlphaSSL.
> https://blog.alejandrocelaya.com/2016/08/16/setup-a-lets-encrypt-certificate-in-a-aws-elastic-load-balancer/
> appears
> to discuss a way of using letsencrypt with an AWS load balancer.
> 
> Geoff
> 
> On Thu, Nov 16, 2017 at 11:03 PM Martin Broerse 
> wrote:
> 
>> Geoff,
>> 
>> Thanks for this and the article. Do you use Lets Encrypt with this docker
>> setup somewhere. I would like to read about that.
>> 
>> - Martin
>> 
>> On Thu, Nov 16, 2017 at 9:25 PM, Geoffrey Cox  wrote:
>> 
>>> Hi!
>>> 
>>> I just created a command line wrapper called couch-hash-pwd
>>>  for couch-pwd-updated that
>>> allows you to hash a CouchDB password from the command line.
>>> 
>>> e.g. `$ couch-hash-pwd -p mysecret` outputs something like
>>> *-pbkdf2-4a52aa4dc97b5d39498b33b1d563ff344ac08e1a,
>>> 163fcff74d7cf643c2ae0d97f0b458bf,10*
>>> 
>>> I've also added details to
>>> Running a CouchDB 2.0 Cluster in Production on AWS with Docker
>>> >> in-production-on-aws-with-docker-50f745d4bdbc>
>>> 
>>> Special thanks to aphixsoftware and zemirco for creating the building
>>> blocks!
>>> 
>>> Geoff
>>> 
>> 
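
A deploy hook of the kind Renato describes above, as an added example that is not part of the original thread: it copies the renewed key and chain into a directory the CouchDB account can read, so /etc/letsencrypt can stay root-only. The destination path, the `couchdb` account name and the function name are assumptions; `RENEWED_LINEAGE` is the variable certbot exports to deploy hooks.

```shell
#!/bin/sh
# Certbot deploy hook: copy a renewed lineage into CouchDB's cert directory.
# Assumed values (not from the thread): destination path and service account.
COUCH_CERT_DIR="${COUCH_CERT_DIR:-/opt/couchdb/etc/cert}"
COUCH_USER="${COUCH_USER:-couchdb}"

# install_couch_certs LINEAGE_DIR DEST_DIR [OWNER]
install_couch_certs() {
    lineage=$1 dest=$2 owner=${3:-}
    # Refuse to deploy half a pair: both files must exist and be non-empty.
    for f in privkey.pem fullchain.pem; do
        [ -s "$lineage/$f" ] || { echo "missing $lineage/$f" >&2; return 1; }
    done
    mkdir -p "$dest" && chmod 0750 "$dest" || return 1
    for f in privkey.pem fullchain.pem; do
        case $f in privkey.pem) mode=0600 ;; *) mode=0644 ;; esac
        # mktemp creates the file 0600, so the key is never world-readable,
        # and the final rename means CouchDB never sees a partial file.
        tmp=$(mktemp "$dest/.$f.XXXXXX") || return 1
        cat "$lineage/$f" > "$tmp" && chmod "$mode" "$tmp" \
            || { rm -f "$tmp"; return 1; }
        if [ -n "$owner" ]; then
            chown "$owner" "$tmp" || { rm -f "$tmp"; return 1; }
        fi
        mv -f "$tmp" "$dest/$f" || { rm -f "$tmp"; return 1; }
    done
    # Hand the directory to the service account last, once its contents are final.
    [ -z "$owner" ] || chown "$owner" "$dest"
}

# Certbot sets RENEWED_LINEAGE only when it invokes a deploy hook after a
# successful renewal; when the variable is absent the script does nothing.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    install_couch_certs "$RENEWED_LINEAGE" "$COUCH_CERT_DIR" "$COUCH_USER"
fi
```

CouchDB reads its certificate files at startup, so a service restart after the copy is normally part of the hook; with nginx terminating TLS as in the message above, the same copy-then-reload pattern applies to nginx instead.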



Re: couch-hash-pwd

2017-11-17 Thread Geoffrey Cox
Hi Martin,

I personally use a $42/year wildcard certificate from AlphaSSL.
https://blog.alejandrocelaya.com/2016/08/16/setup-a-lets-encrypt-certificate-in-a-aws-elastic-load-balancer/
appears
to discuss a way of using letsencrypt with an AWS load balancer.

Geoff

On Thu, Nov 16, 2017 at 11:03 PM Martin Broerse 
wrote:

> Geoff,
>
> Thanks for this and the article. Do you use Lets Encrypt with this docker
> setup somewhere. I would like to read about that.
>
> - Martin
>
> On Thu, Nov 16, 2017 at 9:25 PM, Geoffrey Cox  wrote:
>
> > Hi!
> >
> > I just created a command line wrapper called couch-hash-pwd
> >  for couch-pwd-updated that
> > allows you to hash a CouchDB password from the command line.
> >
> > e.g. `$ couch-hash-pwd -p mysecret` outputs something like
> > *-pbkdf2-4a52aa4dc97b5d39498b33b1d563ff344ac08e1a,
> > 163fcff74d7cf643c2ae0d97f0b458bf,10*
> >
> > I've also added details to
> > Running a CouchDB 2.0 Cluster in Production on AWS with Docker
> >  > in-production-on-aws-with-docker-50f745d4bdbc>
> >
> > Special thanks to aphixsoftware and zemirco for creating the building
> > blocks!
> >
> > Geoff
> >
>