On 26 September 2012 19:36, Bill <[email protected]> wrote:
> Dave Cottlehuber <dch@...> writes:
>
>> On 26 September 2012 05:20, Bill <bill.foshay@...> wrote:
>> > I'm using CouchDB 1.1 and running into an issue configuring it for SSL. I have
>> > a certificate from GoDaddy that I'm trying to use. I put the cert, two
>> > intermediate GoDaddy certs, and the GoDaddy root cert in a PEM file. I
>> > specified the path to that file in the "cert_file" entry in the couchdb config. I
>> > also set up the "key_file" entry to point to my key file. However, after
>> > restarting couchdb, ssl is unable to connect. When I try
>> >
>> > curl -v https://myserver:6984/
>> >
>> > I get the following message
>> >
>> > * About to connect() to myserver port 6984 (#0)
>> > * Trying myserer... connected
>> > * Connected to myserver (myserver) port 6984 (#0)
>> > * Initializing NSS with certpath: /etc/pki/nssdb
>> > * CAfile: /etc/pki/tls/certs/ca-bundle.crt
>> > CAPath: none
>> > * NSS error -5938
>> > Closing connection #0
>> > * SSL connect error
>> >
>> > It's able to connect without SSL just fine. Does anyone have any idea what I'm
>> > doing wrong or tips to get this working?
>> >
>> > Thanks,
>> > Bill
>> >
>>
>> Hi Bill,
>>
>> I would suggest 2 things to check[1]:
>>
>> - use the mochiweb test certs to confirm that you've got couchdb set
>> up correctly
>> - confirm your certs work using openssl, both with & without the -k
>> option (validity chain)
>>
>> It's possible that you are running into one of the limitations of
>> various erlang versions, I am not up to speed but I'd suggest
>> re-testing with R15B02 once the first checks are working. Do keep us
>> posted so we can keep the wiki up to date.
>>
>> A+
>> Dave
>>
>> [1]: http://wiki.apache.org/couchdb/How_to_enable_SSL
>>
>
> Hi Dave,
>
> Thanks for the suggestions. I was able to verify both the checks you suggested.
> I'm able to successfully run couchdb with a self-signed cert. And I used openssl
> to confirm that the certs work, both with and without the -k option. Are there
> any other checks you can recommend? I can post my log file errors in a few hours
> when I get back home if people think that would be helpful.
>
> The version of CouchDB I'm using was bundled with Couchbase Single Server v1.2
> so maybe there's an erlang problem associated with that version? Is there an

It's likely quite an old release, so maybe - hard to say. OTP has moved quite a
bit in recent releases. Anyway I'd go with Bob's recommendation on stunnel for
production.

> alternative to Single Server since it's discontinued? I would love to upgrade to
> CouchDB 1.2 if I can do it without too much trouble. I've always just run
> CouchDB with Single Server and hadn't had any issues until trying to get SSL
> working with this GoDaddy cert. I'm pretty much a newbie to CouchDB so I'm
> hesitant to build it myself. Is there a simple way to get a CouchDB server
> running with v1.2 without building it myself?

What's your platform? There are mac & windows binaries on
http://couchdb.apache.org/#download and
https://github.com/iriscouch/build-couchdb for the rest.

We'll be happy to help you through this -- once your toolchain is set up source
is not a big hassle. IRC is a good place for questions while you're hacking away.

A+
Dave
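The chain check Dave recommends, as an added shell example that is not part of the thread: it builds a throwaway root, intermediate and server certificate with openssl, assembles them into a bundle in the order Bill describes (server cert first, then the intermediate, then the root), and checks both that the server cert validates to the root through the intermediate and that the key in key_file actually belongs to the server cert. It assumes openssl and a default openssl.cnf are available; every file name and CN is constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: create a root -> intermediate -> leaf chain with openssl
# and run the two checks worth doing before pointing CouchDB's cert_file/key_file at a bundle.
# All file names and CNs below are constructed for the demo.
set -e
WORK=$(mktemp -d)

# verify_chain ROOT_PEM UNTRUSTED_PEM LEAF_PEM: 0 when LEAF validates to ROOT via UNTRUSTED.
verify_chain() {
  openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

# key_matches_cert CERT_PEM KEY_PEM: 0 when the key's public half equals the cert's public key.
key_matches_cert() {
  c=$(openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
  k=$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256)
  [ -n "$c" ] && [ "$c" = "$k" ]
}

# cert_count BUNDLE_PEM: number of PEM certificates in the bundle (here 3; Bill's bundle had 4).
cert_count() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# Self-signed root; the default openssl.cnf marks "req -x509" output as a CA.
openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo Root" \
  -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
# Intermediate: must carry basicConstraints CA:TRUE or verification rejects it as an issuer.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate" \
  -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
  -CAcreateserial -days 2 -extfile "$WORK/ca.ext" -out "$WORK/int.pem" 2>/dev/null
# Server (leaf) certificate issued by the intermediate.
openssl req -newkey rsa:2048 -nodes -subj "/CN=myserver" \
  -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
  -CAcreateserial -days 2 -out "$WORK/server.pem" 2>/dev/null

# Bundle in the order Bill lists: server cert first, then intermediate(s), then root.
cat "$WORK/server.pem" "$WORK/int.pem" "$WORK/root.pem" > "$WORK/bundle.pem"

verify_chain "$WORK/root.pem" "$WORK/int.pem" "$WORK/server.pem" && echo "chain OK"
# The classic failure: without the intermediate the leaf cannot be chained to the root.
verify_chain "$WORK/root.pem" "$WORK/root.pem" "$WORK/server.pem" || echo "no intermediate: chain incomplete"
key_matches_cert "$WORK/server.pem" "$WORK/server.key" && echo "key matches cert"
echo "certificates in bundle: $(cert_count "$WORK/bundle.pem")"
```

If the key check fails, cert_file and key_file point at files from different CSRs, which is a different problem from an incomplete chain and needs a different fix.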
