That was the single most problematic CouchDB commit I have ever had to deal with. (Bob's work was fine; but it forced an introduction I regretted having.)
On Wed, Jun 12, 2013 at 9:03 PM, Robert Newson <[email protected]> wrote:
> and by "never", I strictly mean "for a very brief period where I added
> native SSL support to CouchDB in 2010".
>
> B.
>
>
> On 12 June 2013 15:01, Robert Newson <[email protected]> wrote:
> > I'd recommend haproxy 1.5 anyway, I've never been a big fan of
> > erlang's built-in SSL support (and it has a fairly yucky history of
> > bugs).
> >
> > B.
> >
> >
> > On 11 June 2013 16:48, Andrew Kew <[email protected]> wrote:
> >> Hi
> >>
> >> I am running an Apache CouchDB instance (version 1.3.0) on an Ubuntu 12.10 server in the cloud (AWS). I am trying to get SSL working on my couchDB instance.
> >>
> >> The basic SSL setup is very easy. I have placed my certificate and key in a directory and uncommented the following lines in my local.ini file:
> >>
> >> httpsd = {couch_httpd, start_link, [https]}
> >> cert_file = /usr/local/etc/couchdb/certs/mycouchdbserver_cert.pem
> >> key_file = /usr/local/etc/couchdb/certs/mycouchdbserver_key.pem
> >>
> >> I have also made sure that the ownership on these files is correct.
> >>
> >> This works fine, the couchDB server starts up, you can navigate to https://mycouchdbserver.com/_utils/ without a problem.
> >>
> >> Testing using openssl
> >>
> >> openssl s_client -showcerts -connect mycouchdbserver.com:443
> >>
> >> gives the correct result for standard SSL configuration.
> >>
> >> When testing the setup on the DigiCert website (the company the SSL certs were bought through - test link: http://www.digicert.com/help/) I get the following error:
> >>
> >> The server is not sending the required intermediate certificate.
> >>
> >> When purchasing the SSL certificate I obtained an intermediate certificate from DigiCert and have downloaded the root cert for DigiCert as well.
> >>
> >> In the local.ini config file for couchDB you can use these with the following configuration fields:
> >>
> >> verify_ssl_certificates = true
> >> cacert_file = xxxx
> >>
> >> My problem is that I can't get this to work and have tried every possible combination to get this to work. Here is what I have tried:
> >>
> >> 1. Tried setting cacert_file to the intermediate cert from DigiCert
> >> 2. Tried setting cacert_file to the root certificate in /etc/ssl/certs
> >> 3. Tried adding the root cert from DigiCert website to /usr/shared/ca-certs/ and then running dpkg-reconfigure ca-certificates to install a new root certificate and setting cacert_file to that new pem encoded certificate in /etc/ssl/certs
> >> 4. Tried combining the cert and intermediate cert in one file used for cert_file
> >> 5. Tried combining the cert, intermediate cert and root cert into 1 pem file used for cert_file
> >>
> >> All of the above throws errors in the couchDB log. Some give a mass amount of output in the error logs but using number 3, I get
> >>
> >> =ERROR REPORT==== 11-Jun-2013::11:35:30 ===
> >> SSL: hello: ssl_handshake.erl:252:Fatal error: internal error
> >>
> >> And testing with openssl I get
> >>
> >> CONNECTED(00000003)
> >> 16871:error:14094438:SSL routines:SSL3_READ_BYTES:tlsv1 alert internal error:s3_pkt.c:1099:SSL alert number 80
> >> 16871:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:
> >>
> >> Does anyone have any idea on how to use the verify_ssl_certificates, the root certificate and the intermediate certificate correctly with couchDB?
> >>
> >> I have read all documentation online and nothing has helped.
> >>
> >> Thanks in Advance
> >>
> >> Andrew
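The DigiCert tester's complaint ("The server is not sending the required intermediate certificate") means the chain the server presents is missing, or misorders, the intermediate. As an added example that is not part of this thread or of CouchDB, here is a stdlib-only Python check that a PEM bundle (the combined leaf-plus-intermediate file Andrew describes) is ordered leaf first with each certificate issued by the one after it; the function names are mine, and fake_cert builds constructed Certificate-shaped DER carrying only the name fields (with placeholder CA names) so the check runs offline.

```python
import base64, re

def _tlv(buf, pos):
    """Decode one DER TLV at pos; return (tag, value, position after it)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                    # long-form length (real certs use it)
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def names(cert_der):
    """Return (issuer, subject) as DER-encoded Name contents from one X.509 certificate."""
    _, cert, _ = _tlv(cert_der, 0)                   # Certificate ::= SEQUENCE
    _, tbs, _ = _tlv(cert, 0)                        # tbsCertificate
    fields, pos = [], 0
    while pos < len(tbs):
        tag, val, pos = _tlv(tbs, pos)
        fields.append((tag, val))
    if fields[0][0] == 0xA0:                         # optional [0] EXPLICIT version
        fields = fields[1:]
    return fields[2][1], fields[4][1]                # serial, sigAlg, issuer, validity, subject

def pem_chain(text):
    pat = r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----"
    return [base64.b64decode("".join(m.split())) for m in re.findall(pat, text, re.S)]

def chain_problems(pem_text):
    """Faults in a leaf-first bundle; [] means each cert's issuer is the next cert's subject."""
    certs = [names(c) for c in pem_chain(pem_text)]
    problems = [] if len(certs) > 1 else ["no intermediate in bundle: server has nothing to send"]
    for i in range(len(certs) - 1):
        if certs[i][0] != certs[i + 1][1]:          # raw DER compare; issued chains match exactly
            problems.append(f"cert {i} is not issued by cert {i + 1} (wrong order?)")
    return problems

def _der(tag, payload):
    """Short-form DER encoder, only for the constructed sample below."""
    return bytes([tag, len(payload)]) + payload

def fake_cert(subject, issuer):
    """Constructed stand-in, not a real certificate: Certificate-shaped DER carrying only a
    CN-based issuer and subject so names() can read it; no key or signature is present."""
    name = lambda cn: _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))))
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"")
           + name(issuer) + _der(0x30, b"") + name(subject))
    b64 = base64.b64encode(_der(0x30, _der(0x30, tbs) + _der(0x30, b"") + _der(0x03, b"\x00"))).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"
```

To check what the server actually sends, save the certificates printed by the `openssl s_client -showcerts` command above into a file and pass its text to chain_problems.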
