Thank you, Sinan. I forgot to mention that I am running Ubuntu 14.04 64-bit with the latest CouchDB (1.6.1) built from source. I used the build process on this page: https://cwiki.apache.org/confluence/display/COUCHDB/Ubuntu
Does anyone know why the latest Ubuntu 14.04 would present SSL issues in CouchDB?

--
Paul Okstad

> On Nov 13, 2014, at 12:06 AM, Sinan Gabel <[email protected]> wrote:
>
> Hi!
>
> A non-answer:
>
> For me it works on Ubuntu 13.04 (towards all main browsers) as described
> in:
> http://docs.couchdb.org/en/latest/config/http.html#secure-socket-level-options
>
> However when I switch to Ubuntu 14.04 I can't get it to work, so on Ubuntu
> 14.04 I have actually set up an nginx load balancer to handle SSL instead
> (as I needed the load balancer anyway).
>
> Br, Sinan
>
> On 13 November 2014 01:54, Paul Okstad <[email protected]> wrote:
>
>> I would really appreciate any help from anyone with experience configuring
>> CouchDB with SSL.
>>
>> I wrote a detailed write up on the wiki describing the process I used to
>> create my keys and certs and configure CouchDB to use them:
>>
>> https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=48203146
>>
>> This problem originally occurred with certs I had signed by RapidSSL. I
>> then tried signed certs from the free Comodo service detailed in the wiki.
>> Both companies had the same issue in Firefox and Chrome.
>>
>> At the bottom of the wiki page is a listing of the errors I get. Here’s
>> what’s happening:
>>
>> 1. HTTPS works fine in Safari on OS X and iOS
>> 2. SSLShopper.com SSL checker tool indicates my domain is fine:
>> https://www.sslshopper.com/ssl-checker.html#hostname=api.hardcodedstudios.com:6984
>> 3. Does NOT work in Firefox (latest)
>> 4. Does NOT work in Chrome (latest)
>> 5. Couchbase Lite for iOS throws errors when using the HTTPS connection
>> for replication:
>>
>> Replication: CBL_Puller[https://username:*****@
>> api.hardcodedstudios.com:6984/u_username] took 0.744 sec; error=Error
>> Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure
>> connection to the server cannot be made." UserInfo=0x7a9825c0
>> {NSLocalizedDescription=An SSL error has occurred and a secure connection
>> to the server cannot be made., NSLocalizedRecoverySuggestion=Would you like
>> to connect to the server anyway?, _kCFStreamErrorCodeKey=-9800,
>> NSErrorFailingURLStringKey=https://username:*****@
>> api.hardcodedstudios.com:6984/u_username/_local/f0f04e52a0ace2008a4c30767a46d2a52502c9d1,
>> _kCFStreamErrorDomainKey=3,
>> NSURLErrorFailingURLPeerTrustErrorKey=<SecTrustRef: 0x7a880180>,
>> NSUnderlyingError=0x7a838740 "An SSL error has occurred and a secure
>> connection to the server cannot be made.",
>> NSErrorFailingURLKey=https://username:*****@
>> api.hardcodedstudios.com:6984/u_username/_local/f0f04e52a0ace2008a4c30767a46d2a52502c9d1
>> })
>>
>> 6. Curl on OS X reports the following issue:
>>
>> $ curl https://api.hardcodedstudios.com:6984
>> curl: (35) Unknown SSL protocol error in connection to
>> api.hardcodedstudios.com:-9800
>>
>> BUT, on Linux it returns successfully!
>>
>> 7. OpenSSL inspection reveals the following:
>>
>> $ openssl s_client -showcerts -connect api.hardcodedstudios.com:6984
>> CONNECTED(00000003)
>> depth=3 /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust
>> External CA Root
>> verify error:num=19:self signed certificate in certificate chain
>> verify return:0
>> ---
>> Certificate chain
>> 0 s:/OU=Domain Control Validated/OU=Free SSL/CN=api.hardcodedstudios.com
>> i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO
>> RSA Domain Validation Secure Server CA
>> 1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO
>> RSA Domain Validation Secure Server CA
>> i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO
>> RSA Certification Authority
>> 2 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO
>> RSA Certification Authority
>> i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust
>> External CA Root
>> 3 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust
>> External CA Root
>> i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust
>> External CA Root
>> ---
>> Server certificate
>> subject=/OU=Domain Control Validated/OU=Free SSL/CN=
>> api.hardcodedstudios.com
>> issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO
>> RSA Domain Validation Secure Server CA
>> ---
>> No client certificate CA names sent
>> ---
>> SSL handshake has read 6121 bytes and written 328 bytes
>> ---
>> New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
>> Server public key is 2048 bit
>> Secure Renegotiation IS NOT supported
>> Compression: NONE
>> Expansion: NONE
>> SSL-Session:
>> Protocol : TLSv1
>> Cipher : DHE-RSA-AES256-SHA
>> Session-ID:
>> EFD5FF948B7E92D0814CF39EBA936C3BE7A9AA150BBAA046954870A96E247B40
>> Session-ID-ctx:
>> Master-Key:
>> 3772949939CCD6FC882EC5D3F08EBEFF881C86CE0E7B4E229D4CD9D84070D2CF3C3A6357E28982363D3B3950F0C74920
>> Key-Arg : None
>> Start Time: 1415839230
>> Timeout : 300 (sec)
>> Verify return code: 0 (ok)
>> ---
>>
>> --
>> Paul Okstad
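An added example, not part of the original thread: a small parser that pulls the comparable facts out of `openssl s_client` output like the one quoted above (chain order, self-signed entries sent by the server, negotiated protocol and cipher, the secure-renegotiation line), so the same summary can be taken from a working and a failing setup and diffed. The names `summarize` and `SAMPLE` are introduced here, and the sample text is constructed from the quoted output with certificate bodies left out.

```python
import re

# Constructed sample: the s_client output quoted in the thread, with the
# certificate bodies left out and mail-wrapped lines rejoined.
SAMPLE = """\
CONNECTED(00000003)
---
Certificate chain
 0 s:/OU=Domain Control Validated/OU=Free SSL/CN=api.hardcodedstudios.com
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
 1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
 2 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
 3 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
---
Secure Renegotiation IS NOT supported
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Verify return code: 0 (ok)
"""

def summarize(text):
    """Extract chain and handshake facts from `openssl s_client` output."""
    chain = [{"depth": int(d), "subject": s.strip(), "issuer": i.strip()}
             for d, s, i in re.findall(
                 r"^\s*(\d+) s:(.+)\n\s*i:(.+)$", text, re.MULTILINE)]

    def field(name):
        m = re.search(rf"^\s*{name}\s*:\s*(.+)$", text, re.MULTILINE)
        return m.group(1).strip() if m else None

    reneg = re.search(r"Secure Renegotiation IS( NOT)? supported", text)
    return {
        "chain": chain,
        # Each certificate should be issued by the next one in the list.
        "chain_in_order": all(a["issuer"] == b["subject"]
                              for a, b in zip(chain, chain[1:])),
        # subject == issuer marks a self-signed certificate sent by the server.
        "self_signed_depths": [c["depth"] for c in chain
                               if c["subject"] == c["issuer"]],
        "protocol": field("Protocol"),
        "cipher": field("Cipher"),
        # True/False from the output line, None when the line is absent.
        "secure_renegotiation": None if reneg is None else reneg.group(1) is None,
        "verify": field("Verify return code"),
    }
```

Feed it the text saved from `openssl s_client -showcerts -connect host:port` on each machine being compared; real output is not mail-wrapped, so the subject and issuer lines parse as shown.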
