Hi, to make the stack full, what is your Erlang version? Was the error line you posted here the only one in the CouchDB logs?

A few other thoughts: isn't this the Ubuntu openssl bug? http://serverfault.com/questions/389197/ssl-routinesssl23-writessl-handshake-failure

--
,,,^..^,,,

On Tue, Dec 8, 2015 at 4:58 AM, Michael Power <[email protected]> wrote:
> Hello,
>
> I am trying to get couchdb to work with client certificates. I can't seem to
> get it to work. I am getting an internal error from couchdb.
>
> Here is how I am currently trying to connect:
>
> openssl s_client -connect localhost:6984 -cert ~mpower/couchdb.cert.pem -key ~mpower/private/couchdb.key.pem -CAfile /etc/my-ca/couchdb/certs/ca-chain.cert.pem
>
> This is what I get in response:
>
> CONNECTED(00000003)
> 139699789244064:error:14094438:SSL routines:SSL3_READ_BYTES:tlsv1 alert internal error:s3_pkt.c:1262:SSL alert number 80
> 139699789244064:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:
> …
>
> I can see this in the couchdb log:
>
> [Tue, 08 Dec 2015 01:37:51 GMT] [error] [<0.834.0>] SSL: hello: ssl_handshake.erl:154:Fatal error: internal error
>
> I know my files work because I can run my own ssl server on the same port:
>
> openssl s_server -accept 6984 -key /etc/couchdb/private/couchdb.key.pem -cert /etc/couchdb/couchdb.cert.pem -CAfile /etc/my-ca/couchdb/certs/ca-chain.cert.pem -verify 2
>
> For couchdb, if I disable client certificates in the configuration everything
> works:
>
> verify_ssl_certificates = false
>
> openssl s_client -connect localhost:6984 -cert ~mpower/couchdb.cert.pem -key ~mpower/private/couchdb.key.pem -CAfile /etc/my-ca/couchdb/certs/ca-chain.cert.pem
> …
> hello
>
> HTTP/1.1 400 Bad Request
> Server: MochiWeb/1.0 (Any of you quaids got a smint?)
> Date: Tue, 08 Dec 2015 01:50:33 GMT
> Content-Length: 0
>
> closed
>
> Here is what my ssl configuration looks like:
>
> [daemons]
> httpsd = {couch_httpd, start_link, [https]}
>
> [ssl]
> verify_ssl_certificates = true
> ssl_certificate_max_depth = 2
> cert_file = /etc/couchdb/couchdb.cert.pem
> key_file = /etc/couchdb/private/couchdb.key.pem
> cacert_file = /etc/my-ca/couchdb/certs/ca-chain.cert.pem
>
> Some other information:
>
> /etc/couchdb/local.d$ couchdb -V
> couchdb - Apache CouchDB 1.5.0
>
> /etc/couchdb/local.d$ lsb_release -a
> No LSB modules are available.
> Distributor ID: Ubuntu
> Description: Ubuntu 14.04.1 LTS
> Release: 14.04
> Codename: trusty
>
> /etc/couchdb/local.d$ dpkg -s couchdb
> Package: couchdb
> Status: install ok installed
> Priority: optional
> Section: misc
> Installed-Size: 95
> Maintainer: Ubuntu Developers <[email protected]>
> Architecture: all
> Version: 1.5.0-0ubuntu1
> Replaces: couchdb-bin (<= 1.0.1-0ubuntu18)
> Depends: couchdb-bin (>= 1.5.0-0ubuntu1), adduser, upstart
> Conffiles:
>  /etc/init/couchdb.conf 54253885fde3bea9c06459cb2895a458
>  /etc/couchdb/local.ini bffa95158f7a754b3af2885b7af50d1d
>  /etc/logrotate.d/couchdb 5502805e702b3b3db79c47adbd9ea511
> Description: RESTful document oriented database - system-wide instance
>  Apache CouchDB is a distributed, fault-tolerant and schema-free
>  document-oriented database accessible via a RESTful HTTP/JSON API. Among other
>  features, it provides robust, incremental replication with bi-directional
>  conflict detection and resolution, and is queryable and indexable using a
>  table-oriented view engine with JavaScript acting as the default view
>  definition language.
>  .
>  CouchDB is written in Erlang, but can be easily accessed from any environment
>  that provides means to make HTTP requests. There are a multitude of third-party
>  client libraries that make this even easier for a variety of programming
>  languages and environments.
>  .
>  This package adds the Upstart job and other items needed for a system-wide
>  CouchDB instance that is started at boot.
> Homepage: http://couchdb.apache.org/
> Original-Maintainer: Laszlo Boszormenyi (GCS) <[email protected]>
>
> What do I need to do to enable client certificates?
>
> Michael Power
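An added example, not code from the thread or from CouchDB itself: a pre-flight check of the [ssl] section quoted above, the kind of thing to run before chasing a handshake "internal error". It assumes CouchDB 1.x passes ssl_certificate_max_depth through as the Erlang ssl depth option (which counts intermediates allowed between the client certificate and the root) and that the CA chain file lists intermediates followed by the self-signed root; the ini text and chain below are constructed stand-ins.

```python
import configparser

# Constructed copy of the [ssl] section quoted in the thread (not a real local.ini).
SAMPLE_LOCAL_INI = """[ssl]
verify_ssl_certificates = true
ssl_certificate_max_depth = 2
cert_file = /etc/couchdb/couchdb.cert.pem
key_file = /etc/couchdb/private/couchdb.key.pem
cacert_file = /etc/my-ca/couchdb/certs/ca-chain.cert.pem
"""

# Constructed ca-chain.cert.pem stand-in (intermediate, then root); only the PEM markers are counted.
SAMPLE_CA_CHAIN = """-----BEGIN CERTIFICATE-----
PLACEHOLDER-INTERMEDIATE-CA
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
PLACEHOLDER-ROOT-CA
-----END CERTIFICATE-----
"""

def parse_ssl_section(ini_text):
    """Read the [ssl] keys CouchDB 1.x uses when verifying client certificates."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(ini_text)
    ssl = cfg["ssl"]
    return {
        "verify": ssl.getboolean("verify_ssl_certificates", fallback=False),
        "max_depth": ssl.getint("ssl_certificate_max_depth", fallback=1),
        "cacert_file": ssl.get("cacert_file", fallback=None),
    }

def count_pem_certs(pem_text):
    return pem_text.count("-----END CERTIFICATE-----")

def required_depth(chain_cert_count):
    # Erlang ssl's depth option counts intermediates allowed between the peer
    # cert and the root, so a chain of root + N intermediates needs depth >= N.
    return max(chain_cert_count - 1, 0)

def check_client_cert_config(ini_text, chain_text):
    """Return a list of findings; an empty list means the settings look consistent."""
    ssl, problems = parse_ssl_section(ini_text), []
    if not ssl["verify"]:
        problems.append("verify_ssl_certificates is false: client certs are not checked")
    if not ssl["cacert_file"]:
        problems.append("cacert_file unset: no trust anchor for client certs")
    need = required_depth(count_pem_certs(chain_text))
    if ssl["max_depth"] < need:
        problems.append(f"ssl_certificate_max_depth={ssl['max_depth']} but chain needs {need}")
    return problems
```

With the thread's settings (depth 2, a two-certificate chain) the check returns no findings, so the misconfiguration is not in these keys and the next things to look at are the Erlang/OpenSSL versions the reply asks about.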
