~$ erl +V
Erlang (SMP,ASYNC_THREADS,HIPE) (BEAM) emulator version 5.10.4

There was only the one error line in the couchdb logs. I just changed the log level to debug, no joy, still just the one line:

[Tue, 08 Dec 2015 16:44:25 GMT] [info] [<0.32.0>] Apache CouchDB has started on https://0.0.0.0:6984/
[Tue, 08 Dec 2015 16:44:35 GMT] [error] [<0.173.0>] SSL: hello: ssl_handshake.erl:154:Fatal error: internal error

That Stack Overflow article matches the ssl error for the line, but it seems like a red herring. We are on Ubuntu 14.04; it's reported that the issue was fixed in 13.04. For completeness, the openssl version:

~$ openssl version
OpenSSL 1.0.1f 6 Jan 2014

If I disable client verification the problem goes away.

On 12/7/15, 6:35 PM, "Alexander Shorin" <[email protected]> wrote:

>Hi,
>
>To make stack full, what is your Erlang version? Was the only one
>error line in CouchDB logs you posted here?
>
>Few else thoughts:
>isn't this Ubuntu openssl bug?
>http://serverfault.com/questions/389197/ssl-routinesssl23-writessl-handshake-failure
>
>--
>,,,^..^,,,
>
>
>On Tue, Dec 8, 2015 at 4:58 AM, Michael Power
><[email protected]> wrote:
>> Hello,
>>
>> I am trying to get couchdb to work with client certificates. I can’t seem
>> to get it to work. I am getting an internal error from couchdb.
>>
>> Here is how I am currently trying to connect:
>>
>> openssl s_client -connect localhost:6984 -cert ~mpower/couchdb.cert.pem -key
>> ~mpower/private/couchdb.key.pem -CAfile
>> /etc/my-ca/couchdb/certs/ca-chain.cert.pem
>>
>> This is what I get in response:
>>
>> CONNECTED(00000003)
>> 139699789244064:error:14094438:SSL routines:SSL3_READ_BYTES:tlsv1 alert
>> internal error:s3_pkt.c:1262:SSL alert number 80
>> 139699789244064:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake
>> failure:s23_lib.c:177:
>> …
>>
>> I can see this in the couchdb log:
>>
>> [Tue, 08 Dec 2015 01:37:51 GMT] [error] [<0.834.0>] SSL: hello:
>> ssl_handshake.erl:154:Fatal error: internal error
>>
>> I know my files work because I can run my own ssl server on the same port:
>>
>> openssl s_server -accept 6984 -key /etc/couchdb/private/couchdb.key.pem
>> -cert /etc/couchdb/couchdb.cert.pem -CAfile
>> /etc/my-ca/couchdb/certs/ca-chain.cert.pem -verify 2
>>
>> For couchdb if I disable client certificates in the configuration everything
>> works:
>>
>> verify_ssl_certificates = false
>>
>> openssl s_client -connect localhost:6984 -cert ~mpower/couchdb.cert.pem -key
>> ~mpower/private/couchdb.key.pem -CAfile
>> /etc/my-ca/couchdb/certs/ca-chain.cert.pem
>> …
>> hello
>> HTTP/1.1 400 Bad Request
>> Server: MochiWeb/1.0 (Any of you quaids got a smint?)
>> Date: Tue, 08 Dec 2015 01:50:33 GMT
>> Content-Length: 0
>>
>> closed
>>
>> Here is what my ssl configuration looks like:
>>
>> [daemons]
>> httpsd = {couch_httpd, start_link, [https]}
>>
>> [ssl]
>> verify_ssl_certificates = true
>> ssl_certificate_max_depth = 2
>> cert_file = /etc/couchdb/couchdb.cert.pem
>> key_file = /etc/couchdb/private/couchdb.key.pem
>> cacert_file = /etc/my-ca/couchdb/certs/ca-chain.cert.pem
>>
>> Some other information:
>>
>> /etc/couchdb/local.d$ couchdb -V
>> couchdb - Apache CouchDB 1.5.0
>>
>> /etc/couchdb/local.d$ lsb_release -a
>> No LSB modules are available.
>> Distributor ID: Ubuntu
>> Description: Ubuntu 14.04.1 LTS
>> Release: 14.04
>> Codename: trusty
>>
>> /etc/couchdb/local.d$ dpkg -s couchdb
>> Package: couchdb
>> Status: install ok installed
>> Priority: optional
>> Section: misc
>> Installed-Size: 95
>> Maintainer: Ubuntu Developers <[email protected]>
>> Architecture: all
>> Version: 1.5.0-0ubuntu1
>> Replaces: couchdb-bin (<= 1.0.1-0ubuntu18)
>> Depends: couchdb-bin (>= 1.5.0-0ubuntu1), adduser, upstart
>> Conffiles:
>> /etc/init/couchdb.conf 54253885fde3bea9c06459cb2895a458
>> /etc/couchdb/local.ini bffa95158f7a754b3af2885b7af50d1d
>> /etc/logrotate.d/couchdb 5502805e702b3b3db79c47adbd9ea511
>> Description: RESTful document oriented database - system-wide instance
>> Apache CouchDB is a distributed, fault-tolerant and schema-free
>> document-oriented database accessible via a RESTful HTTP/JSON API. Among other
>> features, it provides robust, incremental replication with bi-directional
>> conflict detection and resolution, and is queryable and indexable using a
>> table-oriented view engine with JavaScript acting as the default view
>> definition language.
>> .
>> CouchDB is written in Erlang, but can be easily accessed from any environment
>> that provides means to make HTTP requests. There are a multitude of
>> third-party client libraries that make this even easier for a variety of
>> programming languages and environments.
>> .
>> This package adds the Upstart job and other items needed for a system-wide
>> CouchDB instance that is started at boot.
>> Homepage: http://couchdb.apache.org/
>> Original-Maintainer: Laszlo Boszormenyi (GCS) <[email protected]>
>>
>> What do I need to do to enable client certificates?
>>
>> Michael Power
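The diagnostic question running through this thread is whether CouchDB ever reached a verdict on the client certificate or fell over before it got there. The "tlsv1 alert internal error ... SSL alert number 80" that s_client prints and the "ssl_handshake.erl:154:Fatal error: internal error" that CouchDB logs both say the latter: alert 80 is the server reporting a fault of its own, whereas a rejected certificate produces a certificate alert (bad_certificate, unknown_ca, certificate_expired and so on). The Python below is an added example, not code from the CouchDB project or from anyone in the thread. It parses the two line formats quoted above (OpenSSL 1.0.x s_client error lines and CouchDB 1.x log lines) and returns that distinction as a one-line diagnosis. The alert-number table is the standard TLS AlertDescription registry (RFC 5246, section 7.2); all sample lines are constructed from the thread, and the "unknown ca" contrast line is constructed to show what a real rejection looks like.

```python
"""Triage a failed TLS client-certificate handshake from lines on both ends.

Added example; not code from the CouchDB project or from the thread.
Parses OpenSSL s_client error lines (client side) and CouchDB 1.x log lines
(server side) and says whether the server rejected the certificate or
faulted before reaching a verdict.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# TLS AlertDescription values relevant to mutual-TLS diagnosis (RFC 5246, 7.2).
TLS_ALERTS = {
    40: "handshake_failure",
    42: "bad_certificate",
    43: "unsupported_certificate",
    44: "certificate_revoked",
    45: "certificate_expired",
    46: "certificate_unknown",
    48: "unknown_ca",
    80: "internal_error",
}
# Alerts that mean the peer looked at the certificate and rejected it.
CERT_REJECTION_ALERTS = {42, 43, 44, 45, 46, 48}

# OpenSSL 1.0.x error line: <thread>:error:<code>:<lib>:<func>:<reason>:<file>:<line>:<extra>
OPENSSL_ERR = re.compile(
    r"^\d+:error:(?P<code>[0-9A-Fa-f]+):(?P<lib>[^:]*):(?P<func>[^:]*):"
    r"(?P<reason>[^:]*):(?P<file>[^:]*):(?P<line>\d+):(?P<extra>.*)$"
)
ALERT_NUMBER = re.compile(r"SSL alert number (\d+)")
# CouchDB 1.x log line: [<date>] [<level>] [<erlang pid>] <message>
COUCH_LOG = re.compile(
    r"^\[(?P<date>[^\]]+)\] \[(?P<level>\w+)\] \[(?P<pid><[\d.]+>)\] (?P<msg>.*)$"
)


@dataclass
class Finding:
    source: str           # "openssl" (client side) or "couchdb" (server side)
    alert: Optional[int]  # TLS alert number if one could be determined
    detail: str


def parse_line(line: str) -> Optional[Finding]:
    """Return a Finding for a recognised error line, None for anything else."""
    line = line.strip()
    m = OPENSSL_ERR.match(line)
    if m:
        a = ALERT_NUMBER.search(m.group("extra"))
        alert = int(a.group(1)) if a else None
        return Finding("openssl", alert, f"{m.group('func')}: {m.group('reason')}")
    m = COUCH_LOG.match(line)
    if m and m.group("level") == "error" and m.group("msg").startswith("SSL:"):
        msg = m.group("msg")
        # Erlang's ssl application logs the alert it sent as text, not a number.
        alert = 80 if "internal error" in msg else None
        return Finding("couchdb", alert, msg)
    return None


def triage(lines: Iterable[str]) -> str:
    """Turn client- and server-side lines into one diagnosis string."""
    findings: List[Finding] = [f for f in map(parse_line, lines) if f]
    alerts = {f.alert for f in findings if f.alert is not None}
    rejected = alerts & CERT_REJECTION_ALERTS
    if rejected:
        names = ", ".join(TLS_ALERTS[a] for a in sorted(rejected))
        return f"certificate rejected by peer ({names}): fix the cert, chain or CA file"
    if 80 in alerts:
        return "internal_error (alert 80): the server faulted during the handshake, not a certificate verdict"
    if 40 in alerts:
        return "handshake_failure (alert 40): protocol/cipher/certificate negotiation mismatch"
    return "no TLS alert found in the supplied lines"


# Constructed from the thread: what s_client printed and what CouchDB logged.
THREAD_LINES = [
    "CONNECTED(00000003)",
    "139699789244064:error:14094438:SSL routines:SSL3_READ_BYTES:tlsv1 alert "
    "internal error:s3_pkt.c:1262:SSL alert number 80",
    "139699789244064:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake "
    "failure:s23_lib.c:177:",
    "[Tue, 08 Dec 2015 01:37:51 GMT] [error] [<0.834.0>] SSL: hello: "
    "ssl_handshake.erl:154:Fatal error: internal error",
]
# Constructed contrast case: what a genuine verification rejection looks like.
REJECTED_LINES = [
    "139699789244064:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert "
    "unknown ca:s3_pkt.c:1262:SSL alert number 48",
]

if __name__ == "__main__":
    print(triage(THREAD_LINES))
    print(triage(REJECTED_LINES))
```

Run against the thread's own lines it reports the internal-error case; fed the constructed "unknown ca" line it reports a rejection, which is the outcome you would expect once the server is actually evaluating the chain against cacert_file within ssl_certificate_max_depth. Pasting both s_client output and the CouchDB log into the same call is deliberate: the client-side alert number and the server-side text are two views of the same handshake, and the helper only needs one of them to classify it.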
