with

ciphers = undefined
tls_versions = undefined
secure_renegotiate = undefined

no crash but

curl -k https://127.0.0.1:6984/
curl: (35) Unknown SSL protocol error in connection to 127.0.0.1:6984

Regards,
Frédéric Audon

2017-03-15 12:08 GMT+01:00 Frédéric Audon <[email protected]>:

> 2017-03-14 18:28 GMT+01:00 Myles Braithwaite 👾 <[email protected]>:
>
>> Frédéric Audon wrote:
>> > I have CouchDB 2.0 in single node.
>> >
>> > I have a crash with SSL
>> >
>> > [ssl]
>> > cert_file = /etc/letsencrypt/archive/db1.fidjy.com/cert1.pem
>> > key_file = /etc/letsencrypt/archive/db1.fidjy.com/privkey1.pem
>> > ssl_certificate_max_depth = 1
>> > ciphers = ["ECDHE-ECDSA-AES128-SHA256", "ECDHE-ECDSA-AES128-SHA"]
>> > tls_versions = [tlsv1, 'tlsv1.1', 'tlsv1.2']
>> >
>> > [info] 2017-03-14T16:49:52.045429Z couchdb@localhost <0.204.0> --------
>> > Starting couch_sup
>> >
>> > [error] 2017-03-14T16:49:52.142392Z couchdb@localhost <0.235.0> --------
>> > CRASH REPORT Process (<0.235.0>) with 0 neighbors exited with reason: bad
>> > argument in call to
>> > mochiweb_socket:'-filter_broken_cipher_suites/1-fun-0-'/1(line:41) at
>> > lists:'-filter/2-lc$^0/1-0-'/2(line:1284) <=
>> > mochiweb_socket:add_unbroken_ciphers_default/1(line:34) <=
>> > mochiweb_socket:listen/4(line:20) <=
>> > mochiweb_socket_server:listen/3(line:224) <= gen_server:init_it/6(line:306)
>> > <= proc_lib:init_p_do_apply/3(line:237); initial_call:
>> > {mochiweb_socket_server,init,['Argument__1']}, ancestors:
>> > [couch_secondary_services,couch_sup,<0.203.0>], messages: [], links:
>> > [<0.212.0>], dictionary: [], trap_exit: true, status: running, heap_size:
>> > 1598, stack_size: 27, reductions: 1459
>>
>> I think you also have to include the `cacert_file` to use Let's Encrypt,
>> see documentation here:
>> <http://docs.couchdb.org/en/2.0.0/config/http.html#ssl/cacert_file>.
>
> cacert_file
> Path to file containing PEM encoded CA certificates (trusted certificates
> used for verifying a peer certificate). May be omitted if you do not want
> to verify the peer:
> http://docs.couchdb.org/en/1.6.1/config/http.html#ssl/cacert_file
>
>> Are you sure that the files
>> `/etc/letsencrypt/archive/db1.fidjy.com/{cert1,privkey1,fullchain1}.pem`
>> are all readable by CouchDB user?
>
> Yes, I checked
>
>> Also this blog post,
>> <https://medium.com/@silverbackdan/installing-couchdb-2-0-nosql-with-centos-7-and-certbot-lets-encrypt-f412198c3051#.c0kslhcj0>
>> suggests using a proxy like HAProxy or Nginx to handle the SSL instead of
>> CouchDB.
>
> I use CouchDB 1.6 with SSL. It works very well.
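
One way to check the readability question raised in the thread, as an added example that is not part of the original messages: it reads the file options from the `[ssl]` section and reports the first path component (directory or file) that a given uid cannot pass, using mode bits only. The function names, the `root` parameter and the uid/gid 5984 are assumptions for illustration.

```python
import configparser
import os

# Constructed sample: the file options of the [ssl] section quoted in the thread.
SAMPLE_INI = """
[ssl]
cert_file = /etc/letsencrypt/archive/db1.fidjy.com/cert1.pem
key_file = /etc/letsencrypt/archive/db1.fidjy.com/privkey1.pem
ssl_certificate_max_depth = 1
"""
FILE_KEYS = ("cert_file", "key_file", "cacert_file")


def ssl_files(ini_text):
    """Return {option: path} for the file options present in [ssl]."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    if not cp.has_section("ssl"):
        return {}
    return {k: cp["ssl"][k] for k in FILE_KEYS if k in cp["ssl"]}


def _allowed(st, uid, gids, want):
    """Owner/group/other test on the mode bits (ACLs and uid 0 are ignored)."""
    shift = 6 if st.st_uid == uid else 3 if st.st_gid in gids else 0
    return bool((st.st_mode >> shift) & want)


def first_blocker(path, uid, gids, root="/"):
    """Return the first component below `root` that `uid` cannot pass, else None.

    Directories need search (x) permission, the file itself read (r). A
    component that is missing or cannot be examined is returned as a blocker.
    """
    node = os.path.abspath(root)
    parts = os.path.relpath(os.path.abspath(path), node).split(os.sep)
    for i, part in enumerate(parts):
        node = os.path.join(node, part)
        want = 4 if i == len(parts) - 1 else 1
        try:
            st = os.stat(node)
        except OSError:
            return node
        if not _allowed(st, uid, gids, want):
            return node
    return None


if __name__ == "__main__":
    # uid/gid 5984 is a placeholder; use the ids of the account CouchDB runs as.
    for option, path in ssl_files(SAMPLE_INI).items():
        print(option, path, "blocked at:", first_blocker(path, 5984, {5984}))
```

A result naming a directory rather than the PEM file means the file's own mode is not the problem; the account cannot traverse that directory.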
