What i would like to do:
Now I'm using a self signed SSL certificate which works wonderful. But I would like to replace them with an official one of lets encrypt
.
What i have (self signed certificate):
Here is a output of the important settings (local.ini) for ssl I have now:
[daemons]
; enable SSL support by uncommenting the following line and supply the PEM's below.
; the default ssl port CouchDB listens on is 6984
httpsd = {couch_httpd, start_link, [https]}
[ssl]
cert_file = /etc/couchdb/certs/server.crt // these are my self made certificates
key_file = /etc/couchdb/certs/server.key // these are my self made certificates
; set to true to validate peer certificates
verify_ssl_certificates = false
; Path to file containing PEM encoded CA certificates (trusted
; certificates used for verifying a peer certificate). May be omitted if
; you do not want to verify the peer.
;cacert_file = /full/path/to/cacertf
; The verification fun (optional) if not specified, the default
; verification fun will be used.
;verify_fun = {Module, VerifyFun}
; maximum peer certificate depth
ssl_certificate_max_depth = 1
What i tried (Lets Encrypt):
After following the docs of lets encrypt i have a folder /etc/letsencrypt/live/[domain]
with following files:
-cert.pem // seems to be the public certificate
-chain.pem // seems to be the public certificate from the keychain
-fullchain.pem // seems to be the cert.pem + chain.pem
-privkey.pem // seems to be the private certificate
So I tried to replace the new certificates with the old ones in my local.ini
[ssl]
cert_file = /etc/letsencrypt/live/[domain]/cert.pem // new certificate
key_file = /etc/letsencrypt/live/[domain]/privkey.pem // new certificate
The Problem:
After a restart of CouchDB the Non SSL way Port 5984 still works. But with SSL on Port 6984 I get a connection reset error
in chrome. PS: I also use the same letsencrypt certificates for my nginx, where they are working perfect.
Any ideas?
Openssl debug information:
1) With SSL and Self Signed Certificate, I get a certificate printent and a lot of information i entered once.
2) Without SSL and letsencrypt openssl s_client -connect localhost:5984
CONNECTED(00000003)
140581663061872:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:795:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 207 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
3) With SSL and letsencrypt openssl s_client -connect localhost:6984
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 207 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
Best Answer
with couchDB 1.6.x
copy the files
/etc/letsencrypt/archive/xxxx
in/var/lib/couchdb/cert1/
Check the access rights for CouchDB
Put the following values in
/usr/local/etc/couchdb/local.ini
. Note that the following folders match the above folder that was copied to.