Ssl – How to configure SSL for CouchDB

couchdbsslubuntu-12.04

How do I configure Couchdb to use ssl, I've followed the instructions here with no success.

I generate my own self-signed certificate:

mkdir cert && cd cert
openssl genrsa > privkey.pem
openssl req -new -x509 -key privkey.pem -out mycert.pem -days 1095

I uncomment the relevent lines in /usr/local/etc/couchdb/local.ini

httpsd = {couch_httpd, start_link, [https]}

and point to my certificates

cert_file = /usr/local/etc/couchdb/certs/mycert.pem
key_file = /usr/local/etc/couchdb/certs/privkey.pem

But when I try test it

curl -k -v https://127.0.0.1:6984
* About to connect() to 127.0.0.1 port 6984 (#0)
*   Trying 127.0.0.1... connected
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* Unknown SSL protocol error in connection to 127.0.0.1:6984 
* Closing connection #0
curl: (35) Unknown SSL protocol error in connection to 127.0.0.1:6984

I'm really not sure what is wrong.

Notes

I've installed couchdb 1.2 from source as per the instructions here.

Best Answer

So I executed the following commands:

# openssl genrsa -out localhost.key 2048

# openssl req -new -x509 -key localhost.key -out localhost.crt -days 3650 -subj /CN=localhost

After that, I configure the the local.ini as follow: (making sure that those certificate files are acessible from couchdb user):

[daemons]
httpsd = {couch_httpd, start_link, [https]}

[ssl]
cert_file = /opt/couchdb/etc/cert/localhost.crt
key_file = /opt/couchdb/etc/cert/localhost.key

When I run this command at my pc, this works fine:

curl -v -k https://localhost:6984/

Related Solutions

Ssl – Proper config for Couchdb + SSL Ubuntu. Getting error: curl: (35) Unknown SSL protocol error in connection to 127.0.0.1:6984

So, here are the answers in case anyone comes across this in their own journey:

When you're setting SSL up in node, especially with SPDY, it asks for:

var options = {
  key: fs.readFileSync(__dirname + '/keys/spdy-key.pem'),
  cert: fs.readFileSync(__dirname + '/keys/spdy-cert.pem'),
  ca: fs.readFileSync(__dirname + '/keys/spdy-ca.pem'),
};

It seems that you can use the csr (certificate signing request) as the ca in the SSL setup for self-signed certificates. However, doing that on a production server, means that the certificate chain has problems (the certificate you bought, like RapidSSL, is chained to a lower-level certificate, like GeoTrust. The chain needs to go all the way back since GeoTrust is the one trusted by the browser.) If you don't do the ca file (intermediate certificate file) it's ok in most cases - it'll say that the chain is broken in https://www.ssllabs.com/ssltest but the browsers didn't seem to care. But the correct way is to put the intermediate certificate in the ca spot.

As for node and couch, the problem definitely was permissions. I added couchdb user to the deploy usergroup but since the permissions on the key files are 600, the group still doesn't have access. In my case, I just created a self-signed certificate specially for couchDB.

That means that I have to tell node to trust it by using this config flag:

process.env.NODE_TLS_REJECT_UNAUTHORIZED = "0";

So now couch and node talk and use SSL.

As for some of the other questions:

Basic openssl usage seems to work fine with couchdb, so no issues with certain certificate types or anything like that I've come across

I cannot seem to turn on certificate verification for couch in this setup. I just get SSL: hello: tls_handshake.erl:285:Fatal error: internal error So leaving that set to false works

It seems that you can safely remove the http server from couchdb's couch.uri file (found at /var/run/couchdb/couch.uri) and just have the https one.

Hope this helps someone out,

Paul

SSL Certificate – Displaying Remote SSL Certificate Details Using CLI Tools

You should be able to use OpenSSL for your purpose:

echo | openssl s_client -showcerts -servername gnupg.org -connect gnupg.org:443 2>/dev/null | openssl x509 -inform pem -noout -text

That command connects to the desired website and pipes the certificate in PEM format on to another openssl command that reads and parses the details.

(Note that "redundant" -servername parameter is necessary to make openssl do a request with SNI support.)

Best Answer

Related Solutions

Ssl – Proper config for Couchdb + SSL Ubuntu. Getting error: curl: (35) Unknown SSL protocol error in connection to 127.0.0.1:6984

SSL Certificate – Displaying Remote SSL Certificate Details Using CLI Tools

Related Topic