I am running an Apache CouchDB instance (version 1.3.0) on an Ubuntu 12.10 server in the cloud (AWS). I am trying to get SSL working on my CouchDB instance.
The basic SSL setup is very easy. I have placed my certificate and key in a directory and uncommented the following lines in my local.ini file:
httpsd = {couch_httpd, start_link, [https]}
cert_file = /usr/local/etc/couchdb/certs/mycouchdbserver_cert.pem
key_file = /usr/local/etc/couchdb/certs/mycouchdbserver_key.pem
I have also made sure that the ownership on these files is correct.
This works fine: the CouchDB server starts up, and you can navigate to https://mycouchdbserver.com/_utils/ without a problem.
Testing with openssl:
openssl s_client -showcerts -connect mycouchdbserver.com:443
gives the correct result for a standard SSL configuration.
When testing the setup on the DigiCert website (the company the SSL certs were bought through - test link: http://www.digicert.com/help/) I get the following error:
The server is not sending the required intermediate certificate.
When purchasing the SSL certificate I obtained an intermediate certificate from DigiCert and have downloaded the root cert for DigiCert as well.
In the local.ini config file for CouchDB you can use these with the following configuration fields:
verify_ssl_certificates = true
cacert_file = xxxx
My problem is that I can't get this to work and have tried every possible combination to get this to work. Here is what I have tried:
- Tried setting cacert_file to the intermediate cert from DigiCert
- Tried setting cacert_file to the root certificate in /etc/ssl/certs
- Tried adding the root cert from DigiCert website to /usr/shared/ca-certs/ and then running dpkg-reconfigure ca-certificates to install a new root certificate and setting cacert_file to that new pem encoded certificate in /etc/ssl/certs
- Tried combining the cert and intermediate cert in one file used for cert_file
- Tried combining the cert, intermediate cert and root cert into 1 pem file used for cert_file
All of the above throw errors in the CouchDB log. Some give a massive amount of output in the error logs, but using number 3 I get:
=ERROR REPORT==== 11-Jun-2013::11:35:30 ===
SSL: hello: ssl_handshake.erl:252:Fatal error: internal error
And testing with openssl I get:
CONNECTED(00000003)
16871:error:14094438:SSL routines:SSL3_READ_BYTES:tlsv1 alert internal error:s3_pkt.c:1099:SSL alert number 80
16871:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:
Does anyone have any idea how to use verify_ssl_certificates, the root certificate and the intermediate certificate correctly with CouchDB?
I have read all the documentation online and nothing has helped.
Thanks in advance, Andrew
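An added check, not part of the question and not CouchDB code, that a reader can run over a PEM bundle before pointing cert_file or cacert_file at it: it walks each certificate's DER just far enough to read issuer and subject, then reports whether the server certificate comes first and whether each certificate is issued by the one that follows it, which is the order a server needs before it can send its intermediate alongside its own certificate. It uses only the Python standard library; the sample certificates are constructed stand-ins with the TBSCertificate layout but no key or signature.

```python
import base64
import re

PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def _tlv(der, pos):
    """Decode one DER tag and length at pos; return (tag, content_start, end)."""
    tag, length, pos = der[pos], der[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(der[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def issuer_subject(der):
    """Return the raw DER encodings of (issuer, subject) from one X.509 certificate."""
    _, p, _ = _tlv(der, 0)                              # Certificate SEQUENCE
    _, p, _ = _tlv(der, p)                              # tbsCertificate SEQUENCE
    tag, _, end = _tlv(der, p)
    if tag == 0xA0:                                     # optional [0] EXPLICIT version
        p = end
    _, _, p = _tlv(der, p)                              # serialNumber
    _, _, p = _tlv(der, p)                              # signature AlgorithmIdentifier
    issuer_start, (_, _, p) = p, _tlv(der, p)           # issuer Name
    _, _, after_validity = _tlv(der, p)                 # validity
    subject_start, (_, _, end) = after_validity, _tlv(der, after_validity)
    return der[issuer_start:p], der[subject_start:end]

def check_chain(pem_text):
    """List ordering faults in a PEM bundle served as a chain: server cert first, each issuer = next subject."""
    certs = [issuer_subject(base64.b64decode(b)) for b in PEM_CERT.findall(pem_text)]
    if not certs:
        return ["no certificates found"]
    problems = ["first certificate is self-signed (root placed first?)"] if certs[0][0] == certs[0][1] else []
    for i in range(len(certs) - 1):
        if certs[i][0] != certs[i + 1][1]:
            problems.append("certificate %d is not issued by certificate %d" % (i, i + 1))
    return problems

# --- constructed sample input (not real certificates): same TBSCertificate layout, no key, no signature ---
def _der(tag, content):
    return bytes([tag, len(content)]) + content         # short-form length only; sample stays below 128 bytes
def _name(cn):                                          # Name with a single commonName attribute
    return _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))))
def fake_cert_pem(subject, issuer):
    alg = _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + _der(0x05, b""))  # sha256WithRSA
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + alg
               + _name(issuer) + _der(0x30, b"") + _name(subject) + _der(0x30, b""))
    der = _der(0x30, tbs + alg + _der(0x03, b"\x00"))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(der).decode()
```

On a real bundle, call check_chain(open("chain.pem").read()); an empty list means the order is consistent, though it says nothing about signatures or trust, which openssl verify still has to confirm.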