I basically have exactly the same issue as "configure CouchDB with Let's Encrypt SSL certificate", so I have followed this answer. But it's still not working.

I've started with the Bitnami CouchDB VM on Azure, so CouchDB 3.3.1 is already set up (on Debian 10) and working fine over HTTP on port 5984. I'm using certbot to obtain the certificates and have set up the post-renewal hook to copy them and change the owner to couchdb. I've updated CouchDB's local.ini file to configure support for SSL:

[httpd]
bind_address = 0.0.0.0

[daemons]
httpsd = {couch_httpd, start_link, [https]}

[ssl]
enable = true
cert_file = /opt/bitnami/couchdb/etc/certs/cert.pem
key_file = /opt/bitnami/couchdb/etc/certs/privkey.pem
cacert_file = /opt/bitnami/couchdb/etc/certs/fullchain.pem

Once the CouchDB service is restarted, I can see

[info] 2021-03-25T21:25:38.726431Z couchdb@127.0.0.1 <0.239.0> -------- Apache CouchDB has started on https://0.0.0.0:6984/

in the logs, so it looks like CouchDB is happy with the setup.

Using netstat -tulnp, I see:

Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:5984            0.0.0.0:*               LISTEN      990/beam.smp
tcp        0      0 0.0.0.0:6984            0.0.0.0:*               LISTEN      990/beam.smp
tcp        0      0 0.0.0.0:9100            0.0.0.0:*               LISTEN      990/beam.smp

so it looks like the port is open and being listened on (PID 990 is CouchDB). I've also made sure that the Azure network security group has an inbound rule set up for port 6984.

But it's still not connecting - openssl s_client -connect <server_domain>:6984 -servername <server_domain> displays:

CONNECTED(00000004)
write:errno=0
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 321 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---

ufw doesn't appear to be installed (so the other answer in that question isn't relevant) and there are no errors in the CouchDB logs when I try to connect. I've even tried replacing the certificates temporarily with self-signed ones as per Bitnami's docs, but get the same error.

So what else should I be checking?

David G
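The question boils down to three checks: what the s_client transcript actually says, whether the port delivers a ServerHello at all, and whether the files the post-renewal hook copied are usable by the service. The script below is an added example written for this page; it is not code from the question, from Bitnami or from CouchDB. It embeds the transcript from the question as its sample input, uses a constructed stand-in listener (not CouchDB) to reproduce the "read 0 bytes" outcome, and the file names it creates for the permission check are constructed too.

```python
"""Triage a CouchDB-style HTTPS listener that accepts TCP but never completes a TLS handshake.

Added example for this question, not code from the original post, Bitnami or CouchDB.
"""
import os
import re
import socket
import ssl
import stat
import tempfile
import threading

# Transcript copied from the question above (hostname elided there as well).
SAMPLE_TRANSCRIPT = """CONNECTED(00000004)
write:errno=0
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 321 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Verify return code: 0 (ok)
"""


def parse_s_client(text):
    """Extract the handshake facts from an `openssl s_client` transcript and draw a verdict.

    `Verification: OK` / `Verify return code: 0 (ok)` only mean that nothing was checked and
    failed; together with no peer certificate and `Cipher is (NONE)` they do not mean TLS works.
    """
    m = re.search(r"SSL handshake has read (\d+) bytes and written (\d+) bytes", text)
    read_bytes, written_bytes = (int(m.group(1)), int(m.group(2))) if m else (None, None)
    cipher = re.search(r"Cipher is (\S+)", text)
    info = {
        "connected": text.startswith("CONNECTED"),
        "peer_cert": "no peer certificate available" not in text,
        "cipher": cipher.group(1) if cipher else None,
        "read_bytes": read_bytes,
        "written_bytes": written_bytes,
    }
    if not info["connected"]:
        info["verdict"] = "no_tcp"                 # firewall / NSG / nothing listening
    elif info["read_bytes"] == 0 and not info["peer_cert"]:
        info["verdict"] = "tcp_open_no_tls"       # listener closed without sending any TLS data
    elif info["peer_cert"] and info["cipher"] not in (None, "(NONE)"):
        info["verdict"] = "tls_ok"
    else:
        info["verdict"] = "tls_failed"            # some handshake data came back but no session
    return info


def probe_tls(host, port, timeout=5.0):
    """Connect, attempt a TLS handshake and classify the outcome.

    Verification is disabled on purpose: the question is whether a ServerHello arrives at all,
    not whether the chain validates (that is a separate, later check).
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return {"status": "no_tcp", "detail": str(exc)}
    try:
        tls = ctx.wrap_socket(raw, server_hostname=host)
    except (ConnectionResetError, BrokenPipeError) as exc:
        return {"status": "no_server_hello", "detail": str(exc)}   # peer dropped the connection
    except socket.timeout:
        return {"status": "handshake_timeout", "detail": "no reply within timeout"}
    except ssl.SSLError as exc:
        reason = (getattr(exc, "reason", None) or str(exc)).upper()
        # EOF during the handshake == the "read 0 bytes" case; anything else (typically
        # WRONG_VERSION_NUMBER) means the peer answered with something that is not TLS.
        status = "no_server_hello" if "EOF" in reason else "not_tls"
        return {"status": status, "detail": reason}
    with tls:
        return {"status": "tls_ok", "cipher": tls.cipher()[0],
                "cert_der_len": len(tls.getpeercert(binary_form=True))}


def check_cert_files(cert_file, key_file, expected_uid):
    """Return reasons a service running as `expected_uid` could fail to load its TLS material."""
    problems = []
    for label, path in (("cert_file", cert_file), ("key_file", key_file)):
        try:
            st = os.stat(path)
        except FileNotFoundError:
            problems.append(f"{label}: {path} does not exist (renewal hook did not copy it?)")
            continue
        if st.st_uid != expected_uid:
            problems.append(f"{label}: owned by uid {st.st_uid}, expected {expected_uid}")
        if label == "key_file" and st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            problems.append(f"{label}: private key is group/world accessible ({stat.filemode(st.st_mode)})")
        with open(path, "rb") as fh:
            head = fh.read(16)
        if not head.startswith(b"-----BEGIN"):
            problems.append(f"{label}: does not look like PEM (starts with {head!r})")
    return problems


def fake_listener(behaviour):
    """Constructed stand-in for a broken listener (test aid, not CouchDB): reads the ClientHello,
    then either closes silently ("close") or answers with plain HTTP ("plain_http")."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def run():
        conn, _ = srv.accept()
        conn.recv(4096)                      # consume the ClientHello so close() sends FIN, not RST
        if behaviour == "plain_http":
            conn.sendall(b"HTTP/1.1 400 Bad Request\r\n\r\n")
        conn.close()
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return port


def closed_port():
    """Pick a local port that is currently not listening (constructed test aid)."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def make_constructed_cert_dir(key_mode=0o600, include_key=True):
    """Write constructed placeholder PEM files into a temp dir; returns (cert, key, owner uid)."""
    d = tempfile.mkdtemp()
    cert, key = os.path.join(d, "cert.pem"), os.path.join(d, "privkey.pem")
    with open(cert, "w") as fh:
        fh.write("-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n")
    if include_key:
        with open(key, "w") as fh:
            fh.write("-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n")
        os.chmod(key, key_mode)
    return cert, key, os.getuid()


if __name__ == "__main__":
    print(parse_s_client(SAMPLE_TRANSCRIPT))
    print(probe_tls("127.0.0.1", fake_listener("close")))
    cert, key, uid = make_constructed_cert_dir()
    print(check_cert_files(cert, key, uid) or "cert files look loadable")
```

Run against the real host with `probe_tls("<server_domain>", 6984)`: `no_tcp` points at the NSG or the bind address, `no_server_hello` (the transcript's case) means the process owning the port accepted the connection and sent nothing, so the TLS side of that listener is what to look at rather than the network path, and `not_tls` means a plain-HTTP listener is on that port.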