I run CouchDB 1.6.1 on Windows Server 2012 R2 64-bit. We usually use nginx to manage SSL, but this time I tried to use CouchDB directly. Our SSL is the GlobalSign protocol, and I have a certificate, a private key, and an intermediate certificate from a provider. I set up my local.ini as follows:
    [daemons]
    ; enable SSL support by uncommenting the following line and supply the PEM below.
    ; the default ssl port CouchDB listens on is 6984
    httpsd = {couch_httpd, start_link, [https]}

    [ssl]
    cert_file = ../ssl/organizational.crt
    key_file = ../ssl/privatekeyfile.key
    ; set to true to validate peer certificates
    ;verify_ssl_certificates = false
    ; Path to file containing PEM encoded CA certificates (trusted
    ; certificates used for verifying a peer certificate). May be omitted if
    ; you do not want to verify the peer.
    cacert_file = ../ssl/intermediate.crt
When I check through curl, I get the following output:
    curl -k -v https://companyURL.com:6984
    * Rebuilt URL to: https://companyURL.com:6984/
    * Hostname was NOT found in DNS cache
    *   Trying IP.IP.IP.IP...
    * Connected to companyURL.com (IP.IP.IP.IP) port 6984 (#0)
    * SSLv3, TLS handshake, Client hello (1):
    * SSLv3, TLS handshake, Server hello (2):
    * SSLv3, TLS handshake, CERT (11):
    * SSLv3, TLS handshake, Server key exchange (12):
    * SSLv3, TLS handshake, Server finished (14):
    * SSLv3, TLS handshake, Client key exchange (16):
    * SSLv3, TLS change cipher, Client hello (1):
    * SSLv3, TLS handshake, Finished (20):
    * SSLv3, TLS change cipher, Client hello (1):
    * SSLv3, TLS handshake, Finished (20):
    * SSL connection using TLSv1.2 / ECDHE-RSA-AES256-SHA384
    * Server certificate:
    *        subject: C=GB; ST=LONDON; L=LONDON; OU=IT; O=COMPANY;CN=*.edge10hosted.org
    *        start date: 2015-03-27 14:18:04 GMT
    *        expire date: 2018-05-03 11:17:17 GMT
    *        issuer: C=BE; O=GlobalSign nv-sa; CN=GlobalSign Organization Validation CA - SHA256 - G2
    *        SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
    > GET / HTTP/1.1
    > User-Agent: curl/7.39.0
    > Host: companyURL.com:6984
    > Accept: */*
    >
    < HTTP/1.1 200 OK
    < Server: CouchDB/1.6.1 (Erlang OTP/R16B02)
    < Date: Tue, 31 Mar 2015 13:00:39 GMT
    < Content-Type: text/plain; charset=utf-8
    < Content-Length: 151
    < Cache-Control: must-revalidate
    <
    {"couchdb":"Welcome","uuid":"34155abcacbffc53e67a224f5f1ea7c7","version":"1.6.1","vendor":{"version":"1.6.1","name":"The Apache Software Foundation"}}
    * Connection #0 to host companyURL.com left intact
And it works perfectly with https://www.sslshopper.com/ssl-checker.html.
The CouchDB logs show:

    SSL: certify: tls_connection.erl:2286:Fatal error: decode error
Any thoughts on what might be the problem, as the certificates work elsewhere and via nginx?
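Before blaming the TLS stack, it is worth confirming that the three PEM files referenced from the [ssl] section are structurally what a PEM-consuming server expects: exactly one certificate in cert_file, one unencrypted private key in key_file, only certificates in cacert_file, decodable base64 bodies, and no UTF-8 BOM (easy to pick up when files are edited on Windows). The checker below is an added example, not code from CouchDB or from the poster; the SAMPLE_* values are constructed stand-ins rather than real key material, and the checks are structural heuristics only, so a clean result does not prove the files will load.

```python
import base64
import re

# Constructed sample inputs (not real keys or certificates): each base64 body is just a
# DER SEQUENCE header, which is enough for the structural checks below to decode.
SAMPLE_CERT = "-----BEGIN CERTIFICATE-----\nMAA=\n-----END CERTIFICATE-----\n"
SAMPLE_KEY_OK = "-----BEGIN RSA PRIVATE KEY-----\nMAA=\n-----END RSA PRIVATE KEY-----\n"
SAMPLE_KEY_ENCRYPTED = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                        "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n\n"
                        "MAA=\n-----END RSA PRIVATE KEY-----\n")
PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)

def parse_pem(text):
    """Split PEM text into (label, headers, der) tuples; der is None when base64 is bad.
    RFC 1421-style headers such as Proc-Type/DEK-Info end at the first blank line."""
    blocks = []
    for m in PEM_RE.finditer(text):
        label, body = m.group(1), m.group(2)
        parts = re.split(r"\r?\n[ \t]*\r?\n", body, maxsplit=1)
        header_text, b64 = parts if len(parts) == 2 else ("", parts[0])
        headers = {k.strip(): v.strip() for k, v in
                   (h.split(":", 1) for h in header_text.splitlines() if ":" in h)}
        try:
            der = base64.b64decode("".join(b64.split()), validate=True)
        except ValueError:
            der = None
        blocks.append((label, headers, der))
    return blocks

def check_ssl_files(cert_text, key_text, cacert_text):
    """Return a list of findings; an empty list means nothing structurally suspicious."""
    findings = []
    for name, text in (("cert_file", cert_text), ("key_file", key_text), ("cacert_file", cacert_text)):
        if text.startswith("\ufeff"):
            findings.append(f"{name}: starts with a UTF-8 BOM; save it as plain ASCII")
        blocks = parse_pem(text)
        if not blocks:
            findings.append(f"{name}: no PEM blocks found")
        for label, _, der in blocks:
            if not der or der[0] != 0x30:   # every X.509 cert and key is a DER SEQUENCE
                findings.append(f"{name}: {label} body is not valid base64 DER")
    certs = [b for b in parse_pem(cert_text) if b[0] == "CERTIFICATE"]
    if len(certs) != 1:
        findings.append(f"cert_file: expected exactly one CERTIFICATE, found {len(certs)}")
    keys = parse_pem(key_text)
    if len(keys) != 1 or not keys[0][0].endswith("PRIVATE KEY"):
        findings.append("key_file: expected exactly one PRIVATE KEY block")
    for label, headers, _ in keys:
        if headers.get("Proc-Type") == "4,ENCRYPTED" or label.startswith("ENCRYPTED"):
            findings.append("key_file: key is passphrase-protected; server needs the passphrase")
    return findings
```

Run it against the real files by reading them with `open(path, encoding="utf-8")` and passing the three strings to `check_ssl_files`; any finding is worth fixing before looking further into the TLS stack.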