Bitnami Couch 3.1.0: cannot connect to 6984 via HTTPS with modern browsers

Keywords: CouchDB - Microsoft Azure - Technical issue - Secure Connections (SSL/HTTPS)
bnsupport ID: dc3eb3fc-db0c-89b3-e6b4-94a02b255cd8
Description:
Using the azure VM image Bitnami CouchDB 3.1.0 latest.
I have opened ports 5984 and 6984 on the Azure firewall. I can get to port 5984 on HTTP and open the Fauxton UI.

I have also configured the server with a valid wildcard certificate and key and intermediate cert. These files have permissions of 600 with the couchdb user as owner, and I have entered the correct settings in local.ini.

I watch the log when the server starts and see it starts up on port 6984. However, Chrome cannot reach the site and Firefox reports “The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.”

Nothing appears in the log (level info) when these HTTP calls are attempted. Thinking this is something to do with the SSL version or TLS 1.2, I go to my old iPad and try Safari: success. I now see Safari hitting the server in the log file (although the page doesn't load properly on my iPad because the Safari version is so old).

What do I need to do to get a modern browser to securely access my server over HTTPS via port 6984?

I see in the headers it is Erlang OTP 22. I searched for TLS errors in that version 22 and found a hit.
https://bugs.erlang.org/browse/ERL-968?jql=project%20%3D%20ERL%20AND%20fixVersion%20%3D%20"21.3.8.5%2C%2022.0.4"

So, I don't know if just upgrading Erlang in the Bitnami build might fix it. Seems worth a try; I'm not familiar with Erlang.

Update: I am also able to open the site with an older version of Internet Explorer. It does therefore seem to be specific to browser support.

Correction: "Nothing appears in the log (level info) when these HTTP calls are attempted" should read:
Nothing appears in the log (level info) when these HTTPS calls are attempted.

Hi @neil_m,

For security reasons it’s strongly recommended to access the server using an SSH tunnel. Could you try connecting to the server in that way? You can find more information regarding the default port configuration for Couchdb on Azure here:

https://docs.bitnami.com/azure/infrastructure/couchdb/get-started/understand-default-ports/

Regards,
Michiel

Hi Michiel,
thanks for responding!

SSH will not be available as it is locked down by a network security group.

This is a production server, with a wide number of support staff who will need to reach it to provide support.

Unfortunately I can see that Networks will not accept this as justification to open SSH. And support will not want to set up an SSH tunnel in the middle of a crisis when in the past they have used a browser directly with no problem. Not even sure some of them will know how.

This version of CouchDB works on platforms other than Bitnami, and it works on older Bitnami CouchDB builds as well (e.g. Couch 2.3.1, Erlang OTP/21). So it is definitely something specific about this Bitnami build.

I think upgrading (or downgrading) Erlang OTP away from version 22 would be a good place to start. If someone can show me how, I would try it on my instance.

Hi @neil_m,

We will investigate it and follow up with further information.

Regards,
Michiel

Hi @neil_m,

I just launched a fresh Bitnami CouchDB instance with CouchDB 3.1.0-3 and could access the 5984 port without problems after configuring the firewall as you did.

The problem is that I also got errors when configuring the HTTPS connection on the server. I followed this guide and couldn't make it work:

https://docs.bitnami.com/aws/infrastructure/couchdb/administration/enable-ssl/

$ curl -LIk https://localhost:6984
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to localhost:6984

Thanks for the suggestion. Our team will review this and update the solution accordingly.

Hi,

I’ve the same problem.

Specs
Platform: Amazon AWS
CouchDB: 3.1.0
Port: 5984 - running, everything is fine

bitnami@ip-10-0-0-93:/opt/bitnami$ curl http://localhost:5984
{"error":"unauthorized","reason":"Authentication required."}

Port: 6984 - error:

bitnami@ip-10-0-0-93:/opt/bitnami$ curl  https://127.0.0.1:6984/
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to 127.0.0.1:6984

Logfile:

bitnami@ip-10-0-0-93:~$ tail -f /opt/bitnami/couchdb/var/log/couch.log 
[info] 2020-07-01T09:50:52.516196Z couchdb@127.0.0.1 <0.239.0> -------- Apache CouchDB has started. Time to relax.

[info] 2020-07-01T09:50:52.516358Z couchdb@127.0.0.1 <0.239.0> -------- Apache CouchDB has started on https://0.0.0.0:6984/
[notice] 2020-07-01T09:50:52.522255Z couchdb@127.0.0.1 <0.291.0> -------- rexi_server : started servers
[notice] 2020-07-01T09:50:52.523376Z couchdb@127.0.0.1 <0.295.0> -------- rexi_buffer : started servers
[notice] 2020-07-01T09:50:52.570167Z couchdb@127.0.0.1 <0.325.0> -------- mem3_reshard_dbdoc start init()
[notice] 2020-07-01T09:50:52.573355Z couchdb@127.0.0.1 <0.327.0> -------- mem3_reshard start init()
[notice] 2020-07-01T09:50:52.573690Z couchdb@127.0.0.1 <0.328.0> -------- mem3_reshard db monitor <0.328.0> starting
[notice] 2020-07-01T09:50:52.575181Z couchdb@127.0.0.1 <0.327.0> -------- mem3_reshard starting reloading jobs
[notice] 2020-07-01T09:50:52.575384Z couchdb@127.0.0.1 <0.327.0> -------- mem3_reshard finished reloading jobs
[notice] 2020-07-01T09:50:57.596891Z couchdb@127.0.0.1 <0.378.0> -------- couch_replicator_clustering : cluster stable
[notice] 2020-07-01T09:50:57.599100Z couchdb@127.0.0.1 <0.404.0> -------- Started replicator db changes listener <0.511.0>
[info] 2020-07-01T09:50:57.599511Z couchdb@127.0.0.1 <0.513.0> -------- open_result error {not_found,no_db_file} for _replicator


[notice] 2020-07-01T09:51:07.522798Z couchdb@127.0.0.1 <0.291.0> -------- rexi_server : cluster stable
[notice] 2020-07-01T09:51:07.522905Z couchdb@127.0.0.1 <0.295.0> -------- rexi_buffer : cluster stable
[notice] 2020-07-01T09:51:36.980338Z couchdb@127.0.0.1 <0.903.0> 5b7d53fe61 slac-online-dev.slot-manager.com:5984 84.144.213.200 undefined GET / 401 ok 16
[notice] 2020-07-01T09:51:38.480721Z couchdb@127.0.0.1 <0.903.0> 6c49093e05 slac-online-dev.slot-manager.com:5984 84.144.213.200 undefined GET / 401 ok 0
[notice] 2020-07-01T09:51:38.701515Z couchdb@127.0.0.1 <0.903.0> 68606ef02e slac-online-dev.slot-manager.com:5984 84.144.213.200 undefined GET /favicon.ico 401 ok 0
[notice] 2020-07-01T12:30:37.782397Z couchdb@127.0.0.1 <0.28195.2> c09baf638f 18.157.255.44:5984 198.199.94.99 undefined GET / 401 ok 0

Configuration file (SSL changes only):

[ssl]

port = 6984
enable = true
cert_file = /opt/bitnami/letsencrypt/certificates/slac-online-dev.slot-manager.com.crt
key_file = /opt/bitnami/letsencrypt/certificates/slac-online-dev.slot-manager.com.key

Do you have any solution?

Regards, Hu3nn1
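The `[ssl]` section above and the original poster's remarks about key permissions and the intermediate certificate are exactly the things worth checking mechanically before a restart. The script below is an added example (not Bitnami's, CouchDB's or either poster's code): it parses a `local.ini` fragment, checks the `enable`, `port`, `cert_file` and `key_file` keys, verifies that the referenced files exist, look PEM-encoded and are readable, and flags a private key that is group- or world-readable. It also reports a missing `cacert_file`, the CouchDB `[ssl]` key for CA certificates, on the assumption that the intermediate certificate is meant to be supplied there; the sample paths and PEM bodies are constructed placeholders.

```python
"""Sanity-check the [ssl] section of a CouchDB local.ini before restarting.

Added example, not Bitnami's or CouchDB's own tooling.
"""
import configparser
import os
import stat
import tempfile

# Constructed sample mirroring the section posted in the thread; the paths are placeholders.
SAMPLE_INI = """
[ssl]
port = 6984
enable = true
cert_file = /opt/bitnami/letsencrypt/certificates/example.crt
key_file = /opt/bitnami/letsencrypt/certificates/example.key
"""


def parse_ssl_section(ini_text):
    """Return the [ssl] section as a plain dict, or {} if it is absent."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    return dict(cp.items("ssl")) if cp.has_section("ssl") else {}


def _has_pem_marker(path, marker):
    """True if the file contains the given PEM header fragment."""
    with open(path, "rb") as fh:
        return marker in fh.read()


def check_ssl_config(ini_text):
    """Return a list of findings; an empty list means nothing obviously wrong."""
    findings = []
    ssl_cfg = parse_ssl_section(ini_text)
    if not ssl_cfg:
        return ["no [ssl] section found"]
    if ssl_cfg.get("enable", "").strip().lower() != "true":
        findings.append("enable is not 'true': CouchDB will not open the HTTPS listener")
    port = ssl_cfg.get("port", "6984").strip()
    if not port.isdigit() or not 0 < int(port) < 65536:
        findings.append("port is not a valid TCP port: %r" % port)
    checks = (
        ("cert_file", b"-----BEGIN CERTIFICATE-----"),
        ("key_file", b"PRIVATE KEY-----"),  # matches RSA, EC and PKCS#8 headers
        ("cacert_file", b"-----BEGIN CERTIFICATE-----"),
    )
    for key, marker in checks:
        path = ssl_cfg.get(key)
        if not path:
            if key == "cacert_file":
                findings.append("cacert_file not set: intermediate CA certificates are not configured")
            else:
                findings.append("%s is not set" % key)
            continue
        if not os.path.isfile(path):
            findings.append("%s does not exist: %s" % (key, path))
            continue
        try:
            if not _has_pem_marker(path, marker):
                findings.append("%s does not look PEM-encoded: %s" % (key, path))
        except PermissionError:
            # A 0600 key owned by couchdb is only readable as couchdb or root.
            findings.append("%s is not readable by this user: %s" % (key, path))
    key_path = ssl_cfg.get("key_file")
    if key_path and os.path.isfile(key_path):
        mode = stat.S_IMODE(os.stat(key_path).st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append("key_file mode is %04o; expected 0600 owned by the couchdb user" % mode)
    return findings


def demo():
    """Check a correct layout, then the same layout with a loosely-permissioned key."""
    with tempfile.TemporaryDirectory() as d:
        cert = os.path.join(d, "server.crt")
        key = os.path.join(d, "server.key")
        # Constructed placeholder PEM bodies; real files come from your CA.
        with open(cert, "w") as fh:
            fh.write("-----BEGIN CERTIFICATE-----\nMIIB...placeholder...\n-----END CERTIFICATE-----\n")
        with open(key, "w") as fh:
            fh.write("-----BEGIN PRIVATE KEY-----\nMIIE...placeholder...\n-----END PRIVATE KEY-----\n")
        os.chmod(key, 0o600)
        ini = "[ssl]\nport = 6984\nenable = true\ncert_file = %s\nkey_file = %s\ncacert_file = %s\n" % (cert, key, cert)
        good = check_ssl_config(ini)
        os.chmod(key, 0o644)  # simulate a key copied in with default permissions
        bad = check_ssl_config(ini)
        return good, bad


if __name__ == "__main__":
    for finding in check_ssl_config(SAMPLE_INI):
        print("-", finding)
```

Run it as the couchdb user (or root) so the key file can be opened; run as anyone else and the key shows up as unreadable, which is the expected result for a correctly locked-down key rather than a configuration fault.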

Output of openssl s_client:

bitnami@ip-10-0-0-93:/opt/bitnami$ openssl s_client -connect localhost:6984
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 283 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
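The s_client output above is the useful clue: the client wrote its 283-byte ClientHello, read 0 bytes, and got the connection reset (`write:errno=104`), which is the same `SSL_ERROR_SYSCALL` curl reported earlier in the thread. A server that completes a handshake for some protocol versions but drops others would be consistent with old Safari and IE getting through while current browsers do not. The script below is an added diagnostic example, not code from the thread or from Bitnami: it pins one TLS version per connection with Python's `ssl` module and classifies each outcome (handshake completed, TLS alert, reset or EOF before any server data, refused, timeout). Certificate verification is deliberately off because the question is whether the handshake completes at all; `HOST` and `PORT` are assumptions to replace with a server you administer, and the demo functions stand up a constructed local peer that resets the connection to reproduce the symptom.

```python
"""Probe which TLS protocol versions a server will complete a handshake for.

Added diagnostic example; not Bitnami's, CouchDB's or the poster's code.
"""
import socket
import ssl
import struct
import threading

# Assumed target; replace with the server under test.
HOST = "127.0.0.1"
PORT = 6984

VERSIONS = [
    ("TLSv1.0", ssl.TLSVersion.TLSv1),
    ("TLSv1.1", ssl.TLSVersion.TLSv1_1),
    ("TLSv1.2", ssl.TLSVersion.TLSv1_2),
    ("TLSv1.3", ssl.TLSVersion.TLSv1_3),
]

# OpenSSL 3 reports a peer that drops the connection mid-handshake as an
# SSLError with this reason rather than raising SSLEOFError.
_EOF_REASONS = {"UNEXPECTED_EOF_WHILE_READING", "EOF occurred in violation of protocol"}


def classify_failure(exc):
    """Map a handshake exception to a short, stable label."""
    if isinstance(exc, ConnectionRefusedError):
        return "refused"  # nothing listening on the port
    if isinstance(exc, (ConnectionResetError, BrokenPipeError)):
        return "reset-during-handshake"  # the errno=104 seen with openssl s_client
    if isinstance(exc, socket.timeout):
        return "timeout"
    if isinstance(exc, ssl.SSLEOFError):
        return "eof-during-handshake"
    if isinstance(exc, ssl.SSLError):
        if (exc.reason or "") in _EOF_REASONS:
            return "eof-during-handshake"
        return "tls-error: %s" % (exc.reason or exc)  # e.g. a protocol_version alert
    if isinstance(exc, ValueError):
        return "unsupported-by-local-openssl"  # this Python/OpenSSL cannot speak that version
    if isinstance(exc, OSError):
        return "os-error: %s" % exc
    return "unexpected: %r" % (exc,)


def probe_version(host, port, version, timeout=5.0):
    """Try one handshake pinned to a single protocol version."""
    try:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False  # handshake only; trust is checked separately
        ctx.verify_mode = ssl.CERT_NONE
        ctx.minimum_version = version
        ctx.maximum_version = version
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return "ok: %s %s" % (tls.version(), tls.cipher()[0])
    except Exception as exc:  # every failure mode is classified, none re-raised
        return classify_failure(exc)


def probe_all(host=HOST, port=PORT):
    """Probe every version in VERSIONS and return {name: outcome}."""
    return {name: probe_version(host, port, ver) for name, ver in VERSIONS}


def _serve_and_reset(listener):
    """Accept one client, read its ClientHello, then send a TCP RST (constructed peer)."""
    conn, _ = listener.accept()
    conn.recv(4096)
    conn.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack("ii", 1, 0))
    conn.close()
    listener.close()


def demo_resetting_server():
    """Run the probe against a local peer that drops the handshake like the thread's server."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    threading.Thread(target=_serve_and_reset, args=(listener,), daemon=True).start()
    return probe_version("127.0.0.1", port, ssl.TLSVersion.TLSv1_2, timeout=3.0)


def demo_closed_port():
    """Run the probe against a port nothing listens on."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return probe_version("127.0.0.1", port, ssl.TLSVersion.TLSv1_2, timeout=3.0)


if __name__ == "__main__":
    for name, result in probe_all().items():
        print("%-8s %s" % (name, result))
```

A row reading `ok` for TLSv1.0 beside `reset-during-handshake` for TLSv1.2 and TLSv1.3 would point at the server's TLS stack (here Erlang OTP 22's ssl application) rather than at the certificate; a `tls-error: ...` label carries the OpenSSL reason, so a local policy that refuses to offer old versions shows up as such instead of being mistaken for a server fault.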

No solution has been provided to the browser issues so far; there is only a workaround, which is to use IE or Safari to get to 6984 (but not Chrome, Firefox, MS Edge etc.).
