Cannot access CouchDB over https (SSL/TLS)

Keywords: CouchDB - Microsoft Azure - How to - Secure Connections (SSL/HTTPS)

Description:
I’ve followed the Bitnami tutorial on how to enable SSL/TLS on CouchDB but I’m unable to access the database on port 6984. I’ve tried using a self-signed certificate as well as a certificate signed by Let’s Encrypt.

Here is my local.ini configuration file:

; CouchDB Configuration Settings
; Custom settings should be made in this file. They will override settings
; in default.ini, but unlike changes made to default.ini, this file won't be
; overwritten on server upgrade.
[couchdb]

; max_document_size = 4294967296 ; bytes
; os_process_timeout = 5000
uuid = 399f9924e0ec016bd0dea66829ad275b

[couch_peruser]

; If enabled, couch_peruser ensures that a private per-user database
; exists for each document in _users. These databases are writable only
; by the corresponding user. Databases are in the following form:
; userdb-{hex encoded username}
; enable = true
; If set to true and a user is deleted, the respective database gets
; deleted as well.
; delete_dbs = true
; Set a default q value for peruser-created databases that is different from
; cluster / q
; q = 1
[chttpd]

 port = 5984
 bind_address = 0.0.0.0
; Options for the MochiWeb HTTP server.
; server_options = [{backlog, 128}, {acceptor_pool_size, 16}]
; For more socket options, consult Erlang's module 'inet' man page.
; socket_options = [{sndbuf, 262144}, {nodelay, true}]
[httpd]

; NOTE that this only configures the "backend" node-local port, not the
; "frontend" clustered port. You probably don't want to change anything in
; this section.
; Uncomment next line to trigger basic-auth popup on unauthorized requests.
; WWW-Authenticate = Basic realm="administrator"
; Uncomment next line to set the configuration modification whitelist. Only
; whitelisted values may be changed via the /_config URLs. To allow the admin
; to change this value over HTTP, remember to include {httpd,config_whitelist}
; itself. Excluding it from the list would require editing this file to update
; the whitelist.
; config_whitelist = [{httpd,config_whitelist}, {log,level}, {etc,etc}]
enable_cors = true
bind_address = 0.0.0.0
port = 5986

[couch_httpd_auth]

; If you set this to true, you should also uncomment the WWW-Authenticate line
; above. If you don't configure a WWW-Authenticate header, CouchDB will send
; Basic realm="server" in order to prevent you getting logged out.
; require_valid_user = false
secret = 70b48b18ca2937a57ff327ab1901fbab

[daemons]
httpsd = {chttpd, start_link, [https]}

[ssl]

enable = true
port = 6984
cert_file = /opt/bitnami/couchdb/etc/server.crt
key_file = /opt/bitnami/couchdb/etc/server.key
; password = somepassword
; set to true to validate peer certificates
;verify_ssl_certificates = true
; Set to true to fail if the client does not send a certificate. Only used if verify_ssl_certificates is true.
; fail_if_no_peer_cert = false
; Path to file containing PEM encoded CA certificates (trusted
; certificates used for verifying a peer certificate). May be omitted if
; you do not want to verify the peer.
;cacert_file = /full/path/to/cacertf
; The verification fun (optional) if not specified, the default
; verification fun will be used.
; verify_fun = {Module, VerifyFun}
; maximum peer certificate depth
; ssl_certificate_max_depth = 1
; 
; Reject renegotiations that do not live up to RFC 5746.
; secure_renegotiate = true
; The cipher suites that should be supported.
; Can be specified in erlang format "{ecdhe_ecdsa,aes_128_cbc,sha256}"
; or in OpenSSL format "ECDHE-ECDSA-AES128-SHA256".
; ciphers = ["ECDHE-ECDSA-AES128-SHA256", "ECDHE-ECDSA-AES128-SHA"]
; The SSL/TLS versions to support
; tls_versions = [tlsv1, 'tlsv1.1', 'tlsv1.2']
; To enable Virtual Hosts in CouchDB, add a vhost = path directive. All requests to
; the Virtual Host will be redirected to the path. In the example below all requests
; to http://example.com/ are redirected to /database.
; If you run CouchDB on a specific port, include the port number in the vhost:
; example.com:5984 = /database
[vhosts]

; example.com = /database/
; To create an admin account uncomment the '[admins]' section below and add a
; line in the format 'username = password'. When you next start CouchDB, it
; will change the password to a hash (so that your passwords don't linger
; around in plain-text files). You can add more admin accounts with more
; 'username = password' lines. Don't forget to restart CouchDB after
; changing this.
[admins]
admin = -pbkdf2-d46cf18c82e25475e873ca31cc62cd273bbfad00,c61ec88c7079d35c2d8e3b97514ddcdb,10

[cors]
headers = accept, authorization, content-type, origin, referer
origins = *
credentials = true
methods = GET, PUT, POST, HEAD, DELETE
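A diagnostic script for the setup described in this post, added here as an example (it is not the poster's code or part of the Bitnami image): it parses the [daemons], [ssl] and [cors] sections of a local.ini like the one above, flags settings that would keep the HTTPS listener from coming up or from being usable, and probes the port to tell "nothing reachable" apart from "listener up but TLS handshake fails". SAMPLE_INI is a constructed excerpt of the posted file; host, port and file paths are whatever you pass in.

```python
import configparser, os, socket, ssl

# Constructed excerpt mirroring the [daemons]/[ssl]/[cors] sections of the local.ini in the post.
SAMPLE_INI = """\
[daemons]
httpsd = {chttpd, start_link, [https]}
[ssl]
enable = true
port = 6984
cert_file = /opt/bitnami/couchdb/etc/server.crt
key_file = /opt/bitnami/couchdb/etc/server.key
[cors]
origins = *
credentials = true
"""

def load_ini(text):
    # CouchDB ini files use ';' comments and may indent keys (see the post's [chttpd] section).
    cp = configparser.ConfigParser(comment_prefixes=(";", "#"), inline_comment_prefixes=(";",), interpolation=None, strict=False, empty_lines_in_values=False)
    cp.read_string(text)
    return cp

def check_config(cp, check_files=True):
    """Static checks on the HTTPS listener settings; returns a list of findings (empty = nothing obvious)."""
    findings = []
    if not cp.has_option("daemons", "httpsd"):
        findings.append("[daemons] httpsd is missing, so no HTTPS listener is started")
    for key in ("cert_file", "key_file"):
        path = cp.get("ssl", key, fallback="")
        if not path or (check_files and not os.access(path, os.R_OK)):
            findings.append(f"[ssl] {key} is unset or not readable by this process: {path!r}")
    if cp.get("cors", "origins", fallback="") == "*" and cp.getboolean("cors", "credentials", fallback=False):
        findings.append("[cors] origins = * with credentials = true is rejected by browsers")
    return findings

def probe_tls(host, port, verify=True, timeout=5.0):
    """Live check: tells 'nothing reachable on the port' apart from 'listener up but handshake fails'."""
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return "connect_failed", str(exc)  # CouchDB not listening, or a firewall/Azure NSG rule in front of it
    ctx = ssl.create_default_context()
    if not verify:  # only while diagnosing a self-signed certificate; leave verification on otherwise
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return "ok", tls.version()
    except ssl.SSLError as exc:
        return "handshake_failed", str(exc)
```

Run check_config on the server itself, under the account CouchDB runs as and against the real local.ini (path is yours to supply), so the readability check reflects that account's permissions on server.crt and server.key.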

Hello @rodrigo.arroyo,

Thank you for creating this ticket in the forum, however, this is not a “How To” question, this is a technical issue with the services inside the Bitnami solution. Please create a new ticket in the forum using the “Technical issue” option when clicking on “+ New Topic”.

If you get any errors adding the bndiagnostic ticket ID when creating a “Technical issue” topic, please upgrade our bndiagnostic-tool. To do so, please download the latest version and run the tool again so that it generates a new ID.

Regards,
Francisco de Paz
