Enable SSL on couchdb Connection Refused

Keywords: CouchDB - AWS - Technical issue - Connectivity (SSH/FTP)
bnsupport ID: f90e33cd-531c-d15e-5221-2c440a622c31
Description:
I have successfully connected without SSL, but can’t connect with it:
For my AWS Instance “Security Group” I opened “all traffic” to my source Debian Linux server (Cloudways) IP

Followed these instructions:
https://docs.bitnami.com/aws/infrastructure/couchdb/administration/enable-ssl/
Keep it simple for now and use the self-signed certificate, so leave the cacert_file line commented out
Restarted the couchdb server as per last instruction and I double checked my changes
From Cloudways, use the same command as without SSL, except change port from 5984 to 6984 (Also same PEM key)
https://docs.bitnami.com/google/faq/get-started/access-ssh-tunnel/
ssh -N -L 3000:127.0.0.1:6984 -i /home/master/.ssh/bitnami-aws-998353243413.pem bitnami@18.214.95.156
Check my connection: fuser 3000/tcp
Shows: 3000/tcp: 4260
Try to connect (substitute my password in for ‘Password’):
curl https://admin:Password@18.214.95.156:6984
(7) Failed to connect to 18.214.95.156 port 6984: Connection refused

Changes to local.ini:
[daemons]
httpsd = {couch_httpd, start_link, [https]}
[ssl]
cert_file = /opt/bitnami/couchdb/conf/server.crt
key_file = /opt/bitnami/couchdb/conf/server.key

Maybe I messed up creating the self signed certificate?
https://docs.bitnami.com/aws/apps/trac/administration/create-ssl-certificate-apache/
I changed the directory from apache2 to couchdb
sudo openssl genrsa -out /opt/bitnami/couchdb/conf/server.key 2048
sudo openssl req -new -key /opt/bitnami/couchdb/conf/server.key -out /opt/bitnami/couchdb/conf/cert.csr
sudo openssl x509 -in /opt/bitnami/couchdb/conf/cert.csr -out /opt/bitnami/couchdb/conf/server.crt -req -signkey /opt/bitnami/couchdb/conf/server.key -days 365

For FQDN, I put www.mydomainname.com. I have an “A Record” entry in dnsmadeeasy.com with Name=www
Left the Challenge password blank
After last command above, got “Signature ok”
Restarted couchdb again
The files are there:
cert.csr, server.crt, server.key

Maybe extra entries in local.ini file mess it up?
I just don’t know where to go from here.
Thanks.

Hi @jhchadwick63,

We are going to reproduce your configuration to try to reproduce the issue. Could you please share the content of the /opt/bitnami/couchdb/etc/local.ini file and the output of this command:

sudo ls -la /opt/bitnami/couchdb/conf/

So we can review your current configuration while testing the changes.

$ sudo ls -la /opt/bitnami/couchdb/conf/
total 20
drwxr-xr-x  2 root root 4096 Dec 18 21:07 .
drwxr-xr-x 12 root root 4096 Oct 30 18:18 ..
-rw-r--r--  1 root root 1033 Dec 18 21:01 cert.csr
-rw-r--r--  1 root root 1265 Dec 18 21:07 server.crt
-rw-r--r--  1 root root 1679 Dec 18 20:38 server.key

=============================================================

; CouchDB Configuration Settings

; Custom settings should be made in this file. They will override settings
; in default.ini, but unlike changes made to default.ini, this file won't be
; overwritten on server upgrade.

[couchdb]
database_dir=/opt/bitnami/couchdb/var/lib/couchdb
view_index_dir=/opt/bitnami/couchdb/var/lib/couchdb
plugin_dir=/opt/bitnami/couchdb/lib/couchdb/plugins
;max_document_size = 4294967296 ; bytes
;os_process_timeout = 5000
uuid = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

[couch_peruser]
; If enabled, couch_peruser ensures that a private per-user database
; exists for each document in _users. These databases are writable only
; by the corresponding user. Databases are in the following form:
; userdb-{hex encoded username}
;enable = true
; If set to true and a user is deleted, the respective database gets
; deleted as well.
;delete_dbs = true
; Set a default q value for peruser-created databases that is different from
; cluster / q
;q = 1
enable = true
delete_dbs = true

[chttpd]
port=5984
bind_address=0.0.0.0
; Options for the MochiWeb HTTP server.
;server_options = [{backlog, 128}, {acceptor_pool_size, 16}]
; For more socket options, consult Erlang's module 'inet' man page.
;socket_options = [{recbuf, 262144}, {sndbuf, 262144}, {nodelay, true}]

require_valid_user=true
[httpd]
; NOTE that this only configures the "backend" node-local port, not the
; "frontend" clustered port. You probably don't want to change anything in
; this section.
; Uncomment next line to trigger basic-auth popup on unauthorized requests.
WWW-Authenticate=Basic realm="Administrator"

; Uncomment next line to set the configuration modification whitelist. Only
; whitelisted values may be changed via the /_config URLs. To allow the admin
; to change this value over HTTP, remember to include {httpd,config_whitelist}
; itself. Excluding it from the list would require editing this file to update
; the whitelist.
;config_whitelist = [{httpd,config_whitelist}, {log,level}, {etc,etc}]
enable_cors = true

[query_servers]
javascript=/opt/bitnami/couchdb/bin/couchjs /opt/bitnami/couchdb/share/server/main.js
coffeescript=/opt/bitnami/couchdb/bin/couchjs /opt/bitnami/couchdb/share/server/main-coffee.js
;nodejs = /usr/local/bin/couchjs-node /path/to/couchdb/share/server/main.js

[couch_httpd_auth]
secret=91894383d148498c340f5721ef5ade31
; If you set this to true, you should also uncomment the WWW-Authenticate line
; above. If you don't configure a WWW-Authenticate header, CouchDB will send
; Basic realm="server" in order to prevent you getting logged out.
; require_valid_user = false

require_valid_user=true
allow_persistent_cookies = true
timeout = 60000

[daemons]
; enable SSL support by uncommenting the following line and supply the PEM's below.
; the default ssl port CouchDB listens on is 6984
httpsd =  {couch_httpd, start_link, [https]}

[ssl]
port=6984
cert_file = /opt/bitnami/couchdb/conf/server.crt
key_file = /opt/bitnami/couchdb/conf/server.key
;password = somepassword
; set to true to validate peer certificates
;verify_ssl_certificates = false
; Set to true to fail if the client does not send a certificate. Only used if verify_ssl_certificates is true.
;fail_if_no_peer_cert = false
; Path to file containing PEM encoded CA certificates (trusted
; certificates used for verifying a peer certificate). May be omitted if
; you do not want to verify the peer.
;cacert_file = /full/path/to/cacertf
; The verification fun (optional) if not specified, the default
; verification fun will be used.
;verify_fun = {Module, VerifyFun}
; maximum peer certificate depth
;ssl_certificate_max_depth = 1
;
; Reject renegotiations that do not live up to RFC 5746.
;secure_renegotiate = true
; The cipher suites that should be supported.
; Can be specified in erlang format "{ecdhe_ecdsa,aes_128_cbc,sha256}"
; or in OpenSSL format "ECDHE-ECDSA-AES128-SHA256".
;ciphers = ["ECDHE-ECDSA-AES128-SHA256", "ECDHE-ECDSA-AES128-SHA"]
; The SSL/TLS versions to support
;tls_versions = [tlsv1, 'tlsv1.1', 'tlsv1.2']

; To enable Virtual Hosts in CouchDB, add a vhost = path directive. All requests to
; the Virtual Host will be redirected to the path. In the example below all requests
; to http://example.com/ are redirected to /database.
; If you run CouchDB on a specific port, include the port number in the vhost:
; example.com:5984 = /database
[vhosts]
;example.com = /database/

; To create an admin account uncomment the '[admins]' section below and add a
; line in the format 'username = password'. When you next start CouchDB, it
; will change the password to a hash (so that your passwords don't linger
; around in plain-text files). You can add more admin accounts with more
; 'username = password' lines. Don't forget to restart CouchDB after
; changing this.
[admins]
admin = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
;admin = mysecretpassword

[cors]
credentials = true
headers = accept, authorization, content-type, origin, referer
methods = GET, PUT, POST, HEAD, DELETE
origins = *

Hi @jhchadwick63,

I just followed our guide to enable HTTPS and found this:

  • There isn’t any daemons section, so that step can be skipped
[daemons]
httpsd =  {couch_httpd, start_link, [https]}
  • You didn’t set the cacert_file variable. I only needed to change the ssl section to enable SSL. These are the changes I made:
[ssl]
port=6984
enable = true
cert_file = /opt/bitnami/couchdb/conf/server.crt
key_file = /opt/bitnami/couchdb/conf/server.key
;password = somepassword
; set to true to validate peer certificates
;verify_ssl_certificates = false
; Set to true to fail if the client does not send a certificate. Only used if verify_ssl_certificates is true.
;fail_if_no_peer_cert = false
; Path to file containing PEM encoded CA certificates (trusted
; certificates used for verifying a peer certificate). May be omitted if
; you do not want to verify the peer.
cacert_file = /opt/bitnami/common/openssl/certs/curl-ca-bundle.crt

Then, I restarted CouchDB


I’ll notify our documentation team to update this section once you confirm this works for you.

Thanks

Although I don’t think it matters, I commented back out:
; httpsd = {couch_httpd, start_link, [https]}
In the SSL section, I added:
enable = true
Although in the documentation at:
https://docs.bitnami.com/aws/infrastructure/couchdb/administration/enable-ssl/
it states “…you should get new certificates…” but I’m using self signed. However, you said to uncomment and add that line, so I did, and yes that curl-ca-bundle.crt file is there.
Rebooted server (I guess it still starts at port 5984):
couchdb stopped
couchdb started at port 5984
I connected from my Cloudways using port 6984:
ssh -N -L 3000:127.0.0.1:6984 -i /home/master/.ssh/bitnami-aws-998353243413.pem bitnami@18.214.95.156
Then using curl try to connect, again using port 6984 (of course I use my actual password):
curl https://admin:MYPASSWORD@18.214.95.156:6984
However, I still immediately get “Connection refused”
Note without SSL, it still works:
curl http://admin:MYPASSWORD@18.214.95.156:5984
{"couchdb":"Welcome","version":"2.2.0",…

Thanks

The contents of local.ini are a cut and paste from copying the file to local, so you can see I got the changes correct:
[daemons]
; enable SSL support by uncommenting the following line and supply the PEM’s below.
; the default ssl port CouchDB listens on is 6984
; httpsd = {couch_httpd, start_link, [https]}

[ssl]
port=6984
enable = true
cert_file = /opt/bitnami/couchdb/conf/server.crt
key_file = /opt/bitnami/couchdb/conf/server.key
;password = somepassword
; set to true to validate peer certificates
;verify_ssl_certificates = false
; Set to true to fail if the client does not send a certificate. Only used if verify_ssl_certificates is true.
;fail_if_no_peer_cert = false
; Path to file containing PEM encoded CA certificates (trusted
; certificates used for verifying a peer certificate). May be omitted if
; you do not want to verify the peer.
cacert_file = /opt/bitnami/common/openssl/certs/curl-ca-bundle.crt

Hold on, reading:
https://docs.bitnami.com/aws/apps/trac/administration/create-ssl-certificate-apache/
Don’t I have to change my key file from the original?
bitnami-aws-998353243413.pem
I have to upload another one to my cloudways server, it looks like it will be called privkey.pem?
This will be matched up with the key on the bitnami server.
Please confirm. Thanks.

So I followed instructions at:
https://docs.bitnami.com/aws/apps/trac/administration/create-ssl-certificate-apache/
I created the privkey.pem and copied to my Cloudways server. I then adjusted permissions and tried from my Cloudways server.
ssh -N -L 3000:127.0.0.1:6984 -i /home/master/.ssh/privkey.pem bitnami@18.214.95.156
I enter the passphrase (no mistake, copy and pasted it) and get:
Permission denied (publickey)
Why does it say this is a public key? This is a private key, isn’t it?

I spent hours on this getting nowhere. Your documents at
https://docs.bitnami.com/oci/how-to/troubleshoot-ssh-issues/
in regards to “Permission denied (publickey)” state:
IP address of the server. Check that the IP address hasn’t changed by referring to your cloud provider control panel.
Username. Bitnami instances come with the user bitnami.
Key-pair used to create the instance

I noticed that sudo openssl rsa -in privkey.pem -out /opt/bitnami/couchdb/conf/server.key
does not change the server.key. I kept the original from the first step and compared - both files are identical.

Is anything wrong with the creation of my key? I didn’t fill out every field, but the ones omitted appeared optional, like “Challenge password” as I pointed out before.

Please help. The site must have SSL. This must be solved.

Hi @jhchadwick63,
I think you are mixing two different things. One is the connection to the SSH port, for which you need the bitnami-aws-998353243413.pem file, and the other is enabling SSL in CouchDB, for which you need to generate a new certificate (e.g. a self-signed one).
Then, you need to start a tunnel with the ssh -N -L 3000:127.0.0.1:6984 … command. This will open a tunnel between your local 3000 port and the server 6984 port. To access the server you need to point your browser to https://localhost:3000, as you can see in @jota’s comment.

Hope this makes sense for you.

Best regards,
Rafael Rios

GOT IT!

Thanks for getting back to me. I was confused. However, after getting back to using the correct pem file it still did not work.
I checked the version of CouchDB on my instance:
https://aws.bitnami.com/vms/bitnami-couchdb-cf-fcb0
Version 2.2
https://docs.couchdb.org/en/2.2.0/config/http.html?highlight=ssl
See 3.5.2. Secure Socket Level Options
You must have this line:
[daemons]
httpsd = {chttpd, start_link, [https]}
IMPORTANT: The first variable must be chttpd, not couch_httpd as per your docs at:
https://docs.bitnami.com/aws/infrastructure/couchdb/administration/enable-ssl/
This is what I had wrong in the beginning. This was the problem!

In Version 2.3 you don’t have
[daemons]
Also, it states to include:
[ssl]
enable = true

Note: As per couchdb docs, don’t chmod the key and crt file to 600 from 644. It makes it not work.

Please update your docs.

Thanks jota and rafaelrios,

So this now works from my Cloudways server:
curl -k https://admin:MyPassword@18.214.95.156:6984
Note “-k” causes the warning to be bypassed as I am using a self signed certificate.
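As an added example (not from the thread, Bitnami's docs or CouchDB itself), a small Python checker for the two local.ini settings that turned out to matter on CouchDB 2.2: the [daemons] httpsd entry naming chttpd rather than couch_httpd, and [ssl] enable = true. The two ini snippets are constructed from the thread's before and after configurations.

```python
"""Check a CouchDB 2.2 local.ini for the HTTPS listener settings discussed above."""
import configparser

# Constructed sample: the original post's config, which points the HTTPS
# daemon at couch_httpd and never sets [ssl] enable.
BROKEN_INI = """
[daemons]
httpsd = {couch_httpd, start_link, [https]}

[ssl]
port=6984
cert_file = /opt/bitnami/couchdb/conf/server.crt
key_file = /opt/bitnami/couchdb/conf/server.key
"""

# Constructed sample: the settings that finally worked (per the CouchDB 2.2 docs).
FIXED_INI = """
[daemons]
httpsd = {chttpd, start_link, [https]}

[ssl]
port=6984
enable = true
cert_file = /opt/bitnami/couchdb/conf/server.crt
key_file = /opt/bitnami/couchdb/conf/server.key
"""

def parse_ini(text):
    # CouchDB ini files use ';' comments; disable interpolation so values
    # containing '%' are left alone, and tolerate repeated keys.
    cp = configparser.ConfigParser(interpolation=None,
                                   comment_prefixes=(";", "#"),
                                   inline_comment_prefixes=(";",),
                                   strict=False)
    cp.read_string(text)
    return cp

def check_https_config(text):
    """Return a list of findings; an empty list means the 6984 listener should start."""
    cp = parse_ini(text)
    findings = []
    httpsd = cp.get("daemons", "httpsd", fallback="")
    if "couch_httpd" in httpsd:
        findings.append("daemons.httpsd must use chttpd, not couch_httpd, on CouchDB 2.x")
    elif "chttpd" not in httpsd:
        findings.append("daemons.httpsd missing; CouchDB 2.2 needs {chttpd, start_link, [https]}")
    if not cp.getboolean("ssl", "enable", fallback=False):
        findings.append("ssl.enable must be true")
    for key in ("cert_file", "key_file"):
        if not cp.get("ssl", key, fallback=""):
            findings.append(f"ssl.{key} is not set")
    return findings
```

Run it against a copy of /opt/bitnami/couchdb/etc/local.ini before restarting CouchDB; a "Connection refused" on 6984 with an empty findings list points at the security group or the tunnel rather than the ini file.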

Hi @jhchadwick63,
Thank you very much.
I have added the task for changing documentation to the documentation team’s backlog.

Best regards,
Rafael Rios Saavedra.

Hello. We have now updated our documentation with this information at https://docs.bitnami.com/aws/infrastructure/couchdb/administration/enable-ssl/ and https://docs.bitnami.com/aws/infrastructure/couchdb/administration/create-ssl-certificate-couchdb/