Generate And Install A Let's Encrypt SSL Certificate For A Bitnami App

Keywords: CouchDB - AWS - Technical issue - Secure Connections (SSL/HTTPS)
bnsupport ID: 4d55f6b5-b831-3b20-c33d-3a100abf0cab
Description:
Followed:
https://docs.bitnami.com/aws/how-to/generate-install-lets-encrypt-ssl/

I believe I have all the assumptions correct. The proof:
Good: https://www.whatsmydns.net/#A/www.ppcjsondata.com
Good: https://whatsmydns.net/#A/www.ppcjsondata.com
AWS Route 53 dns entries complete and those created NameServers entered at my domain host namecheap.com.

Regarding the screen shot for “An example certificate is shown below:”
I did not get that. I did get a file DOMAIN.json (ppcjsondata.com.json) containing:
"domain": "ppcjsondata.com",
"certUrl": "https://acme-v02.api.letsencrypt.org/acme/cert/034abcead462d90c737071bf9c1a18174ae8",
"certStableUrl": "https://acme-v02.api.letsencrypt.org/acme/cert/034abcead462d90c737071bf9c1a18174ae8"

Output of this line copied below, but looks good to me:
sudo lego --email="admin@ppcjsondata.com" --domains="ppcjsondata.com" --domains="www.ppcjsondata.com" --path="/etc/lego" run

Regarding “Step 3: Configure The Web Server To Use The Let’s Encrypt Certificate”
I guessed I use “Apache”, not “NGINX”, since no NGINX folder exists:
(All these lines worked, except I had no server.csr file, just a cert.csr file, I renamed it anyway)

sudo mv /opt/bitnami/couchdb/conf/server.crt /opt/bitnami/couchdb/conf/server.crt.old
sudo mv /opt/bitnami/couchdb/conf/server.key /opt/bitnami/couchdb/conf/server.key.old
sudo mv /opt/bitnami/couchdb/conf/cert.csr /opt/bitnami/couchdb/conf/cert.csr.old
sudo ln -s /etc/lego/certificates/ppcjsondata.com.key /opt/bitnami/couchdb/conf/server.key
sudo ln -s /etc/lego/certificates/ppcjsondata.com.crt /opt/bitnami/couchdb/conf/server.crt
sudo chown root:root /opt/bitnami/couchdb/conf/server*
sudo chmod 600 /opt/bitnami/couchdb/conf/server*

Step 4: Test The Configuration
This part makes no sense to me. Why would there be a document at this domain? This is just for my CouchDB data.
So this returns nothing: https://www.ppcjsondata.com, https://ppcjsondata.com
I can ping www.ppcjsondata.com and ppcjsondata.com and get my bitnami IP 18.214.95.156:6984 returned.
No SSL certificate is found:
https://www.sslshopper.com/ssl-checker.html#hostname=www.ppcjsondata.com

There is something I don’t get.

I ran the diagnostic tool: 4d55f6b5-b831-3b20-c33d-3a100abf0cab

Note:
As per https://docs.couchdb.org/en/2.2.0/config/http.html?highlight=ssl instructions
File: local.ini:
change from:
cacert_file = /opt/bitnami/common/openssl/certs/curl-ca-bundle.crt
to:
cacert_file = /etc/ssl/certs/ca-certificates.crt

Thanks guys.

bitnami@ip-172-31-31-100:/opt/bitnami$ sudo lego --email="admin@ppcjsondata.com" --domains="ppcjsondata.com" --domains="www.ppcjsondata.com" --path="/etc/lego" run
2018/12/27 18:43:46 No key found for account admin@ppcjsondata.com. Generating a curve P384 EC key.
2018/12/27 18:43:46 Saved key to /etc/lego/accounts/acme-v02.api.letsencrypt.org/admin@ppcjsondata.com/keys/admin@ppcjsondata.com.key
2018/12/27 18:43:46 Please review the TOS at https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf
2018/12/27 18:43:46 Do you accept the TOS? Y/n
Y
2018/12/27 18:43:49 [INFO] acme: Registering account for admin@ppcjsondata.com
2018/12/27 18:43:49 !!! HEADS UP !!!
2018/12/27 18:43:49
Your account credentials have been saved in your Let’s Encrypt
configuration directory at “/etc/lego/accounts/acme-v02.api.letsencrypt.org/admin@ppcjsondata.com”.
You should make a secure backup of this folder now. This
configuration directory will also contain certificates and
private keys obtained from Let’s Encrypt so making regular
backups of this folder is ideal.
2018/12/27 18:43:49 [INFO] [ppcjsondata.com, www.ppcjsondata.com] acme: Obtaining bundled SAN certificate
2018/12/27 18:43:50 [INFO] [ppcjsondata.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz/cCBJe3v9SQc3T7KGTY2vt6xpbyp_IGzOV9ygw_ondYQ
2018/12/27 18:43:50 [INFO] [www.ppcjsondata.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz/M5D0V55ZQDI8j-yU7iSFlW-NlgJoZqZgAW3kUSZ_06E
2018/12/27 18:43:50 [INFO] [ppcjsondata.com] acme: Trying to solve TLS-ALPN-01
2018/12/27 18:43:55 [INFO] [ppcjsondata.com] The server validated our request
2018/12/27 18:43:55 accept tcp [::]:443: use of closed network connection
2018/12/27 18:43:55 [INFO] [www.ppcjsondata.com] acme: Trying to solve TLS-ALPN-01
2018/12/27 18:44:01 [INFO] [www.ppcjsondata.com] The server validated our request
2018/12/27 18:44:01 accept tcp [::]:443: use of closed network connection
2018/12/27 18:44:01 [INFO] [ppcjsondata.com, www.ppcjsondata.com] acme: Validations succeeded; requesting certificates
2018/12/27 18:44:02 [INFO] [ppcjsondata.com] Server responded with a certificate.

Regarding the screen shot for “An example certificate is shown below:”
I did not get that. I did get a file DOMAIN.json (ppcjsondata.com.json) containing:

You need to download the file and save it as a .crt file.

The screenshot refers to what a user accessing the page would see in their web browser, once the web server is configured to use that certificate. That means you would need to finish step 3 to get that.

Regarding “Step 3: Configure The Web Server To Use The Let’s Encrypt Certificate”
I guessed I use “Apache”, not “NGINX”, since no NGINX folder exists:
(All these lines worked, except I had no server.csr file, just a cert.csr file, I renamed it anyway)

No, you are not using Apache but CouchDB, which is a different service. We do not bundle Apache in the CouchDB stack.

Once you have placed the .crt and .key files in the proper location (which you already did), you need to follow this guide for configuring SSL for CouchDB: https://docs.bitnami.com/aws/infrastructure/couchdb/administration/enable-ssl/

Thanks so much for clearing that up. I didn’t realize bitnami was a server “instead of” the apache server.
So very carefully I followed those instructions at:
https://docs.bitnami.com/aws/infrastructure/couchdb/administration/enable-ssl/

Still not working, getting “Connection refused”, but we are closing in on resolving this.
I checked the couchdb v2.2 (different than v2.3) documentation at:
https://docs.couchdb.org/en/2.2.0/config/http.html?highlight=ssl
I noticed differences with Bitnami’s instructions. Specifically:
[daemons]
httpsd = {chttpd, start_link, [https]}

  • Note “chttpd”, Bitnami documentation shows “couch_httpd”
    I changed to chttpd, rebooted couchdb and tried again. Now I get:
    “Unknown SSL protocol error in connection to…”
    Doesn’t that look better?
    Next, see:
    cacert_file = /etc/ssl/certs/ca-certificates.crt
  • Bitnami documentation shows: /full/path/to/cacertf
    It does not matter what I change the cacert_file value to, I get the same result.
    When I try connecting with curl:
    curl -vsk https://admin:MyPassword@18.214.95.156:6984 (for “MyPassword” I use my actual password)
    I get:
    * successfully set certificate verify locations:
    *   CAfile: none
        CApath: /etc/ssl/certs
    * SSLv3, TLS handshake, Client hello (1):
    * Unknown SSL protocol error in connection to 18.214.95.156:6984
    * Closing connection 0

Besides not working, this makes no sense to me:
cacert_file = /full/path/to/cacertf

couchdb 2.2 docs on the cacert_file:
The path to a file containing PEM encoded CA certificates. The CA certificates are used to build the server certificate chain, and for client authentication. Also the CAs are used in the list of acceptable client CAs passed to the client when a certificate is requested.

Not sure if I am going down the correct road. I create a csr file:
sudo openssl req -new -key /opt/bitnami/couchdb/conf/server.key -out /opt/bitnami/couchdb/conf/cert.csr
I need an organization name…must be registered with some authority at the national, state, or city level.
Paste results into:
https://secure.instantssl.com/products/SSLIdASignup1a

It must be simpler. Everybody has to use SSL these days. If I could pay some kind of support to resolve this I would. It is draining my time.

Hi @jhchadwick63, you are totally right. The current instructions are wrong.

In the meantime, you can get SSL working in CouchDB by following these steps in a clean installation:

  • Edit /opt/bitnami/couchdb/etc/local.ini:

    • Set the following parameters:

          [ssl]
          enable = true
          cert_file = /opt/bitnami/couchdb/conf/server.crt
          key_file = /opt/bitnami/couchdb/conf/server.key
      
  • Ensure you have server.key and server.crt inside /opt/bitnami/couchdb/conf. If not, you can temporarily generate self-signed certificates in the following way:

         sudo openssl genrsa -out /opt/bitnami/couchdb/conf/server.key 2048
         sudo openssl req -new -key /opt/bitnami/couchdb/conf/server.key -out /opt/bitnami/couchdb/conf/cert.csr
         sudo openssl x509 -in /opt/bitnami/couchdb/conf/cert.csr -out /opt/bitnami/couchdb/conf/server.crt -req -signkey /opt/bitnami/couchdb/conf/server.key -days 365
    

Once you have Let’s Encrypt certificates, follow the steps to generate the Lego certificates and place them in the folder mentioned above.

We’ll work on updating the documentation to support the latest releases.

Regarding:
https://docs.bitnami.com/aws/infrastructure/couchdb/administration/enable-ssl/

This is nonsense, uncommenting will get one nowhere:
;cacert_file = /full/path/to/cacertf

Again, I suspect I follow this, even though I know we are on a Bitnami server and not an Apache server:
https://docs.bitnami.com/aws/apps/trac/administration/create-ssl-certificate-apache/
Note I run this command:
sudo openssl req -new -key /opt/bitnami/apache2/conf/server.key -out /opt/bitnami/apache2/conf/cert.csr
Then I “Send cert.csr to the certificate authority.” like Comodo (free for first 2 months)

Maybe you can check with a senior tech person so we can quickly wrap this up.

Thanks.

Hi @jhchadwick63, as I mentioned in my previous comment, the instructions in https://docs.bitnami.com/aws/infrastructure/couchdb/administration/enable-ssl/ are wrong and therefore you should follow the instructions I posted instead.

If you already did, please let us know if you’re still facing the same issues. We were able to get CouchDB properly working with SSL with these steps: Generate And Install A Let's Encrypt SSL Certificate For A Bitnami App

I did follow those instructions. Sure I got a self signed certificate to work weeks ago. That is when I first discovered the error in documentation.

So I got a certificate from Comodo. To match the line I uncommented:
cacert_file = /etc/ssl/certs/ca-certificates.crt
I renamed my comodo issued certificate to that name and put it there. Is this correct?

The instructions at comodo may or may not apply since this is a bitnami server, not an apache server. Do I follow their instructions?
https://support.comodoca.com/Com_KnowledgeDetailPage?Id=kA01N000000zFJ3

When I try connecting I get Unknown SSL protocol:
curl -vsk https://admin:mypassword@18.214.95.156:6984

    * Hostname was NOT found in DNS cache
    *   Trying 18.214.95.156...
    * Connected to 18.214.95.156 (18.214.95.156) port 6984 (#0)
    * successfully set certificate verify locations:
    *   CAfile: none
        CApath: /etc/ssl/certs
    * SSLv3, TLS handshake, Client hello (1):
    * Unknown SSL protocol error in connection to 18.214.95.156:6984
    * Closing connection 0

Hi @jhchadwick63, we believe to have identified your issue.

In the commands you were executing earlier, you mentioned this:

sudo chown root:root /opt/bitnami/couchdb/conf/server*
sudo chmod 600 /opt/bitnami/couchdb/conf/server*

However, CouchDB is run by the “couchdb” user meaning it is not able to read the certificate files. Therefore you must do this:

sudo chown couchdb:couchdb /opt/bitnami/couchdb/conf/server*

After that, restart CouchDB and you should be able to get it up and running. We were able to get a Let’s Encrypt certificate working after doing that.

Note that you do not need to uncomment “cacert_file”, we left it commented and it still worked.
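A small check script for the two things this thread turned on: whether the CouchDB service user can actually read server.crt and server.key (following the lego symlinks), and whether local.ini carries the [ssl] settings from the working answer. It is an added example, not part of the thread or the Bitnami documentation; the "couchdb" user and the /opt/bitnami paths come from the posts above, and the function names are my own.

```shell
#!/bin/sh
# Added check script (not from the thread or the Bitnami docs). Assumes CouchDB runs
# as the "couchdb" user and that server.crt/server.key live in
# /opt/bitnami/couchdb/conf, possibly as symlinks into /etc/lego/certificates.

# readable_by OWNER GROUP MODE USER USER_GROUP: succeeds when USER can read a file
# with that owner, group and octal mode. root always can; otherwise the owner, group
# or "other" read bit applies. This is the exact trap in the thread: root:root 600 is
# fine for root but unreadable by the couchdb service user, so the key never loads.
readable_by() {
  owner=$1; group=$2; mode=$3; user=$4; ugroup=$5
  mode=$(printf '%s' "$mode" | sed 's/^.*\(...\)$/\1/')   # "0600" -> "600"
  [ "$user" = root ] && return 0
  if [ "$user" = "$owner" ]; then bit=$(printf '%s' "$mode" | cut -c1)
  elif [ "$ugroup" = "$group" ]; then bit=$(printf '%s' "$mode" | cut -c2)
  else bit=$(printf '%s' "$mode" | cut -c3); fi
  [ $((bit & 4)) -ne 0 ]
}

# check_file PATH USER: follows symlinks to the real file (chown without -h does the
# same, so the lego-owned target is what actually changes) and applies readable_by.
# Returns 2 if the path does not resolve to a regular file. Uses GNU stat/readlink.
check_file() {
  target=$(readlink -f "$1") && [ -f "$target" ] || return 2
  readable_by "$(stat -c %U "$target")" "$(stat -c %G "$target")" \
    "$(stat -c %a "$target")" "$2" "$(id -gn "$2" 2>/dev/null || echo "$2")"
}

# ssl_config_ok INI: succeeds when the [ssl] section has enable = true plus
# uncommented cert_file and key_file lines (the settings from the accepted answer).
# Lines starting with ";" such as ;cacert_file are comments and are ignored.
ssl_config_ok() {
  awk '
    /^[ \t]*\[/ { in_ssl = ($0 ~ /^[ \t]*\[ssl]/); next }
    in_ssl && /^[ \t]*enable[ \t]*=[ \t]*true/        { e = 1 }
    in_ssl && /^[ \t]*cert_file[ \t]*=[ \t]*[^ \t]/   { c = 1 }
    in_ssl && /^[ \t]*key_file[ \t]*=[ \t]*[^ \t]/    { k = 1 }
    END { exit !(e && c && k) }
  ' "$1"
}
# Run the live checks only when asked, so the functions can be sourced separately.
main() {
  for f in server.crt server.key; do
    if check_file "/opt/bitnami/couchdb/conf/$f" couchdb; then echo "ok: couchdb can read $f"
    else echo "FAIL: couchdb cannot read $f (fix with chown couchdb:couchdb)"; fi
  done
  if ssl_config_ok /opt/bitnami/couchdb/etc/local.ini; then echo "ok: [ssl] section complete"
  else echo "FAIL: [ssl] section missing enable/cert_file/key_file"; fi
}
if [ "${RUN_CHECKS:-0}" = 1 ]; then main; fi
```

Run it as `sudo RUN_CHECKS=1 sh check_couchdb_tls.sh` on the instance; a FAIL on server.key with root:root 600 is the state the thread ended up in before the chown.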
