HTTPS: config disabled, database list messed up

madpink 2017-04-19 13:52:46 UTC #1

I've enabled HTTPS access...

When I log into Fauxton using HTTPS, if I go to "Configuration" it says "Config Disabled" at the top. If I log into with port "5984", I can make changes to the configuration. Is there a way to enable Config on the secured side?
I setup CouchDB as a single node, but in the HTTPS side of Fauxton I am getting a list of about 20 shard databases in the all dbs view that look like this: (I'm not listing all of them)
shards/00000000-1fffffff/_global_changes.1492544140 This database failed to load.
The databases listed in the HTTP fauxton vs the HTTPS fauxton are not the same, if I create a DB in one, it does not show up in the other.

If I go into the var/lib/couchdb directory, databases that I create in the HTTP fauxton show up in its root.
Databases I create on the HTTPS fauxton page show up in one of the directories that are created in var/lib/couchdb/shards

Is this supposed to behave like this, or did I mess something up in my configuration (see below for local.ini file)

; CouchDB Configuration Settings

; Custom settings should be made in this file. They will override settings
; in default.ini, but unlike changes made to default.ini, this file won't be
; overwritten on server upgrade.

[couchdb]
database_dir = /opt/couchdb/var/lib/couchdb
view_index_dir = /opt/couchdb/var/lib/couchdb
plugin_dir = /opt/couchdb/lib/couchdb/plugins
;max_document_size = 4294967296 ; bytes
;os_process_timeout = 5000
uuid = ba502ba2fd67f5984b900dd566faebee

[couch_peruser]
; If enabled, couch_peruser ensures that a private per-user database
; exists for each document in _users. These databases are writable only
; by the corresponding user. Databases are in the following form:
; userdb-{hex encoded username}
enable = true
; If set to true and a user is deleted, the respective database gets
; deleted as well.
;delete_dbs = true

[chttpd]
port = 5984
bind_address = 0.0.0.0
; Options for the MochiWeb HTTP server.
;server_options = [{backlog, 128}, {acceptor_pool_size, 16}]
; For more socket options, consult Erlang's module 'inet' man page.
;socket_options = [{recbuf, 262144}, {sndbuf, 262144}, {nodelay, true}]

[httpd]
; NOTE that this only configures the "backend" node-local port, not the
; "frontend" clustered port. You probably don't want to change anything in
; this section.
; Uncomment next line to trigger basic-auth popup on unauthorized requests.
WWW-Authenticate = Basic realm="Administrator"

; Uncomment next line to set the configuration modification whitelist. Only
; whitelisted values may be changed via the /_config URLs. To allow the admin
; to change this value over HTTP, remember to include {httpd,config_whitelist}
; itself. Excluding it from the list would require editing this file to update
; the whitelist.
;config_whitelist = [{httpd,config_whitelist}, {log,level}, {etc,etc}]

[query_servers]
javascript = /opt/couchdb/bin/couchjs /opt/couchdb/share/server/main.js
coffeescript = /opt/couchdb/bin/couchjs /opt/couchdb/share/server/main-coffee.js
;nodejs = /usr/local/bin/couchjs-node /path/to/couchdb/share/server/main.js


[httpd_global_handlers]
favicon.ico = {couch_httpd_misc_handlers, handle_favicon_req, "/opt/couchdb/share/www"}
;_google = {couch_httpd_proxy, handle_proxy_req, <<"http://www.google.com">>}

[couch_httpd_auth]
secret = c71db502c031f1b265cf327b1403cfeb
; If you set this to true, you should also uncomment the WWW-Authenticate line
; above. If you don't configure a WWW-Authenticate header, CouchDB will send
; Basic realm="server" in order to prevent you getting logged out.
require_valid_user = true

[os_daemons]
; For any commands listed here, CouchDB will attempt to ensure that
; the process remains alive. Daemons should monitor their environment
; to know when to exit. This can most easily be accomplished by exiting
; when stdin is closed.
;foo = /path/to/command -with args

[daemons]
; enable SSL support by uncommenting the following line and supply the PEM's below.
; the default ssl port CouchDB listens on is 6984
httpsd =  {couch_httpd, start_link, [https]}

[ssl]
port = 6984
cert_file = /opt/couchdb/conf/server.crt
key_file = /opt/couchdb/conf/server.key
;password = somepassword
; set to true to validate peer certificates
;verify_ssl_certificates = false
; Set to true to fail if the client does not send a certificate. Only used if verify_ssl_certificates is true.
;fail_if_no_peer_cert = false
; Path to file containing PEM encoded CA certificates (trusted
; certificates used for verifying a peer certificate). May be omitted if
; you do not want to verify the peer.
;cacert_file = /full/path/to/cacertf
; The verification fun (optional) if not specified, the default
; verification fun will be used.
;verify_fun = {Module, VerifyFun}
; maximum peer certificate depth
;ssl_certificate_max_depth = 1
;
; Reject renegotiations that do not live up to RFC 5746.
;secure_renegotiate = true
; The cipher suites that should be supported.
; Can be specified in erlang format "{ecdhe_ecdsa,aes_128_cbc,sha256}"
; or in OpenSSL format "ECDHE-ECDSA-AES128-SHA256".
;ciphers = ["ECDHE-ECDSA-AES128-SHA256", "ECDHE-ECDSA-AES128-SHA"]
; The SSL/TLS versions to support
;tls_versions = [tlsv1, 'tlsv1.1', 'tlsv1.2']

; To enable Virtual Hosts in CouchDB, add a vhost = path directive. All requests to
; the Virual Host will be redirected to the path. In the example below all requests
; to http://example.com/ are redirected to /database.
; If you run CouchDB on a specific port, include the port number in the vhost:
; example.com:5984 = /database
[vhosts]
;example.com = /database/

[update_notification]
;unique notifier name=/full/path/to/exe -with "cmd line arg"

; To create an admin account uncomment the '[admins]' section below and add a
; line in the format 'username = password'. When you next start CouchDB, it
; will change the password to a hash (so that your passwords don't linger
; around in plain-text files). You can add more admin accounts with more
; 'username = password' lines. Don't forget to restart CouchDB after
; changing this.
[admins]
admin = -pbkdf2-a634f120f3e595f55b1cfb4ffdfa22ad94a19ace,bba3e68b9a6df0c011f6f09b7b4b9268,10
;admin = mysecretpassword

arecio 2017-04-20 08:44:50 UTC #2

Hi,

Could you please provide us with a little more information?
- Are you using this application in the cloud ( such as AWS, Google, Azure, etc;) a native installer (such as Windows, Linux, etc.) or a Virtual Machine?
- Which exact version of the application are you using?
- In addition to what you have explained, have you installed any plugins or modified any configuration files?

Thank you for your kind cooperation.

Best regards,
Alvaro Recio

madpink 2017-04-20 13:07:53 UTC #3

I am using this in the cloud, it is an OpenVZ container, running Ubuntu 16.04
I am using CouchDB installer 2.0.0-1
No plugins, and the only config file I have edited is the local.ini (I have not made changes to the file since I pasted it in my first post)

Before starting, I wiped the container, so i started fresh, and the only other packages I have installed on this virtual machine are Webmin which runs on port 10000, and nano (the editor).

It's as if CouchDB is treating the HTTP and HTTPS connections as two separate instances.

Also, the number of databases has grown in the last 24 hours:
4 system databases (_dbs, _nodes, _repllicator, _users)
1 database I created
32 "shards" databases that all say "This database failed to load"

Unable to connect via HTTPS

tomasp 2017-04-21 08:19:30 UTC #4

Hello @madpink,

It seems they are known-issues when enabling HTTPS at erlang level. You can check the following post:

As a summary, a CouchDB developer recommended using haproxy to provide the secure layer.

I hope it helps,
Tomas

madpink 2017-04-21 11:41:22 UTC #5

I actually tried that out earlier in the week... unfortunately I'm not familiar enough with CentOS to really troubleshoot problems that arose while trying to set it up. (For example, the instructions as-is did not work as YUM did not have some of the required packages that needed to be installed)

Does anyone have advice for approaching this on Ubuntu or Debian?

madpink 2017-04-23 14:29:36 UTC #6

worked on this for a while... I've adapted the instructions to Ubuntu/Debian as much as I can and this seems to work... if anyone sees anything wrong let me know

##INSTALL COUCHDB2 FIRST, BUT DON'T CHANGE BIND_ADDRESS

sudo add-apt-repository ppa:certbot/certbot -y 
sudo apt-get update -y
sudo apt-get install haproxy certbot -y

## Add the following line to /etc/default/haproxy
ENABLED=1

##edit /etc/haproxy/haproxy.cfg with your favorite editor and make it look like below
##replace the port number in the line "bind *:7465" to whatever port you would like
##change it to "bind *:443" if you would like
##change "MY_DOMAIN" to your domain name in the ssl file name, e.g. example.com should be "example.com.pem"
##you can map multiple domains if necessary
-----
global
	log /dev/log	local0
	log /dev/log	local1 notice
	chroot /var/lib/haproxy
	stats socket /run/haproxy/admin.sock mode 660 level admin
	stats timeout 30s
	maxconn 2048
	tune.ssl.default-dh-param 2048
	user haproxy
	group haproxy
	daemon

	# Default SSL material locations
  ca-base /etc/ssl/certs
  crt-base /etc/ssl/private

	# Default ciphers to use on SSL-enabled listening sockets.
	# For more information, see ciphers(1SSL). This list is from:
	#  https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
	ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
	ssl-default-bind-options no-sslv3

defaults
	log	global
	mode	http
	option forwardfor
  option http-server-close
	option	httplog
	option	dontlognull
        timeout connect 5000
        timeout client  50000
        timeout server  50000
	errorfile 400 /etc/haproxy/errors/400.http
	errorfile 403 /etc/haproxy/errors/403.http
	errorfile 408 /etc/haproxy/errors/408.http
	errorfile 500 /etc/haproxy/errors/500.http
	errorfile 502 /etc/haproxy/errors/502.http
	errorfile 503 /etc/haproxy/errors/503.http
	errorfile 504 /etc/haproxy/errors/504.http


frontend http-in
         bind *:7465 ssl crt /etc/haproxy/MY_DOMAIN.pem
         default_backend couchdbs
         reqadd X-Forwarded-Proto:\ https
         acl secure dst_port eq 7465
         rsprep ^Set-Cookie:\ (.*) Set-Cookie:\ \1;\ Secure if secure
         rspadd Strict-Transport-Security:\ max-age=31536000 if secure
         redirect scheme https code 301 if !{ ssl_fc }

backend couchdbs
        option httpchk GET /_up
        http-check disable-on-404
        server couchdb1 127.0.0.1:5984 check inter 5s
--------

## Below, replace "MY_DOMAIN" with the domain name being used
cat <<EOT > /etc/haproxy/cert-hook
#!/bin/sh
DOMAIN="MY_DOMAIN"
FULL_PEM="/etc/haproxy/cert-haproxy.pem"
echo "Certbot renewal hook running as user: '$USER'..." >&2
echo "RENEWED_DOMAINS=$RENEWED_DOMAINS" >&2
echo "RENEWED_LINEAGE=$RENEWED_LINEAGE" >&2

if grep --quiet "$DOMAIN" <<< "$RENEWED_DOMAINS"; then
        cat $RENEWED_LINEAGE/fullchain.pem $RENEWED_LINEAGE/privkey.pem > $FULL_PEM
        echo "PEM updated $FULL_PEM" >&2
        systemctl restart haproxy
        echo "Haproxy restarted" >&2
fi
EOT

## change the file name in the commands below if you did above
## change MY_DOMAIN to the domain name
chmod +x /etc/haproxy/cert-hook
certbot certonly --standalone -d MY_DOMAIN --renew-hook "/etc/haproxy/cert-hook"
cat /etc/letsencrypt/live/MY_DOMAIN/fullchain.pem /etc/letsencrypt/live/MY_DOMAIN/privkey.pem > /etc/haproxy/cert-haproxy.pem
chmod 600  /etc/haproxy/cert-haproxy.pem
sudo service haproxy restart

cat <<EOT > /etc/systemd/system/certbot.service 
[Unit]
Description=Lets Encrypt Automated Renewal

[Service]
Type=oneshot
ExecStart=/usr/bin/certbot renew --quiet --agree-tos --renew-hook "/etc/haproxy/cert-hook"
EOT


cat <<EOT > /etc/systemd/system/certbot.timer
Description=Daily renewal of Let's Encrypt's certificates

[Timer]
OnCalendar=daily
RandomizedDelaySec=1day
Persistent=true

[Install]
WantedBy=timers.target
EOT

systemctl daemon-reload

Unable to connect via HTTPS

marcos 2017-04-24 10:47:49 UTC #7

Thanks for sharing your solution @madpink! I'm sorry you did not get HTTPS working with CouchDB, we recently released the new CouchDB version and tested SSL, and it worked for us, I have no idea what could have been happening to you.

Regards,
Marcos

sangaman 2017-05-05 23:39:45 UTC #8

It looks like I'm having this exact problem as described here and in the link to stackoverflow. I'm going to give this a shot, but I've already changed my bind addresses to 0.0.0.0 so I hope that's not a huge problem. If you could let me know soon that would save me a lot of time, I just don't want to have to start over with a fresh image unless I have to. Thanks madpink, if you have any other tips or advice you could share that would be tremendously helpful.

sangaman 2017-05-05 23:40:44 UTC #9

I'm thinking it's possibly related to certbot, as that's what I'm using for my SSL setup.

sangaman 2017-05-06 21:58:45 UTC #10

I had to make some tweaks, but I ran this on a fresh image and it seems to have worked! Thank you so much. I left the port as 7465, and in the line:

/etc/haproxy/MY_DOMAIN.pem

MY_DOMAIN should actually just read "cert-haproxy.pem"

Also I'm not sure if this will work with automatic renewal? I guess I'll wait and see, but it looks like I may have to run "cat /etc/letsencrypt/live/MY_DOMAIN/fullchain.pem /etc/letsencrypt/live/MY_DOMAIN/privkey.pem > /etc/haproxy/cert-haproxy.pem" manually as root to actually update the cert-haproxy.pem file?

dbarranco 2017-05-08 12:30:52 UTC #11

Hi @sangaman

Thank you so much for sharing your solution, I'm sure someone will find it useful!!

Also, regarding the automatic renewal, if you're using certbot have you configured the cron jobs for the automatic renewal?

In this guide there are some instructions about configuring the cron job for certbot.

If you followed it, you can see the cronjobs of the bitnami user typing this command:

crontab -u bitnami -l

Best regards!

vishvas 2017-05-30 03:19:58 UTC #12

I get exactly the same problem as well. And, I'm using certbot too. This is very starnge, I'd rather not have to configure haproxy just to get around this..
Uploading...

jota 2017-05-31 11:09:34 UTC #13

Hi @vishvas,

We have two sections in our documentation that explains how to configure SSL in CouchDB and how to access it from a remote machine, could you please check it?

https://docs.bitnami.com/installer/infrastructure/couchdb/#how-to-enable-ssl-for-https-on-couchdb
https://docs.bitnami.com/installer/infrastructure/couchdb/#how-to-connect-to-couchdb-from-a-different-machine

As @tomasp mentioned, there are well known errors

I hope this information helps.
Jota

sangaman 2017-08-12 12:55:04 UTC #15

Hello again, turns out I DID have to run this line (with my domain instead of MY_DOMAIN of course)

cat /etc/letsencrypt/live/MY_DOMAIN/fullchain.pem /etc/letsencrypt/live/MY_DOMAIN/privkey.pem > /etc/haproxy/cert-haproxy.pem

And then restart haproxy and it worked. I had run into issues due to certificate expiration and a simple certbot renew and restart wasn't solving the trick. So I will probably set up a cron job that automates this process. It's a good thing I had shared that info here, because in the past months I forgot what I had done and needed to do so rereading my comments saved me a lot of time. CouchDB has been working great for me with haproxy.

jsalmeron 2017-08-14 11:35:58 UTC #16

Hi,

Thanks for letting us know. Regarding the command, I would advise you to use cp rather than cat. If you run into more issues, please let us know

Best regards,

Javier J. Salmerón

Was my answer helpful? Click on

jsalmeron 2017-10-24 13:42:32 UTC #17

Bitnami provides free all-in-one installers, virtual machines and cloud images for popular open source applications. Get them now!