
TLS client: In state cipher received SERVER ALERT: Fatal - Unknown CA error enabling x509 cert auth for replication #2966

Closed
raulmartinezr opened this issue Jun 25, 2020 · 3 comments

Comments

@raulmartinezr

Description

I am trying to configure client certificate authentication in the following scenario with CouchDB 3.1.0:

"Server" -> CouchDB (single-node)
"Client" -> CouchDB (single-node) where I configure bidirectional replication, to and from the server CouchDB (push+pull)

But it is failing. Messages found in the logs:

Client couchdb instance (the side which manages replication)

 TLS client: In state cipher received SERVER ALERT: Fatal - Unknown CA

Server couchdb instance

 TLS server: In state certify received CLIENT ALERT: Fatal - Handshake Failure

Steps to Reproduce

  • Configure client and server CouchDB instances as described in the environment
  • Configure replication in the client instance (bidirectional, push and pull)
  • Replication fails

Expected Behaviour

Replication should work. I tested connectivity with curl and openssl with the same setup, and both are working.

  sudo curl --url https://192.168.1.66:6984/database/ \
    --key /opt/couchdb/etc/ssl/node-71.client.key.pem \
    --cert /opt/couchdb/etc/ssl/node-71.client.cert.pem \
    --cacert /opt/couchdb/etc/ssl/ca-chain.cert.pem --insecure
  {"error":"unauthorized","reason":"You are not authorized to access this db."}

  sudo openssl s_client -connect 192.168.1.66:6984 \
    -key /opt/couchdb/etc/ssl/node-71.client.key.pem \
    -cert /opt/couchdb/etc/ssl/node-71.client.cert.pem \
    -CAfile /opt/couchdb/etc/ssl/ca-chain.cert.pem
  CONNECTED(00000005)

Your Environment

Client

  [ssl]
  enable = true
  cert_file = /opt/couchdb/etc/ssl/node-71.server.cert.pem
  key_file = /opt/couchdb/etc/ssl/node-71.server.key.pem
  verify_ssl_certificates = true
  fail_if_no_peer_cert = false
  cacert_file = /opt/couchdb/etc/ssl/ca-chain.cert.pem

  [replicator]
  cert_file = /opt/couchdb/etc/ssl/node-71.client.cert.pem
  key_file = /opt/couchdb/etc/ssl/node-71.client.key.pem
  ; avoid hostname check failure
  verify_ssl_certificates = false
  ssl_trusted_certificates_file = /opt/couchdb/etc/ssl/ca-chain.cert.pem
  ssl_certificate_max_depth = 5

Server

  [ssl]
  enable = true
  cert_file = /opt/couchdb/etc/ssl/node-66.server.cert.pem
  key_file = /opt/couchdb/etc/ssl/node-66.server.key.pem
  verify_ssl_certificates = true
  fail_if_no_peer_cert = true
  cacert_file = /opt/couchdb/etc/ssl/ca-chain.cert.pem

  [replicator]
  cert_file = /opt/couchdb/etc/ssl/node-66.client.cert.pem
  key_file = /opt/couchdb/etc/ssl/node-66.client.key.pem
  verify_ssl_certificates = false
  ssl_trusted_certificates_file = /opt/couchdb/etc/ssl/ca-chain.cert.pem

  • CouchDB version used: 3.1.0
  • Browser name and version:
  • Operating system and version: Ubuntu 18.04

Additional Context

@janl
Member

janl commented Jun 25, 2020

duplicate of #2964

@janl janl closed this as completed Jun 25, 2020
@raulmartinezr
Author

Yep, I created the initial one as "help" by mistake. Maybe it would have been better to close "help" instead of "bug".

@janl
Member

janl commented Jun 25, 2020

I marked it “help” — we still need to determine if it is a bug
