Problem setting up a self-signed SSL certificate in CouchDB on an Ubuntu EC2 instance

Posted: 2013-09-29 18:26:59

Tags: ubuntu ssl amazon-web-services amazon-ec2 couchdb

I'm trying to replicate the environment I have on my own machine (Ubuntu 12.10) on AWS EC2 (Ubuntu 12.04).

So I ran the following commands:

# openssl genrsa -out localhost.key 2048

# openssl req -new -x509 -key localhost.key -out localhost.crt -days 3650 -subj /CN=localhost

After that, I configured local.ini as follows (making sure the certificate files are accessible to the couchdb user):

[daemons]
httpsd = {couch_httpd, start_link, [https]}

[ssl]
cert_file = /opt/couchdb/etc/cert/localhost.crt
key_file = /opt/couchdb/etc/cert/localhost.key

When I run this command on my own machine it works fine,

curl -v -k https://localhost:6984/

but on AWS EC2 I get the following error:

* About to connect() to localhost port 6984 (#0)
*   Trying 127.0.0.1... connected
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* Unknown SSL protocol error in connection to localhost:6984 
* Closing connection #0
curl: (35) Unknown SSL protocol error in connection to localhost:6984 

CouchDB log:

[Mon, 30 Sep 2013 00:27:57 GMT] [error] [<0.3024.1>] {error_report,<0.61.0>,
                                   {<0.3024.1>,std_error,
                                    [83,83,76,58,32,"1095",58,32,"error",58,
                                     [123,
                                      ["try_clause",44,
                                       [123,["error",44,"eacces"],125]],
                                      125],
                                     32,
                                     "/usr/local/etc/couchdb/cert/localhost.crt",
                                     "\n",32,32,
                                     [91,
                                      [[123,
                                        ["ssl_manager",44,"cache_pem_file",44,
                                         "2"],
                                        125],
                                       44,10,"   ",
                                       [123,
                                        ["ssl_certificate",44,
                                         "file_to_certificats",44,"2"],
                                        125],
                                       44,10,"   ",
                                       [123,
                                        ["ssl_connection",44,
                                         "init_certificates",44,"6"],
                                        125],
                                       44,10,"   ",
                                       [123,
                                        ["ssl_connection",44,"ssl_init",44,
                                         "2"],
                                        125],
                                       44,10,"   ",
                                       [123,
                                        ["ssl_connection",44,"init",44,"1"],
                                        125],
                                       44,10,"   ",
                                       [123,
                                        ["gen_fsm",44,"init_it",44,"6"],
                                        125],
                                       44,10,"   ",
                                       [123,
                                        ["proc_lib",44,"init_p_do_apply",44,
                                         "3"],
                                        125]],
                                      93],
                                     "\n"]}}
[Mon, 30 Sep 2013 00:27:57 GMT] [error] [<0.3024.1>] {error_report,<0.61.0>,
                         {<0.3024.1>,crash_report,
                          [[{initial_call,
                                {ssl_connection,init,['Argument__1']}},
                            {pid,<0.3024.1>},
                            {registered_name,[]},
                            {error_info,
                                {exit,ecertfile,
                                    [{gen_fsm,init_it,6},
                                     {proc_lib,init_p_do_apply,3}]}},
                            {ancestors,[ssl_connection_sup,ssl_sup,<0.62.0>]},
                            {messages,[]},
                            {links,[<0.66.0>]},
                            {dictionary,[]},
                            {trap_exit,false},
                            {status,running},
                            {heap_size,2584},
                            {stack_size,24},
                            {reductions,1532}],
                           []]}}
[Mon, 30 Sep 2013 00:27:57 GMT] [error] [<0.66.0>] {error_report,<0.61.0>,
                       {<0.66.0>,supervisor_report,
                        [{supervisor,{local,ssl_connection_sup}},
                         {errorContext,child_terminated},
                         {reason,ecertfile},
                         {offender,
                             [{pid,<0.3024.1>},
                              {name,undefined},
                              {mfargs,{ssl_connection,start_link,undefined}},
                              {restart_type,temporary},
                              {shutdown,4000},
                              {child_type,worker}]}]}}
[Mon, 30 Sep 2013 00:27:57 GMT] [error] [<0.349.1>] {error_report,<0.31.0>,
                                  {<0.349.1>,std_error,
                                   [{application,mochiweb},
                                    "Accept failed error",
                                    "{error,ecertfile}"]}}
[Mon, 30 Sep 2013 00:27:57 GMT] [error] [<0.349.1>] {error_report,<0.31.0>,
                        {<0.349.1>,crash_report,
                         [[{initial_call,
                               {mochiweb_acceptor,init,
                                   ['Argument__1','Argument__2',
                                    'Argument__3']}},
                           {pid,<0.349.1>},
                           {registered_name,[]},
                           {error_info,
                               {exit,
                                   {error,accept_failed},
                                   [{mochiweb_acceptor,init,3},
                                    {proc_lib,init_p_do_apply,3}]}},
                           {ancestors,
                               [https,couch_secondary_services,
                                couch_server_sup,<0.32.0>]},
                           {messages,[]},
                           {links,[<0.2106.0>,#Port<0.3554>]},
                           {dictionary,[]},
                           {trap_exit,false},
                           {status,running},
                           {heap_size,987},
                           {stack_size,24},
                           {reductions,225918}],
                          []]}}
[Mon, 30 Sep 2013 00:27:57 GMT] [error] [<0.2106.0>] {error_report,<0.31.0>,
                         {<0.2106.0>,std_error,
                          {mochiweb_socket_server,310,
                              {acceptor_error,{error,accept_failed}}}}}

So, how can I fix this?


Update: it is important to say that the reason mochiweb had no access to my certificate is that I had been running couchdb as the root user rather than as the couchdb user.

So, always make sure you run the program as the couchdb user:

sudo -i -u couchdb couchdb
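As an added pre-flight check for the problem described in the update (example script, not part of the original post or of CouchDB): it reports, before CouchDB is started, whether the service account can read the cert_file and key_file named in local.ini, so the {error,eacces} seen in the log above is caught up front. It assumes GNU stat and a POSIX shell; the function names and the couchdb account name are the example's own.

```shell
#!/bin/sh
# Added pre-flight check (not from the original post): does the CouchDB
# service account have read access to the TLS files named in local.ini?
# The log above shows the ssl application failing on cert_file with
# {error,eacces}, which then surfaces as ecertfile/accept_failed on every
# HTTPS connection. GNU stat (as on Ubuntu) is assumed.

# can_user_read USER FILE -> 0 if USER can read FILE judging by the file's
# owner, group and mode bits (evaluated without sudo or switching users).
can_user_read() {
    user=$1; file=$2
    [ -e "$file" ] || { echo "missing: $file"; return 1; }
    set -- $(stat -c '%U %G %a' "$file")
    owner=$1; group=$2; bits=$((0$3))     # leading 0 makes %a octal
    if [ "$user" = "$owner" ]; then
        if [ $((bits & 256)) -ne 0 ]; then return 0; else return 1; fi
    fi
    for g in $(id -Gn "$user" 2>/dev/null); do
        if [ "$g" = "$group" ]; then
            if [ $((bits & 32)) -ne 0 ]; then return 0; else return 1; fi
        fi
    done
    if [ $((bits & 4)) -ne 0 ]; then return 0; else return 1; fi
}

# check_couchdb_tls USER FILE... -> prints one verdict per file and returns
# 0 only when USER can read all of them.
check_couchdb_tls() {
    svc=$1; shift; rc=0
    for f in "$@"; do
        if can_user_read "$svc" "$f"; then
            echo "ok:     $svc can read $f"
        else
            echo "DENIED: $svc cannot read $f (CouchDB will log {error,eacces})"
            rc=1
        fi
    done
    return $rc
}

# Stand-alone use with the paths from the local.ini above:
#   sh check_tls.sh couchdb /opt/couchdb/etc/cert/localhost.crt \
#                           /opt/couchdb/etc/cert/localhost.key
if [ $# -ge 2 ]; then check_couchdb_tls "$@"; fi
```

A DENIED line for either file means the fix is ownership or mode on that file (or starting CouchDB as the account that owns them), not the certificate contents.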

2 Answers:

Answer 0 (score: 3)

Following the updated question: CouchDB cannot access the certificate, either because the file is missing or because CouchDB does not have permission to read it.

Answer 1 (score: 2)

Also note that before Erlang R15B02 there was a problem using certificates signed with sha256 or stronger; before that release only sha1 or md5 were supported.

More information is in this discussion thread.