How do we run / configure couchbase server to support ssl or https connection?

The documentation is not clear on how to run / configure Couchbase Server to support SSL or HTTPS connections so as to secure administrative access for your web browser.

Ref: http://docs.couchbase.com/admin/admin/Concepts/security-admin-access.html

Once configured you’d simply replace 8091 anywhere you’re using it with 18091 and then https as the protocol scheme in the URL. What part are you not finding clear?

Note that SSL is a feature of the EE version only. If you’re not finding it in the UI, it could be because you have CE installed. See the description of editions for more info.

I downloaded an Enterprise Edition (w/o any license registration) for trial. Will this work for SSL?

Here is the documentation section which is not clear:

Configuring a secure administrative access for your web browser

1. Connect to Couchbase Server through an encrypted port to communicate on a secure channel (18091 for REST HTTP or 18092 for CAPI HTTP).

Q: How do I connect/configure to enable HTTPS over the internet?

Say I type a browser address, e.g. https://127.0.0.1:18091/index.html or https://127.0.0.1:18092/index.html: this is not connecting and/or enabling HTTPS?

Yes, the EE without any license registration will work for SSL. There isn’t any enforced key control, but there are restrictions in the terms and conditions.

And yes, if you use https://:18091 then it will use https. Since the certificate isn’t from a certificate authority known to your browser, you’ll need to verify that it’s okay to the browser (which will warn you), but then it’ll be fine.

My whole point is: I’m NOT able to connect if I use https://localhost:18091 or 18092. The browser says “This webpage is not available”… and the documentation is not clear on how to configure / enable HTTPS. Did that make sense to you? (Only http works!)

Honestly, I’ve not seen this. SSL setup was quite straightforward in my case.

Let’s see if we can diagnose this with something that’s easy to copy and paste into the forums. Can you try curl -k https://<yourhost>:18091/pools to see if you get a response from the server there? If not, what error does it give you?

Here’s what I see against my cluster (note that jq is just a JSON formatter):

$ curl -k https://54.160.64.77:18091/pools | jq '.'
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  1038  100  1038    0     0    722      0  0:00:01  0:00:01 --:--:--   723
{
  "pools": [
    {
      "name": "default",
      "uri": "/pools/default?uuid=d5c96361ba4a42d6daa9b6f992dda045",
      "streamingUri": "/poolsStreaming/default?uuid=d5c96361ba4a42d6daa9b6f992dda045"
    }
  ],
  "isAdminCreds": false,
  "isROAdminCreds": false,
  "isEnterprise": true,
  "settings": {
    "maxParallelIndexers": "/settings/maxParallelIndexers?uuid=d5c96361ba4a42d6daa9b6f992dda045",
    "viewUpdateDaemon": "/settings/viewUpdateDaemon?uuid=d5c96361ba4a42d6daa9b6f992dda045"
  },
  "uuid": "d5c96361ba4a42d6daa9b6f992dda045",
  "implementationVersion": "3.0.1-1444-rel-enterprise",
  "componentsVersion": {
    "lhttpc": "1.3.0",
    "os_mon": "2.2.14",
    "public_key": "0.21",
    "asn1": "2.0.4",
    "couch": "2.1.1r-432-gc2af28d",
    "kernel": "2.16.4",
    "syntax_tools": "1.6.13",
    "xmerl": "1.3.6",
    "ale": "3.0.1-1444-rel-enterprise",
    "couch_set_view": "2.1.1r-432-gc2af28d",
    "compiler": "4.9.4",
    "inets": "5.9.8",
    "mapreduce": "1.0.0",
    "couch_index_merger": "2.1.1r-432-gc2af28d",
    "ns_server": "3.0.1-1444-rel-enterprise",
    "oauth": "7d85d3ef",
    "crypto": "3.2",
    "ssl": "5.3.3",
    "sasl": "2.3.4",
    "couch_view_parser": "1.0.0",
    "mochiweb": "2.4.2",
    "stdlib": "1.19.4"
  }
}

Thanks for the response.
Do localhost SSL connections over Wi-Fi affect this, or do we need to physically connect to the LAN?
Any Couchbase SSL setup references greatly appreciated!

Weird:

curl -k https://localhost:18091/pools got a similar response to yours.
But if I try to log in through the browser (https://localhost:18091/), the Chrome console says:
(failed) net::ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED !?

Any help?

My response (curl):
    {
    "pools":[
      {
         "name":"default",
         "uri":"/pools/default?uuid=a1c8648a20577e61c1729dc4a9017ceb",
         "streamingUri":"/poolsStreaming/default?uuid=a1c8648a20577e61c1729dc4a9017ceb"
      }
    ],
    "isAdminCreds":true,
    "isROAdminCreds":false,
    "isEnterprise":true,
    "settings":{
      "maxParallelIndexers":"/settings/maxParallelIndexers?uuid=a1c8648a20577e61c1729dc4a9017ceb",
      "viewUpdateDaemon":"/settings/viewUpdateDaemon?uuid=a1c8648a20577e61c1729dc4a9017ceb"
    },
    "uuid":"a1c8648a20577e61c1729dc4a9017ceb",
    "implementationVersion":"3.0.2-1603-rel-enterprise",
    "componentsVersion":{
      "lhttpc":"1.3.0",
      "os_mon":"2.2.14",
      "public_key":"0.21",
      "asn1":"2.0.4",
      "couch":"2.1.1r-450-g19551d2",
      "kernel":"2.16.4",
      "syntax_tools":"1.6.12",
      "xmerl":"1.3.5",
      "ale":"3.0.2-1603-rel-enterprise",
      "couch_set_view":"2.1.1r-450-g19551d2",
      "compiler":"4.9.4",
      "inets":"5.9.7",
      "mapreduce":"1.0.0",
      "couch_index_merger":"2.1.1r-450-g19551d2",
      "ns_server":"3.0.2-1603-rel-enterprise",
      "oauth":"7d85d3ef",
      "crypto":"3.2",
      "ssl":"5.3.2",
      "sasl":"2.3.4",
      "mochiweb":"2.4.2",
      "stdlib":"1.19.4"
    }
    }

Okay, that indicates SSL is working properly. The reason Chrome complains is that the certificate is self-signed, not issued by a known certificate authority. This is actually covered in the documentation, though not with specifics on Chrome.

I too use Chrome and I know you can tell Chrome to accept the cert. If you click on “advanced” and then on “proceed…” you can go to the https port. You can click on the red https in the URL to view the certificate to verify. I’m fairly sure there’s a way to import the cert to Chrome too, but I’ve not done this myself.

This would be secure since you’d retrieve the cert over a safe channel, such as on the installed system over an ssh shell or the like, and then tell your browser to trust the cert. It’s similar to the curl instructions referenced in the docs above.

Actually, Chrome says it differently:
Any couchbase SSL setup references greatly appreciated !?

But it runs fine for localhost:

@daschl can you help me on this?
Any couchbase SSL setup references greatly appreciated !?

Firefox Error:

Something is not working as described:
I have installed couchbase-server-community_3.0.1-ubuntu12.04_amd64.deb
on Linux 3.13.0-43-generic #72-Ubuntu SMP Mon Dec 8 19:35:06 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux

On the admin portal I can see there is an SSL certificate.

Accessing the portal using http://localhost:8091 works
Accessing the portal using https://localhost:18091 results in “This web page is not available” using Chrome.

telnet: Unable to connect to remote host: Connection refused

Running ‘netstat -tuna’ on the command line does not list port 18091 as being listened on.

No solution yet for this topic??
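
Added example, not written by anyone in this thread: a small Python probe that separates the two symptoms reported above, "connection refused" on 18091 (no TLS listener, which is what a Community Edition install looks like) and "TLS answers but the self-signed certificate is not trusted". Instead of blanket `-k`, it compares the certificate the port presents with a SHA-256 fingerprint you obtained on the server itself over a safe channel such as ssh. The names `probe`, `fingerprint` and `edition` and the status strings are assumptions of this sketch.

```python
import hashlib, json, socket, ssl

def fingerprint(der):
    """SHA-256 of a DER certificate, colon-separated as browsers show it."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def edition(pools_body):
    """Read the isEnterprise flag from a /pools response body."""
    flag = json.loads(pools_body).get("isEnterprise")
    return "enterprise" if flag else "community"

def probe(host, port=18091, pinned=None, timeout=3.0):
    """Return (status, detail) for the HTTPS admin port."""
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        # Same symptom as the telnet/netstat post: nothing is listening.
        return ("refused",
                f"no listener; check isEnterprise in http://{host}:8091/pools")
    except OSError as exc:
        return ("unreachable", str(exc))
    # Verification is disabled only to *read* the self-signed certificate;
    # trust is decided by the fingerprint comparison below, not by the CA store.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            seen = fingerprint(tls.getpeercert(binary_form=True))
    except OSError as exc:  # ssl.SSLError and timeouts are OSError subclasses
        return ("tls_error", str(exc))
    if pinned is None:
        return ("unpinned", seen)      # handshake fine, nothing to compare with
    if seen == pinned.upper():
        return ("trusted", seen)       # same cert as the one read on the server
    return ("mismatch", seen)          # do not proceed: different certificate

if __name__ == "__main__":
    print(probe("127.0.0.1"))
```

A `refused` result together with `edition(...)` returning `community` for the plain-HTTP `/pools` body means the 18091 port will not appear until an Enterprise Edition build is installed, as noted earlier in the thread.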