Error opening bucket #bucketName: failed to connect to any of the specified hosts ( Sync Gateway authentication against couchbase server using X.509 certificate)

Puja_Sharma · July 13, 2020, 10:15am

{
“interface”:":4984",
“logging”: {
“log_file_path”: “C:/Program Files/Couchbase/Sync Gateway/var/lib/couchbase/logs/sg_logs”,
“console”: {
“enabled”: true,
“log_level”: “info”,
“log_keys”: [
“*”
]
}
},
“databases”:{
“db”:{
“use_views”: true,
“cacertpath”: “C:/Program Files/servercertfiles/ca.pem”,
“certpath”: “C:/Program Files/servercertfiles/clientcertfiles/seedata.pem”,
“keypath”: “C:/Program Files/servercertfiles/clientcertfiles/seedata.key”,
“server”: “couchbases://127.0.0.1”,
“bucket”: “CR_SeeData”,
“username”: “sync_gateway”
}
}

}

this is the sync-gateway-config.json file that I am using to authenticate. but I am getting following error:
[INF] GoCBCustomSGTranscoder Opening Couchbase database CR_SeeData on couchbases://127.0.0.1 as user “sync_gateway”
2020-07-13T15:38:20.566+05:30 [INF] Error opening bucket CR_SeeData: failed to connect to any of the specified hosts

sridevi.saragadam · July 13, 2020, 7:15pm

@Puja_Sharma,
When you use x509 certs, there are couple of things which need to follow.
Can you make sure certs which generated are valid ones?
Also, you need to make sure the time stamp /clocks are in sync with couchbase server and sync gateway and the host where you generated the certs. If they are not in sync, certs will be treated as expired

Can you also make sure the certs path and key path mentioned in the config are in right directory

Puja_Sharma · July 14, 2020, 5:10am

@sridevi.saragadam ,
I generated the certs using openssl ,
followed the commands from the links below
https://docs.couchbase.com/sync-gateway/2.7/security.html#x-509-certificates
-create root ,node certificate and enable client certificate authentication.

sridevi.saragadam · July 14, 2020, 6:33am

@Puja_Sharma, I see that there is no password provided in sync gateway config file for the bucket.Hope you created the bucket in the server without password. If you created bucket with password, please provide the password for the bucket on sync gateway config file

Also, looks like you have deployed server and sync gateway on the same host. Were you able to access server from the host where sync gateway is deployed using the url , http://localhost:8091

Puja_Sharma · July 14, 2020, 7:13am

@sridevi.saragadam
I created bucket without password.Only I created a user with full admin access .
Yes I was able to access server from host where sync_gateway is deployed using http://localhost:8091

manasa · July 14, 2020, 6:49pm

Please verify if you are able to connect to sync gateway without the x509 certs , if that works please make sure you followed the below documented steps on couchbase too( clientCertAuth is enable and or not )
https://docs.couchbase.com/server/5.5/security/security-x509certsintro.html#configuring-x.509. If you use the Syncgatway 2.7 you will be able to see more information in logs . Please share debug log messages as well.

Puja_Sharma · July 15, 2020, 5:34am

@manasa
I am able to connect without x.509 certs
2020-07-15T11:00:10.091+05:30 [INF] Starting admin server on 127.0.0.1:4985
2020-07-15T11:00:10.092+05:30 [INF] Starting server on :4984 …
2020-07-15T11:00:10.095+05:30 [INF] CBGoUtilsLogger: Using plain authentication for user sync_gateway
2020-07-15T11:00:10.125+05:30 [INF] DCP: Backfill in progress: 13% (2 / 15)

the configuration file is below:
{
“adminInterface”: “127.0.0.1:4985”,
“interface”: “:4984”,
“logging”: {
“log_file_path”: “C:/Program Files/Couchbase/Sync Gateway/var/lib/couchbase/logs/sg_logs”,
“console”: {
“enabled”: true,
“log_level”: “info”,
“log_keys”: [
“"
]
}
},
“databases”: {
“db”: {
“bucket”: "”,
“server”: “http://127.0.0.1:8091”,
“username”:“sync_gateway”,
“password”:"**********",
“use_views”: true,
“enable_shared_bucket_access”: true,
“import_docs”: true,
“num_index_replicas”: 0,
“allow_conflicts”: false,
“revs_limit”: 20
}
}
}

clientCertAuth is also enabled:

Puja_Sharma · July 15, 2020, 5:54am

sg_error

2020-07-15T11:19:57.553+05:30 ==== Couchbase Sync Gateway/2.7.1(5;a08bf70) CE ====
2020-07-15T11:19:57.557+05:30 ==== Couchbase Sync Gateway/2.7.1(5;a08bf70) CE ====
2020-07-15T11:20:39.027+05:30 [ERR] Error opening database db: 502 Unable to connect to Couchbase Server (connection refused). Please ensure it is running and reachable at the configured host and port. Detailed error: failed to connect to any of the specified hosts – rest.RunServer() at config.go:1028

sg_warn
2020-07-15T11:19:57.553+05:30 ==== Couchbase Sync Gateway/2.7.1(5;a08bf70) CE ====
2020-07-15T11:19:57.557+05:30 ==== Couchbase Sync Gateway/2.7.1(5;a08bf70) CE ====
2020-07-15T11:20:39.027+05:30 [WRN] RetryLoop for Attempt to connect to bucket : CR_SeeData giving up after 14 attempts – base.RetryLoop() at util.go:376
2020-07-15T11:20:39.027+05:30 [ERR] Error opening database db: 502 Unable to connect to Couchbase Server (connection refused). Please ensure it is running and reachable at the configured host and port. Detailed error: failed to connect to any of the specified hosts – rest.RunServer() at config.go:1028

bbrks · July 16, 2020, 8:34am

Please ensure all of the TCP ports listed for Encrypted traffic are opened between Sync Gateway and Couchbase Server:

Client-to-node
Unencrypted : 8091-8096, 9140, 11210, 11211
Encrypted : 11207, 18091-18096