I need help correctly setting up the SSL connection between the client (an ASP.NET Core 5 web API) and the Couchbase server (Couchbase Server Enterprise Edition 7.0.2 build 6703).
The server is equipped with a certificate signed by the internal sub-CA of the client. The sub-CA is signed by the internal root CA.
So, I’m expecting to just install the sub-CA and the root CA public certificates in the Docker container and then the SDK communication runs on SSL.
But looking at the documentation Managing Connections using the .NET SDK with Couchbase Server | Couchbase Docs, I notice that it’s the server certificate that should be installed in the docker container: " … Navigate in the admin UI to Settings Cluster and copy the input box of the TLS certificate into a file on your machine (which we will refer to as cluster.cert). It looks similar to this: …
It is important to make sure you are transferring the certificate in an encrypted manner from the server to the client side, so either copy it through SSH or through a similar secure mechanism."
I’ve tried to save the three certificates as .crt files and to install them in the Docker image like this:
```dockerfile
ADD st-couchbase.crt /usr/local/share/ca-certificates/st-couchbase.crt
ADD SAIPEM-SUBCA.crt /usr/local/share/ca-certificates/SAIPEM-SUBCA.crt
ADD SAIPEM-ROOTCA.crt /usr/local/share/ca-certificates/SAIPEM-ROOTCA.crt
RUN chmod 644 /usr/local/share/ca-certificates/st-couchbase.crt
RUN chmod 644 /usr/local/share/ca-certificates/SAIPEM-SUBCA.crt
RUN chmod 644 /usr/local/share/ca-certificates/SAIPEM-ROOTCA.crt
```
but the cluster doesn’t bootstrap. I confirm that I find the three certificates in the etc/ssl/certs folder.
The error is “Cluster has not yet bootstrapped. Call WaitUntilReadyAsync(…) to wait for it to complete.'”
My questions are:
- Is it correct to install the server certificate in the Docker image? If yes, it is obviously the public certificate, is that correct? My doubt relates to the sentence “It is important to make sure you are transferring the certificate in an encrypted manner from the server to the client side, so either copy it through SSH or through a similar secure mechanism.”
- Is it mandatory to execute the command dpkg-reconfigure ca-certificates? Once it is executed, all the content of etc/ssl/certs disappears and only the three certificates and a few other files remain.
- How can I call WaitUntilReadyAsync when using dependency injection?
- Must any other settings be applied to correctly set up the SSL connection?
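
The chain described in the question (server certificate signed by a sub-CA, which is signed by a root CA) can be checked with OpenSSL outside the SDK. The script below is an added example, not part of the original post or of the Couchbase documentation: it builds a constructed three-level chain and shows which certificates have to be trusted for the server certificate to validate. All CNs and file names are placeholders, and the result reflects OpenSSL's path validation, not SDK-specific behaviour.

```shell
#!/bin/sh
# Added example. Every name, CN and file below is a constructed placeholder.

issue() {  # issue DIR SIGNER NAME CN EXT_SECTION: sign NAME.crt with SIGNER's key
    openssl req -config "$1/pki.cnf" -newkey rsa:2048 -nodes -subj "/CN=$4" \
        -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.crt" -CAkey "$1/$2.key" \
        -set_serial 2 -days 2 -extfile "$1/pki.cnf" -extensions "$5" \
        -out "$1/$3.crt" 2>/dev/null
}

make_chain() {  # make_chain DIR: root CA -> sub-CA -> server leaf, written to DIR
    cat > "$1/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = constructed
[ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf]
basicConstraints = CA:FALSE
EOF
    openssl req -x509 -config "$1/pki.cnf" -extensions ca -newkey rsa:2048 \
        -nodes -days 2 -subj "/CN=Constructed Root CA" \
        -keyout "$1/root.key" -out "$1/root.crt" 2>/dev/null &&
    issue "$1" root sub "Constructed Sub CA" ca &&
    issue "$1" sub leaf "couchbase.example.internal" leaf &&
    cat "$1/root.crt" "$1/sub.crt" > "$1/anchors.pem"
}

verify_leaf() {  # verify_leaf ANCHORS LEAF [SENT_INTERMEDIATES]: 0 if chain validates
    if [ -n "$3" ]; then
        openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
    else
        openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
    fi
}

work=$(mktemp -d) && make_chain "$work" || exit 1
trap 'rm -rf "$work"' EXIT
verify_leaf "$work/anchors.pem" "$work/leaf.crt" &&
    echo "root+sub trusted, server sends leaf only: valid"
verify_leaf "$work/root.crt" "$work/leaf.crt" ||
    echo "root trusted, sub-CA unavailable: invalid"
verify_leaf "$work/root.crt" "$work/leaf.crt" "$work/sub.crt" &&
    echo "root trusted, server sends leaf+sub: valid"
```

To run the same check against real files, pass the CA bundle and the server certificate to `verify_leaf` in place of the constructed ones.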