RemoteCertificateNameMismatch error when using SSL

.net

#1

I’m currently trying to get SSL working between our Couchbase client and server, but failing after several hours of trial and error and searching the net. So I’m hoping someone here can help. I have thoroughly followed the instructions here:
http://developer.couchbase.com/documentation/server/4.1/sdks/dotnet-2.2/configuring-ssl.html

My setup:
Client:
ASP.NET WebForms application, .NET 4.5, VB.net (not my choice ;))
Couchbase .Net Client SDK v2.2.5
Couchbase AspNet 2.0.0-beta2 (I’m using the CouchbaseSessionStateProvider)

Server:
Couchbase Server v4.1.0-5005 Enterprise Edition

Config:

<couchbase useSsl="true"> <!-- Everything works if I disable SSL -->
  <servers>
    <add uri="https://<hostname>:8091/pools"></add> <!-- Have tried both http and https -->
  </servers>
  <buckets>
    <add name="<bucketname>" password="<password>"></add>
  </buckets>
</couchbase>

  <sessionState mode="Custom" customProvider="MySessionStateProvider">
    <providers>
      <add name="MySessionStateProvider"
           type="<namespace>.MySessionStateProvider, <assembly>"
           factory="<namespace>.MySessionBucketFactory, <assembly>" />
    </providers>
  </sessionState>

The only thing MySessionStateProvider does is set headerPrefix and dataPrefix and then call base.

MySessionBucketFactory basically does this (error handling etc omitted):

Public Function GetBucket(providerName As String, config As NameValueCollection) As IBucket Implements ICouchbaseBucketFactory.GetBucket
    ' Shared cluster instance built from the <couchbase> config section
    Dim cluster = ClusterHelper.Get()
    ' Single() throws unless exactly one bucket is configured
    Dim bucketName = cluster.Configuration.BucketConfigs.Single().Value.BucketName
    Return ClusterHelper.GetBucket(bucketName)
End Function

If SSL is enabled, I get an exception on ClusterHelper.GetBucket. Tracing shows the following (anonymized):

w3wp.exe Information: 0 : 2016-02-25 12:40:26 [INFO]  Couchbase.Cluster - Version: 2.2.5.0
w3wp.exe Information: 0 : 2016-02-25 12:40:26 [INFO]  Couchbase.Cluster - Configuration: {"QueryFailedThreshold":0,"QueryRequestTimeout":75000,"NodeAvailableCheckInterval":1000,"EnableTcpKeepAlives":true,"TcpKeepAliveTime":7200000,"TcpKeepAliveInterval":1000,"IOErrorThreshold":10,"IOErrorCheckInterval":500,"UseSsl":true,"SslPort":11207,"ApiPort":8092,"MgmtPort":8091,"DirectPort":11210,"HttpsMgmtPort":18091,"HttpsApiPort":18092,"ObserveTimeout":500,"ObserveInterval":2,"MaxViewRetries":2,"ViewHardTimeout":30000,"Servers":["https://ServerHostname:18091/pools"],"SerializationSettings":{"ReferenceLoopHandling":0,"MissingMemberHandling":0,"ObjectCreationHandling":0,"NullValueHandling":0,"DefaultValueHandling":0,"Converters":[],"PreserveReferencesHandling":0,"TypeNameHandling":0,"MetadataPropertyHandling":0,"TypeNameAssemblyFormat":0,"ConstructorHandling":0,"ContractResolver":{"DynamicCodeGeneration":true,"DefaultMembersSearchFlags":20,"SerializeCompilerGeneratedMembers":false,"IgnoreSerializableInterface"
:false,"IgnoreSerializableAttribute":true},"ReferenceResolver":null,"TraceWriter":null,"Binder":null,"Error":null,"Context":{"Context":null,"State":0},"DateFormatString":"yyyy'-'MM'-'dd'T'HH':'mm':'ss.FFFFFFFK","MaxDepth":null,"Formatting":0,"DateFormatHandling":0,"DateTimeZoneHandling":3,"DateParseHandling":1,"FloatFormatHandling":0,"FloatParseHandling":0,"StringEscapeHandling":0,"Culture":"(Default)","CheckAdditionalContent":false},"DeserializationSettings":{"ReferenceLoopHandling":0,"MissingMemberHandling":0,"ObjectCreationHandling":0,"NullValueHandling":0,"DefaultValueHandling":0,"Converters":[],"PreserveReferencesHandling":0,"TypeNameHandling":0,"MetadataPropertyHandling":0,"TypeNameAssemblyFormat":0,"ConstructorHandling":0,"ContractResolver":{"DynamicCodeGeneration":true,"DefaultMembersSearchFlags":20,"SerializeCompilerGeneratedMembers":false,"IgnoreSerializableInterface":false,"IgnoreSerializableAttribute":true},"ReferenceResolver":null,"TraceWriter":null,"Binder":null,"Error":null,"Context":{"Context":
null,"State":0},"DateFormatString":"yyyy'-'MM'-'dd'T'HH':'mm':'ss.FFFFFFFK","MaxDepth":null,"Formatting":0,"DateFormatHandling":0,"DateTimeZoneHandling":3,"DateParseHandling":1,"FloatFormatHandling":0,"FloatParseHandling":0,"StringEscapeHandling":0,"Culture":"(Default)","CheckAdditionalContent":false},"BucketConfigs":{"BucketName":{"UseEnhancedDurability":false,"UseSsl":true,"Servers":["https://ServerHostname:18091/pools"],"Port":11207,"BucketName":"BucketName","Password":"Password","Username":"","PoolConfiguration":{"EnableTcpKeepAlives":true,"TcpKeepAliveTime":7200000,"TcpKeepAliveInterval":1000,"MaxSize":2,"MinSize":1,"WaitTimeout":2500,"MaxAcquireIterationCount":5,"RecieveTimeout":2500,"ShutdownTimeout":10000,"OperationTimeout":2500,"UseSsl":true,"SendTimeout":15000,"ConnectTimeout":10000,"MaxCloseAttempts":5,"CloseAttemptInterval":100,"EnableOperationTiming":false,"BufferSize":16384,"LockAttributes":[],"LockAllAttributesExcept":[],"LockElements":[],"LockAllElementsExcept":[],"Lock
Item":false,"ElementInformation":{"Properties":[],"IsPresent":false,"IsLocked":false,"IsCollection":false,"Source":null,"LineNumber":0,"Type":"Couchbase.Configuration.Client.PoolConfiguration, Couchbase.NetClient, Version=2.2.5.0, Culture=neutral, PublicKeyToken=05e9c6b5a9ec94c2","Validator":{},"Errors":[]},"CurrentConfiguration":null},"ObserveTimeout":500,"ObserveInterval":2,"DefaultOperationLifespan":2500}},"PoolConfiguration":{"EnableTcpKeepAlives":true,"TcpKeepAliveTime":7200000,"TcpKeepAliveInterval":1000,"MaxSize":2,"MinSize":1,"WaitTimeout":2500,"MaxAcquireIterationCount":5,"RecieveTimeout":2500,"ShutdownTimeout":10000,"OperationTimeout":2500,"UseSsl":true,"SendTimeout":15000,"ConnectTimeout":10000,"MaxCloseAttempts":5,"CloseAttemptInterval":100,"EnableOperationTiming":false,"BufferSize":16384,"LockAttributes":[],"LockAllAttributesExcept":[],"LockElements":[],"LockAllElementsExcept":[],"LockItem":false,"ElementInformation":{"Properties":[],"IsPresent":false,"IsLocked":false,"IsCollection":false,"Source"
:null,"LineNumber":0,"Type":"Couchbase.Configuration.Client.PoolConfiguration, Couchbase.NetClient, Version=2.2.5.0, Culture=neutral, PublicKeyToken=05e9c6b5a9ec94c2","Validator":{},"Errors":[]},"CurrentConfiguration":null},"HeartbeatConfigInterval":10000.0,"ViewRequestTimeout":75000,"DefaultConnectionLimit":5,"MaxServicePointIdleTime":1000,"Expect100Continue":false,"EnableConfigHeartBeat":true,"EnableOperationTiming":false,"BufferSize":0,"DefaultOperationLifespan":2500}

2016-02-25 12:40:27 [DEBUG] Couchbase.Core.ClusterController - Trying to bootstrap with Couchbase.Configuration.Server.Providers.CarrierPublication.CarrierPublicationProvider.
2016-02-25 12:40:27 [DEBUG] Couchbase.Configuration.Server.Providers.ConfigProviderBase - Getting config for bucket BucketName
2016-02-25 12:40:27 [DEBUG] Couchbase.Configuration.Server.Providers.ConfigProviderBase - Bootstrapping with ServerIP:11207
2016-02-25 12:40:27 [DEBUG] Couchbase.IO.Services.PooledIOService - Creating PooledIOService b610f1b9-0ffe-44b1-b24f-21544043824b

w3wp.exe Information: 0 : 2016-02-25 12:40:27 [INFO]  Couchbase.IO.ConnectionPool`1[[Couchbase.IO.IConnection, Couchbase.NetClient, Version=2.2.5.0, Culture=neutral, PublicKeyToken=05e9c6b5a9ec94c2]] - Trying to acquire new connection!
w3wp.exe Warning: 0 : 2016-02-25 12:40:27 [WARN]  Couchbase.IO.ConnectionBase - Starting SSL encryption on ServerIP
w3wp.exe Information: 0 : 2016-02-25 12:40:27 [INFO]  Couchbase.IO.ConnectionBase - Validating certificate: RemoteCertificateNameMismatch

w3wp.exe Error: 0 : 2016-02-25 12:40:27 [ERROR] SaslFactory - System.NullReferenceException: Object reference not set to an instance of an object.
   at Couchbase.IO.ConnectionPool`1.Acquire()
   at Couchbase.IO.ConnectionPool`1.Couchbase.IO.IConnectionPool.Acquire()
   at Couchbase.Authentication.SASL.SaslFactory.<>c.<GetFactory>b__2_0(String username, String password, IIOService service, ITypeTranscoder transcoder)
   
2016-02-25 12:40:27 [DEBUG] Couchbase.Configuration.Server.Providers.ConfigProviderBase - Bootstrapping with ServerIP:11207 failed.

w3wp.exe Warning: 0 : 2016-02-25 12:40:27 [WARN]  Couchbase.Configuration.Server.Providers.ConfigProviderBase - System.NullReferenceException: Object reference not set to an instance of an object.
   at Couchbase.IO.ConnectionPool`1.Acquire()
   at Couchbase.IO.ConnectionPool`1.Couchbase.IO.IConnectionPool.Acquire()
   at Couchbase.IO.Services.PooledIOService.Execute[T](IOperation`1 operation)
   at Couchbase.Configuration.Server.Providers.CarrierPublication.CarrierPublicationProvider.GetConfig(String bucketName, String password)
   
2016-02-25 12:40:27 [DEBUG] Couchbase.IO.Services.PooledIOService - Disposing PooledIOService for ServerIP:11207 - b610f1b9-0ffe-44b1-b24f-21544043824b
2016-02-25 12:40:27 [DEBUG] Couchbase.IO.ConnectionPool`1[[Couchbase.IO.IConnection, Couchbase.NetClient, Version=2.2.5.0, Culture=neutral, PublicKeyToken=05e9c6b5a9ec94c2]] - Disposing ConnectionPool for ServerIP:11207 - ea826dc8-898a-44be-9a7e-c11c9d9790cf

w3wp.exe Warning: 0 : 2016-02-25 12:40:27 [WARN]  Couchbase.Core.ClusterController - System.AggregateException: One or more errors occurred. ---> System.NullReferenceException: Object reference not set to an instance of an object.
   at Couchbase.IO.ConnectionPool`1.Acquire()
   at Couchbase.IO.ConnectionPool`1.Couchbase.IO.IConnectionPool.Acquire()
   at Couchbase.IO.Services.PooledIOService.Execute[T](IOperation`1 operation)
   at Couchbase.Configuration.Server.Providers.CarrierPublication.CarrierPublicationProvider.GetConfig(String bucketName, String password)
   --- End of inner exception stack trace ---
   at Couchbase.Configuration.Server.Providers.CarrierPublication.CarrierPublicationProvider.GetConfig(String bucketName, String password)
   at Couchbase.Core.ClusterController.CreateBucket(String bucketName, String password)
---> (Inner Exception #0) System.NullReferenceException: Object reference not set to an instance of an object.
   at Couchbase.IO.ConnectionPool`1.Acquire()
   at Couchbase.IO.ConnectionPool`1.Couchbase.IO.IConnectionPool.Acquire()
   at Couchbase.IO.Services.PooledIOService.Execute[T](IOperation`1 operation)
   at Couchbase.Configuration.Server.Providers.CarrierPublication.CarrierPublicationProvider.GetConfig(String bucketName, String password)<---

2016-02-25 12:40:27 [DEBUG] Couchbase.Core.ClusterController - Trying to bootstrap with Couchbase.Configuration.Server.Providers.Streaming.HttpStreamingProvider.

w3wp.exe Information: 0 : 2016-02-25 12:40:27 [INFO]  Couchbase.Configuration.Server.Providers.Streaming.HttpServerConfig - Bootstrapping from https://ServerHostname:18091/pools
w3wp.exe Error: 0 : 2016-02-25 12:40:27 [ERROR] Couchbase.Configuration.Server.Providers.Streaming.HttpServerConfig - Bootstrapping failed from https://ServerHostname:18091/pools: System.Net.WebException: The request was aborted: Could not create SSL/TLS secure channel.
   at System.Net.WebClient.DownloadDataInternal(Uri address, WebRequest& request)
   at System.Net.WebClient.DownloadString(Uri address)
   at Couchbase.Configuration.Server.Providers.Streaming.HttpServerConfig.DownLoadConfig[T](Uri uri)
   at Couchbase.Configuration.Server.Providers.Streaming.HttpServerConfig.DownloadConfigs(Uri server)

w3wp.exe Warning: 0 : 2016-02-25 12:40:27 [WARN]  Couchbase.Core.ClusterController - Couchbase.Configuration.Server.Serialization.BootstrapException: Could not bootstrap from configured servers list.
   at Couchbase.Configuration.Server.Providers.Streaming.HttpServerConfig.Initialize()
   at Couchbase.Configuration.Server.Providers.Streaming.HttpStreamingProvider.StartProvider(String username, String password)
   at Couchbase.Configuration.Server.Providers.Streaming.HttpStreamingProvider.GetConfig(String bucketName, String password)
   at Couchbase.Core.ClusterController.CreateBucket(String bucketName, String password)

#2

That is your error. The reason is that in <= 2.2.5 the SDK doesn’t support fully qualified domain names; this is patched in 2.2.6 scheduled for release next week: https://issues.couchbase.com/browse/NCBC-981

The workaround is to use the IP instead of the FQDN. If you are using the IP, then I suggest re-installing the certificate on your application server.

-Jeff
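
Added example (not part of the thread and not Couchbase SDK code): a trace scanner that reports each certificate validation whose logged SslPolicyErrors value is not None, along with the endpoint and the exceptions logged afterwards, since in the trace in post #1 the name mismatch appears only at INFO level while the errors are a NullReferenceException and a WebException. The line format is taken from that trace; the comma-separated multi-flag form is an assumption based on how .NET prints flag enums, and the sample lines are abridged from post #1.

```python
import re

# SslPolicyErrors flag names as .NET prints them ("None" means validation passed).
POLICY_ERRORS = {"RemoteCertificateNotAvailable", "RemoteCertificateNameMismatch",
                 "RemoteCertificateChainErrors"}
LINE = re.compile(r"(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \[(\w+)\]\s+.+? - (.*)")
START = re.compile(r"Starting SSL encryption on (\S+)")
VALIDATE = re.compile(r"Validating certificate: ([\w, ]+)")
EXCEPTION = re.compile(r"[\w.]+Exception")

def triage(lines):
    """Return one finding per failed certificate validation in an SDK trace."""
    findings, endpoint, current = [], None, None
    for raw in lines:
        m = LINE.search(raw)
        if not m:
            continue  # stack frames and blank lines carry no timestamp
        ts, level, msg = m.groups()
        if s := START.search(msg):
            endpoint, current = s.group(1), None
        elif v := VALIDATE.search(msg):
            # Assumption: several flags are logged as "A, B" (.NET flags-enum format).
            failed = sorted({f.strip() for f in v.group(1).split(",")} & POLICY_ERRORS)
            if failed:
                current = {"time": ts, "endpoint": endpoint,
                           "policy_errors": failed, "followed_by": []}
                findings.append(current)
        elif current and level in ("ERROR", "WARN"):
            # Exceptions logged after the failed validation are what the caller sees.
            e = EXCEPTION.search(msg)
            if e and e.group() not in current["followed_by"]:
                current["followed_by"].append(e.group())
    return findings

# Constructed sample: abridged from the trace in post #1, placeholders kept as posted.
SAMPLE = """\
w3wp.exe Warning: 0 : 2016-02-25 12:40:27 [WARN]  Couchbase.IO.ConnectionBase - Starting SSL encryption on ServerIP
w3wp.exe Information: 0 : 2016-02-25 12:40:27 [INFO]  Couchbase.IO.ConnectionBase - Validating certificate: RemoteCertificateNameMismatch
w3wp.exe Error: 0 : 2016-02-25 12:40:27 [ERROR] SaslFactory - System.NullReferenceException: Object reference not set to an instance of an object.
   at Couchbase.IO.ConnectionPool`1.Acquire()
w3wp.exe Error: 0 : 2016-02-25 12:40:27 [ERROR] Couchbase.Configuration.Server.Providers.Streaming.HttpServerConfig - Bootstrapping failed from https://ServerHostname:18091/pools: System.Net.WebException: The request was aborted: Could not create SSL/TLS secure channel.
""".splitlines()

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```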


#3

Thank you Jeff! Even though I haven’t yet tried the IP workaround, it sure sounds like this is the problem.

/Mathias