TLS client: In state cipher received SERVER ALERT: Fatal - Unknown CA error enabling x509 cert auth for replcation #2964

raulmartinezr · 2020-06-24T09:59:57Z

raulmartinezr
Jun 24, 2020

Hi,

I try to configure client certificate authentication in the following scenario with couchDB 3.1.0

Server CouchDB
Client CouchDB where I configure bidirecctional replication, to and from server Couch DB (push+pull)

However, when everything seems to be well configured I see the following errors

Client side

   TLS client: In state cipher received SERVER ALERT: Fatal - Unknown CA

Server Side

    TLS server: In state certify received CLIENT ALERT: Fatal - Handshake Failure

It seems client does not trust server CA, but it should do. I reproduced the same connecttion with openssl and curl, and it's working in both cases

 sudo curl --url https://192.168.1.66:6984/database/  \
--key /opt/couchdb/etc/ssl/node-71.client.key.pem \
--cert /opt/couchdb/etc/ssl/node-71.client.cert.pem \
 --cacert /opt/couchdb/etc/ssl/ca-chain.cert.pem --insecure
{"error":"unauthorized","reason":"You are not authorized to access this db."}

sudo openssl s_client  -connect 192.168.1.66:6984 \
-key /opt/couchdb/etc/ssl/node-71.client.key.pem \
-cert /opt/couchdb/etc/ssl/node-71.client.cert.pem \
-CAfile /opt/couchdb/etc/ssl/ca-chain.cert.pem
CONNECTED(00000005)
....

Below relevant configuration in both sides, client and server
Remark: all certificates are signed by same intermediate CA (all have the same validation path) and both, root and intermediate CAs are included in /opt/couchdb/etc/ssl/ca-chain.cert.pem

Client

      [ssl]
      enable = true
      cert_file = /opt/couchdb/etc/ssl/node-71.server.cert.pem
      key_file = /opt/couchdb/etc/ssl/node-71.server.key.pem
      verify_ssl_certificates = true
      fail_if_no_peer_cert = false
      cacert_file = /opt/couchdb/etc/ssl/ca-chain.cert.pem
      [replicator]
      cert_file = /opt/couchdb/etc/ssl/node-71.client.cert.pem
      key_file = /opt/couchdb/etc/ssl/node-71.client.key.pem
      ;# Avoid hostanme check failed
      verify_ssl_certificates = false
      ssl_trusted_certificates_file = /opt/couchdb/etc/ssl/ca-chain.cert.pem
      ssl_certificate_max_depth = 5

Server

     [ssl]
     enable = true
     cert_file = /opt/couchdb/etc/ssl/node-66.server.cert.pem
     key_file = /opt/couchdb/etc/ssl/node-66.server.key.pem
     verify_ssl_certificates = true
     fail_if_no_peer_cert = true
     cacert_file = /opt/couchdb/etc/ssl/ca-chain.cert.pem
     [replicator]
      cert_file = /opt/couchdb/etc/ssl/node-66.client.cert.pem
      key_file = /opt/couchdb/etc/ssl/node-66.client.key.pem
      verify_ssl_certificates = false
      ssl_trusted_certificates_file = /opt/couchdb/etc/ssl/ca-chain.cert.pem

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

TLS client: In state cipher received SERVER ALERT: Fatal - Unknown CA error enabling x509 cert auth for replcation #2964

Uh oh!

{{title}}

Uh oh!

Replies: 0 comments

Select a reply

Uh oh!

TLS client: In state cipher received SERVER ALERT: Fatal - Unknown CA error enabling x509 cert auth for replcation #2964

Uh oh!

raulmartinezr Jun 24, 2020

Replies: 0 comments

raulmartinezr
Jun 24, 2020