Configuring CouchDB with a Let's Encrypt SSL certificate

mne*_*dia 7 ssl couchdb lets-encrypt

What I want to do: right now I am using a self-signed SSL certificate, which works fine. But I want to use an official Let's Encrypt one.

What I have (self-signed certificate): this is the output of the relevant SSL settings in my local.ini:

[daemons]
; enable SSL support by uncommenting the following line and supply the PEM's below.
; the default ssl port CouchDB listens on is 6984
httpsd = {couch_httpd, start_link, [https]}

[ssl]
; these are my self made certificates
cert_file = /etc/couchdb/certs/server.crt
key_file = /etc/couchdb/certs/server.key

; set to true to validate peer certificates
verify_ssl_certificates = false
; Path to file containing PEM encoded CA certificates (trusted
; certificates used for verifying a peer certificate). May be omitted if
; you do not want to verify the peer.
;cacert_file = /full/path/to/cacertf
; The verification fun (optional) if not specified, the default
; verification fun will be used.
;verify_fun = {Module, VerifyFun}
; maximum peer certificate depth
ssl_certificate_max_depth = 1

What I tried (Let's Encrypt): after following the Let's Encrypt documentation, I have a folder /etc/letsencrypt/live/[domain] containing the following files:

-cert.pem       // seems to be the public certificate
-chain.pem      // seems to be the public certificate from the keychain
-fullchain.pem  // seems to be the cert.pem + chain.pem
-privkey.pem    // seems to be the private certificate

So I tried to replace the old certificates with the new ones in local.ini:

[ssl]
; new certificate
cert_file = /etc/letsencrypt/live/[domain]/cert.pem
key_file = /etc/letsencrypt/live/[domain]/privkey.pem

The problem: after restarting CouchDB, the non-SSL port 5984 still works. But with SSL on port 6984 I get a connection reset error in Chrome. PS: I also use the same Let's Encrypt certificates for my nginx, and they work fine there.

Any ideas?

openssl debug information:

1) With SSL and the self-signed certificate, I get a printout of the certificate and a lot of the information I entered.

2) Without SSL and with Let's Encrypt: openssl s_client -connect localhost:5984

CONNECTED(00000003)
140581663061872:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:795:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 207 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE

3) With SSL and Let's Encrypt: openssl s_client -connect localhost:6984

CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 207 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE

小智 6

Using CouchDB 1.6.x

Copy the files from /etc/letsencrypt/archive/xxxx/ to /var/lib/couchdb/cert1/

Check CouchDB's access permissions

Put the following values into /usr/local/etc/couchdb/local.ini. Note that the folder below matches the folder copied to above.

cert_file = /var/lib/couchdb/cert1/cert1.pem
key_file = /var/lib/couchdb/cert1/privkey1.pem
cacert_file = /var/lib/couchdb/cert1/fullchain1.pem

  • Thanks. This also works with CouchDB 2.1.0. But why can't you just link them directly to the Let's Encrypt files? I even tried giving them 777 permissions. (3)
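The answer above copies the Let's Encrypt files into a CouchDB-owned directory and tells you to check CouchDB's access permissions; the comment asks why pointing at (or linking to) the files in /etc/letsencrypt does not work even with mode 777. Certbot keeps /etc/letsencrypt/live and /etc/letsencrypt/archive readable and searchable only by root, so the mode of the files inside is irrelevant: the couchdb service user cannot traverse the parent directories, the Erlang SSL application fails to open the key, and the client sees a reset instead of a handshake. The script below is an added example, not code from the question or the answer; it implements the answer's copy step with the key created already locked down (0600), and it includes a permission walk that reports the first directory or file a given uid cannot pass, which is the check to run before restarting CouchDB. The CouchDB user name, the destination directory and the constructed PEM contents in the test are assumptions.

```python
"""Install Let's Encrypt files for CouchDB and verify the service user can read them.

Added example (not from the original Q&A). Assumptions: the CouchDB service user
is called "couchdb" and the copies live under /var/lib/couchdb/cert1; both are
parameters below.
"""
import os
import pwd
import stat
from typing import Dict, Iterable, Optional, Tuple

# Files the [ssl] section needs, with the mode each copy should get.
# The private key must never be group- or world-readable.
CERT_FILES = {"cert.pem": 0o644, "fullchain.pem": 0o644, "privkey.pem": 0o600}


def _permits(st: os.stat_result, uid: int, gids: Iterable[int], own: int, grp: int, oth: int) -> bool:
    """Classic Unix discretionary access check for one permission class on one inode."""
    if uid == 0:                       # root bypasses read/search permission bits
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & own)
    if st.st_gid in set(gids):
        return bool(st.st_mode & grp)
    return bool(st.st_mode & oth)


def can_read_as(path: str, uid: int, gids: Iterable[int]) -> Tuple[bool, str]:
    """Return (ok, blocking_path): whether uid could open `path` for reading.

    Symlinks are resolved first, so a link placed in a CouchDB-owned directory
    that points into /etc/letsencrypt/archive is judged by the target's ancestors.
    Every ancestor directory needs search (x) permission; the file needs read (r).
    """
    real = os.path.realpath(path)
    ancestors = []
    d = os.path.dirname(real)
    while True:
        ancestors.append(d)
        parent = os.path.dirname(d)
        if parent == d:
            break
        d = parent
    for d in reversed(ancestors):      # walk from "/" down to the file's directory
        if not _permits(os.stat(d), uid, gids, stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH):
            return False, d
    if not _permits(os.stat(real), uid, gids, stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH):
        return False, real
    return True, real


def install_for_couchdb(live_dir: str, dest_dir: str, owner: Optional[str] = None) -> Dict[str, str]:
    """Copy cert.pem, fullchain.pem and privkey.pem from live_dir into dest_dir.

    Reading through live_dir follows certbot's symlinks into archive/. Each copy
    is created with mode 0600 before any bytes are written, then relaxed to the
    mode in CERT_FILES, so the key is never briefly world-readable. If `owner`
    is given (requires root), the directory and files are chowned to that user.
    """
    os.makedirs(dest_dir, mode=0o750, exist_ok=True)
    uid = gid = None
    if owner is not None:
        pw = pwd.getpwnam(owner)
        uid, gid = pw.pw_uid, pw.pw_gid
        os.chown(dest_dir, uid, gid)
    copied: Dict[str, str] = {}
    for name, mode in CERT_FILES.items():
        with open(os.path.join(live_dir, name), "rb") as src:
            data = src.read()
        dst = os.path.join(dest_dir, name)
        fd = os.open(dst, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, "wb") as out:
            out.write(data)
        os.chmod(dst, mode)
        if uid is not None:
            os.chown(dst, uid, gid)
        copied[name] = dst
    return copied


def ssl_section(copied: Dict[str, str]) -> str:
    """Render the [ssl] lines for local.ini that point at the copies."""
    return "\n".join([
        "[ssl]",
        f"cert_file = {copied['cert.pem']}",
        f"key_file = {copied['privkey.pem']}",
        f"cacert_file = {copied['fullchain.pem']}",
    ])


if __name__ == "__main__":
    import sys
    # usage: python install_couchdb_certs.py /etc/letsencrypt/live/DOMAIN /var/lib/couchdb/cert1 couchdb
    live, dest, user = sys.argv[1], sys.argv[2], sys.argv[3]
    files = install_for_couchdb(live, dest, owner=user)
    pw = pwd.getpwnam(user)
    for name, path in files.items():
        ok, blocker = can_read_as(path, pw.pw_uid, os.getgrouplist(user, pw.pw_gid))
        print(f"{name}: {'readable' if ok else 'BLOCKED at ' + blocker} for {user}")
    print(ssl_section(files))
```

Run the check against the paths in /etc/letsencrypt/live first: it reports the live or archive directory as the blocker for the couchdb uid, which is exactly why a 777 on the files changes nothing. After the copy, the same check passes and the printed [ssl] lines can go into local.ini. Because certbot writes a new archive file on each renewal, this script belongs in a renewal deploy hook followed by a CouchDB restart.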