Verbally Flimzy

Ramblings, Observations and Misconceptions

Configuring CouchDB 1.6.1 with LetsEncrypt free SSL certificate on Debian 8 (jessie)

Posted on February 17, 2017

  1. Enable jessie-backports, if not already enabled on your system. As described here:

    echo deb http://ftp.debian.org/debian jessie-backports main | sudo tee /etc/apt/sources.list.d/backports.list > /dev/null
    aptitude update

  2. Install certbot as described here:

    sudo aptitude install certbot -t jessie-backports

  3. Configure a web server, so certbot can communicate with the outside world. I use lighttpd.

    sudo aptitude install lighttpd

  4. Configure the web server to allow the couchdb user write access to the web root directory, since certbot (run as couchdb in step 6) places its challenge files there.

    sudo chown root:couchdb /var/www/html
    sudo chmod g+rxw /var/www/html

  5. Set up a directory to store your certificates:

    sudo mkdir /etc/couchdb/letsencrypt
    sudo chown couchdb.couchdb /etc/couchdb/letsencrypt
    sudo chmod g+rwx /etc/couchdb/letsencrypt

  6. Generate your initial SSL certificate:

    sudo -u couchdb certbot certonly --webroot -w /var/www/html --config-dir /etc/couchdb/letsencrypt --logs-dir /var/log/couchdb -d

    Follow the prompts to configure certbot.

  7. Configure CouchDB as described here. Edit /etc/couchdb/local.ini to match:

    [daemons]
    httpsd = {couch_httpd, start_link, [https]}

    [ssl]
    cert_file = /etc/letsencrypt/live//cert.pem
    key_file = /etc/letsencrypt/live//privkey.pem
    cacert_file = /etc/letsencrypt/live//chain.pem

    And probably disable HTTP, too, by editing /etc/couchdb/default.ini and commenting out the following line in the [daemons] section:

    ;httpd={couch_httpd, start_link, []}

  8. Test!

    Visit https://<hostname>:6984/_utils, and verify that http://<hostname>:5984/_utils does not work.
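As an added example that is not part of the original post, the POSIX shell script below checks the result of step 7 before you restart CouchDB: it reads the `[ssl]` section of `local.ini`, confirms that each referenced file exists and is readable by the user running the check, and flags a private key that is world-readable. Run it as the couchdb user, because that is the user the HTTPS daemon reads the key as. Keep in mind that certbot writes its `live/<hostname>/` directory under whatever `--config-dir` was given in step 6, so the paths in `[ssl]` must point there. The script name and the ini path in the usage line are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check the [ssl] section
# of CouchDB's local.ini against the files certbot actually wrote.
# Run as the CouchDB user so readability is tested with its privileges:
#   sudo -u couchdb sh check_couchdb_ssl.sh /etc/couchdb/local.ini
# (script name and ini path are assumptions)

# ssl_setting INI KEY: print the value of KEY from the [ssl] section of INI.
# Lines starting with ";" are comments to CouchDB and are ignored here too.
ssl_setting() {
    awk -v key="$2" '
        /^[[:space:]]*\[/ { insec = ($0 ~ /^[[:space:]]*\[ssl\]/); next }
        insec && $0 !~ /^[[:space:]]*;/ && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
            if (k == key) {
                v = substr($0, index($0, "=") + 1)
                gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
                print v
            }
        }' "$1"
}

# check_couchdb_ssl INI: report on cert_file, key_file and cacert_file.
# Returns 0 only if all three are set, exist, are readable by the caller,
# and the private key is not readable by "other".
check_couchdb_ssl() {
    ini=$1
    rc=0
    for key in cert_file key_file cacert_file; do
        path=$(ssl_setting "$ini" "$key")
        if [ -z "$path" ]; then
            echo "MISSING     $key is not set in [ssl]"
            rc=1
        elif [ ! -r "$path" ]; then
            echo "UNREADABLE  $key = $path"
            rc=1
        elif [ "$key" = key_file ] && [ -n "$(find "$path" -perm -o=r)" ]; then
            echo "INSECURE    $key = $path is world-readable"
            rc=1
        else
            echo "ok          $key = $path"
        fi
    done
    return $rc
}

# Run the check when an ini path is given on the command line.
if [ $# -eq 1 ]; then
    check_couchdb_ssl "$1"
fi
```

A non-zero exit means at least one of the three paths is wrong for the user you ran the check as; the HTTPS daemon will fail to start with exactly that file in the same state, so fix the path or the ownership before testing on port 6984.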

Filed under: Linux