Configuring CouchDB 1.6.1 with LetsEncrypt free SSL certificate on Debian 8 (jessie)

  1. Enable jessie-backports, if not already enabled on your system. As described here:

    echo deb http://ftp.debian.org/debian jessie-backports main | sudo tee /etc/apt/sources.list.d/backports.list > /dev/null
    aptitude update

  2. Install certbot as described here:

    sudo aptitude install certbot -t jessie-backports

  3. Configure a web server, so certbot can communicate with the outside world. I use lighttpd.

    sudo aptitude install lighttpd

  4. Configure the web server to allow the couchdb user write access to the root directory.

    sudo chown root:couchdb /var/www/html
    sudo chmod g+rxw /var/www/html

  5. Set up a directory to store your certificates:

    sudo mkdir /etc/couchdb/letsencrypt
    sudo chown couchdb:couchdb /etc/couchdb/letsencrypt
    sudo chmod g+rwx /etc/couchdb/letsencrypt

  6. Generate your initial SSL certificate:

    sudo -u couchdb certbot certonly --webroot -w /var/www/html --config-dir /etc/couchdb/letsencrypt --logs-dir /var/log/couchdb -d

    Follow the prompts to configure certbot.

  7. Configure CouchDB as described here. Edit /etc/couchdb/local.ini to match:

    [daemons]
    httpsd = {couch_httpd, start_link, [https]}

    [ssl]
    ; certbot was run with --config-dir /etc/couchdb/letsencrypt in step 6,
    ; so its live/ directory sits under that path, not under /etc/letsencrypt
    cert_file = /etc/couchdb/letsencrypt/live//cert.pem
    key_file = /etc/couchdb/letsencrypt/live//privkey.pem
    cacert_file = /etc/couchdb/letsencrypt/live//chain.pem

    And probably disable HTTP, too, by editing /etc/couchdb/default.ini and commenting out the following line in the [daemons] section:

    ;httpd={couch_httpd, start_link, []}

  8. Test!

    Visit https://<hostname>:6984/_utils, and verify that http://<hostname>:5984/_utils does not work.
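    Let's Encrypt certificates are short-lived, so the setup above also needs a renewal path. The script below is an added example (not part of the original post): it renews with the same webroot and --config-dir as step 6, running certbot as the couchdb user again, and restarts CouchDB only when a certificate file actually changed. It assumes the paths used in this post and that CouchDB's httpsd reads the key and certificate only at start-up.

```shell
#!/bin/sh
# Added example, not part of the original post: renew the certificate issued in
# step 6 using the same webroot and --config-dir, and restart CouchDB only when
# a certificate file actually changed. Paths are the ones used in the post.
set -eu

WEBROOT=/var/www/html
CONFIG_DIR=/etc/couchdb/letsencrypt
LOG_DIR=/var/log/couchdb

# SHA-256 over every live/*/cert.pem under the given certbot config dir, so a
# renewal of any lineage changes the value; a config dir with no certificates
# hashes to the hash of the empty string.
live_fingerprint() {
    for f in "$1"/live/*/cert.pem; do
        [ -f "$f" ] && cat "$f"
    done | sha256sum | cut -d' ' -f1
}

# Exit status 0 when the two fingerprints differ.
cert_changed() {
    [ "$1" != "$2" ]
}

renew_and_reload() {
    before=$(live_fingerprint "$CONFIG_DIR")
    # Run as the couchdb user, like the initial issuance, so renewed files stay
    # owned by couchdb and no root-owned files appear under the config dir.
    sudo -u couchdb certbot renew --webroot -w "$WEBROOT" \
        --config-dir "$CONFIG_DIR" --logs-dir "$LOG_DIR" --quiet
    after=$(live_fingerprint "$CONFIG_DIR")
    if cert_changed "$before" "$after"; then
        # Assumption: the httpsd daemon reads key_file/cert_file only at
        # start-up, so a restart is needed to serve the renewed certificate.
        service couchdb restart
    fi
}

# Invoked as "renew-couchdb-cert.sh renew" (for example from a daily cron job);
# running or sourcing the file without that argument only defines the functions.
case "${1:-}" in
    renew) renew_and_reload ;;
esac
```

Run it from root's crontab once a day; certbot itself decides whether the certificate is close enough to expiry to be renewed.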

2 Comments

  1. lighttpd is so that certbot can validate ownership of the host. You could use one of the other methods, such as `--standalone` if you prefer, but then you have to run certbot as root.
