- Enable jessie-backports, if it is not already enabled on your system:

      echo deb http://ftp.debian.org/debian jessie-backports main | sudo tee /etc/apt/sources.list.d/backports.list > /dev/null
      sudo aptitude update

- Install certbot from backports:

      sudo aptitude install certbot -t jessie-backports
- Install a web server so that certbot can answer the ACME HTTP challenge from the outside world. I use lighttpd:

      sudo aptitude install lighttpd
- Give the couchdb user write access to the web server's document root, so that certbot (which runs as couchdb below) can drop its challenge files there:

      sudo chown root:couchdb /var/www/html
      sudo chmod g+rwx /var/www/html

  This is more than certbot strictly needs: the webroot plugin only ever writes into `/var/www/html/.well-known/acme-challenge`, so if you create that directory yourself you can grant the couchdb group write access to it alone and leave the rest of the document root read-only.

- Set up a directory to store your certificates. It is owned by couchdb because certbot will run as that user and CouchDB must be able to read the private key it produces:

      sudo mkdir /etc/couchdb/letsencrypt
      sudo chown couchdb:couchdb /etc/couchdb/letsencrypt
      sudo chmod g+rwx /etc/couchdb/letsencrypt

- Generate your initial SSL certificate, as the couchdb user and with certbot's state redirected into the directory created above (`-d` takes the hostname the certificate is for):

      sudo -u couchdb certbot certonly --webroot -w /var/www/html --config-dir /etc/couchdb/letsencrypt --logs-dir /var/log/couchdb -d

  Follow the prompts to configure certbot. Two caveats: certbot's third state directory defaults to `/var/lib/letsencrypt`, which the couchdb user cannot create or write to, so if certbot stops with an error about that directory, also pass `--work-dir` pointing at a couchdb-writable location. And Let's Encrypt certificates are valid for 90 days, so schedule `certbot renew` as the couchdb user with the same `--config-dir` and `--logs-dir` options, and restart CouchDB after a renewal so the HTTPS listener is certain to pick up the new files.
- Configure CouchDB to serve HTTPS. Edit `/etc/couchdb/local.ini` to match:

      [daemons]
      httpsd = {couch_httpd, start_link, [https]}

      [ssl]
      cert_file = /etc/couchdb/letsencrypt/live//cert.pem
      key_file = /etc/couchdb/letsencrypt/live//privkey.pem
      cacert_file = /etc/couchdb/letsencrypt/live//chain.pem

  The files live under `/etc/couchdb/letsencrypt` rather than certbot's default `/etc/letsencrypt` because that is what `--config-dir` was set to above (the default location would be root-owned and unreadable by CouchDB anyway). The empty path component is the hostname you passed to `-d`, which certbot uses as the name of the `live/` subdirectory. Probably disable plain HTTP, too, by editing `/etc/couchdb/default.ini` and commenting out the following line in the `[daemons]` section:

      ;httpd={couch_httpd, start_link, []}

  CouchDB's own `default.ini` warns that upgrading CouchDB overwrites the file, so expect to redo this after a package upgrade. Restart CouchDB once both files are edited.
- Test! Visit `https://<hostname>:6984/_utils` (6984 is CouchDB's default SSL port) and verify that `http://<hostname>:5984/_utils` no longer works.
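Once the steps above are done, the following POSIX shell script (an added example, not part of the original post) checks the result before you rely on it: that every file named in `[ssl]` exists and is readable by the user running the script, that `.well-known/acme-challenge` under the webroot is writable (the one directory certbot's webroot plugin needs), that `key_file` really belongs to `cert_file`, and optionally that HTTPS answers on 6984 while plain HTTP on 5984 does not. The paths `/etc/couchdb/local.ini` and `/var/www/html`, the script name `check_couchdb_tls.sh` and the use of curl for the listener check are assumptions taken from the walkthrough, not anything the post specifies.

```shell
#!/bin/sh
# check_couchdb_tls.sh: post-setup checks for the CouchDB + certbot walkthrough.
# Added example, not part of the original post.  Paths are assumptions taken
# from the walkthrough; run as the couchdb user so the readability checks
# reflect what CouchDB itself will see:
#   sudo -u couchdb sh check_couchdb_tls.sh /etc/couchdb/local.ini /var/www/html myhost

# ini_get FILE SECTION KEY: print the value of KEY inside [SECTION], skipping
# ';' comment lines and accepting both "key = value" and "key=value".
ini_get() {
  awk -v sec="[$2]" -v key="$3" '
    /^[ \t]*;/ { next }
    /^\[/      { h = $0; sub(/[ \t]+$/, "", h); in_sec = (h == sec); next }
    in_sec {
      eq = index($0, "=")
      if (eq == 0) next
      k = substr($0, 1, eq - 1); gsub(/[ \t]/, "", k)
      if (k != key) next
      v = substr($0, eq + 1); sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v)
      print v; exit
    }' "$1"
}

# check_ssl_paths INI: every file the [ssl] section points at must exist and
# be readable by the current user.  certbot creates them owned by the user
# that ran it, with the private key readable only by that owner, which is
# why the walkthrough runs certbot as couchdb.
check_ssl_paths() {
  for key in cert_file key_file cacert_file; do
    f=$(ini_get "$1" ssl "$key")
    if [ -z "$f" ]; then echo "[ssl] $key is not set in $1" >&2; return 1; fi
    if [ ! -r "$f" ]; then echo "[ssl] $key=$f is missing or unreadable" >&2; return 1; fi
  done
  return 0
}

# check_acme_dir WEBROOT: certbot --webroot only writes under
# WEBROOT/.well-known/acme-challenge, so that subdirectory is the only thing
# that has to be writable; the rest of the document root can stay read-only.
check_acme_dir() {
  d="$1/.well-known/acme-challenge"
  [ -d "$d" ] && [ -w "$d" ]
}

# check_key_matches_cert CERT KEY: compare the public key embedded in the
# certificate with the one derived from the private key.  Works for RSA and
# EC keys alike, unlike comparing RSA moduli.
check_key_matches_cert() {
  c=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null) || return 1
  k=$(openssl pkey -pubout -in "$2" 2>/dev/null) || return 1
  [ "$c" = "$k" ]
}

# check_listeners HOST: HTTPS on 6984 must answer and plain HTTP on 5984 must
# not, since the walkthrough comments out the httpd daemon.  Needs curl and a
# running CouchDB, so this is only exercised when a hostname is given.
check_listeners() {
  curl -fsSL -o /dev/null "https://$1:6984/_utils/" \
    || { echo "https://$1:6984 is not serving" >&2; return 1; }
  if curl -s -o /dev/null "http://$1:5984/_utils/"; then
    echo "http://$1:5984 still answers; plain HTTP is not disabled" >&2
    return 1
  fi
  return 0
}

# Usage: check_couchdb_tls.sh INI WEBROOT [HOST]
if [ $# -ge 2 ]; then
  ini=$1; webroot=$2; host=$3; status=0
  check_ssl_paths "$ini" || status=1
  check_acme_dir "$webroot" \
    || { echo "$webroot/.well-known/acme-challenge is missing or not writable" >&2; status=1; }
  if [ $status -eq 0 ]; then
    check_key_matches_cert "$(ini_get "$ini" ssl cert_file)" "$(ini_get "$ini" ssl key_file)" \
      || { echo "key_file does not match cert_file" >&2; status=1; }
  fi
  if [ -n "$host" ]; then check_listeners "$host" || status=1; fi
  exit $status
fi
```

The key/certificate comparison is worth keeping around for renewals: a `live/` directory whose `privkey.pem` and `cert.pem` symlinks point at different generations is the usual reason an HTTPS listener refuses to start after certbot has run.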
Why is lighttpd needed?

lighttpd is there so that certbot can prove to Let's Encrypt that you control the host, by serving the ACME challenge file over plain HTTP on port 80. You could use one of the other methods, such as `--standalone`, if you prefer, but then certbot has to bind port 80 itself, so you have to run it as root, and the resulting private key is owned by root rather than by couchdb.