Configuring CouchDB 1.6.1 with LetsEncrypt free SSL certificate on Debian 8 (jessie)
Posted on February 17, 2017
-
Enable jessie-backports, if not already enabled on your system, as described here:
echo deb http://ftp.debian.org/debian jessie-backports main | sudo tee /etc/apt/sources.list.d/backports.list > /dev/null
sudo aptitude update
-
Install certbot from backports, as described here:
sudo aptitude install certbot -t jessie-backports
-
Configure a web server, so certbot can answer the Let's Encrypt HTTP-01 challenge; port 80 on the host must be reachable from the internet for this to work. I use lighttpd.
sudo aptitude install lighttpd
-
Give the couchdb user write access to the web server's document root (/var/www/html for lighttpd on Debian). certbot will be run as that user below and needs to write the challenge files under /var/www/html/.well-known/acme-challenge/:
sudo chown root:couchdb /var/www/html
sudo chmod g+rxw /var/www/html
-
Set up a directory to store your certificates, owned by the couchdb user so that certbot (run as couchdb below) can write there and CouchDB can read the key:
sudo mkdir /etc/couchdb/letsencrypt
sudo chown couchdb:couchdb /etc/couchdb/letsencrypt
sudo chmod g+rwx /etc/couchdb/letsencrypt
-
Generate your initial SSL certificate, running certbot as the couchdb user so that the private key it writes is owned by the user that will read it:
sudo -u couchdb certbot certonly --webroot -w /var/www/html --config-dir /etc/couchdb/letsencrypt --logs-dir /var/log/couchdb -d <hostname>
Follow the prompts to configure certbot. If certbot fails with a permission error on its working directory (the default, /var/lib/letsencrypt, is not writable by the couchdb user), add --work-dir pointing at a directory couchdb can write to, for example /etc/couchdb/letsencrypt/work. Keep using the same --config-dir, --work-dir and --logs-dir for every later certbot run, including renewals; certbot only finds what it issued if it is pointed at the same configuration directory.
-
Configure CouchDB as described here. Edit /etc/couchdb/local.ini to match. Note that certbot stores what it issues under the --config-dir given above, so the certificate paths are under /etc/couchdb/letsencrypt/live/<hostname>/, not /etc/letsencrypt/live/:
[daemons]
httpsd = {couch_httpd, start_link, [https]}

[ssl]
cert_file = /etc/couchdb/letsencrypt/live/<hostname>/cert.pem
key_file = /etc/couchdb/letsencrypt/live/<hostname>/privkey.pem
cacert_file = /etc/couchdb/letsencrypt/live/<hostname>/chain.pem
And probably disable plain HTTP, too, by editing /etc/couchdb/default.ini and commenting out the following line in the [daemons] section:
;httpd={couch_httpd, start_link, []}
default.ini is replaced when CouchDB is upgraded, so check this line again after every upgrade. Restart CouchDB for the changes to take effect.
-
Test!
Visit https://<hostname>:6984/_utils and check that the browser accepts the certificate without a warning (a warning means either the hostname does not match the certificate or the chain is incomplete, i.e. cacert_file is not being served). Then verify that http://<hostname>:5984/_utils does not work: the connection should be refused outright, not answered or redirected. Let's Encrypt certificates are valid for 90 days, so renewal has to be automated with the same certbot directories and user used above.
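A renewal and verification script for the setup above, added here as an example; it is not from the original post. It assumes the post's paths (certbot --config-dir /etc/couchdb/letsencrypt, --logs-dir /var/log/couchdb, certbot run as the couchdb user, HTTPS on 6984 and HTTP on 5984), plus two things the post does not state: a writable certbot --work-dir under the config directory, and `service couchdb restart` as the way to restart CouchDB. The hostname is passed as an argument.

```sh
#!/bin/sh
# Added example, not from the original post. Renewal and verification helpers for a
# CouchDB 1.6.1 instance whose certificate was issued with:
#   sudo -u couchdb certbot certonly --webroot -w /var/www/html \
#        --config-dir /etc/couchdb/letsencrypt --logs-dir /var/log/couchdb -d <hostname>
set -eu

CONFIG_DIR="${CONFIG_DIR:-/etc/couchdb/letsencrypt}"   # certbot --config-dir from the post
LOGS_DIR="${LOGS_DIR:-/var/log/couchdb}"               # certbot --logs-dir from the post
WORK_DIR="${WORK_DIR:-$CONFIG_DIR/work}"               # assumption: certbot's default
                                                       # /var/lib/letsencrypt is not writable
                                                       # by the couchdb user
CERT_USER="${CERT_USER:-couchdb}"
RESTART_CMD="${RESTART_CMD:-service couchdb restart}"  # assumption: adjust to your init setup

# Print the local.ini fragment for HOST. certbot keeps live/<host>/ under --config-dir,
# so the paths are under /etc/couchdb/letsencrypt, not /etc/letsencrypt.
couchdb_ssl_ini() {
    host="$1"
    live="${2:-$CONFIG_DIR}/live/$host"
    printf '%s\n' \
        '[daemons]' \
        'httpsd = {couch_httpd, start_link, [https]}' \
        '' \
        '[ssl]' \
        "cert_file = $live/cert.pem" \
        "key_file = $live/privkey.pem" \
        "cacert_file = $live/chain.pem"
}

# Succeed only if KEY (symlinks under live/ are followed) is owned by OWNER_UID and is
# readable by its owner alone. A key readable by other local users is the usual way a
# TLS setup that "works fine" leaks its private key.
key_is_private() {
    key="$1"
    owner_uid="${2:-$(id -u "$CERT_USER")}"
    [ -f "$key" ] || return 1
    [ "$(stat -L -c %u "$key")" = "$owner_uid" ] || return 1
    case "$(stat -L -c %a "$key")" in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# Content hash of a certificate file; used to detect whether renewal produced a new cert.
cert_fingerprint() {
    sha256sum "$1" | cut -d ' ' -f 1
}

# Run certbot renew with the same directories and user used at issuance (renew reads its
# renewal configs from --config-dir, so omitting it finds nothing to renew), refuse to
# go on if the key has become readable by others, and restart CouchDB only when the
# certificate actually changed.
renew_if_due() {
    host="$1"
    cert="$CONFIG_DIR/live/$host/cert.pem"
    before=$(cert_fingerprint "$cert")
    sudo -u "$CERT_USER" certbot renew \
        --config-dir "$CONFIG_DIR" --work-dir "$WORK_DIR" --logs-dir "$LOGS_DIR"
    after=$(cert_fingerprint "$cert")
    key_is_private "$CONFIG_DIR/live/$host/privkey.pem" || {
        echo "refusing to continue: private key for $host is not owner-only" >&2
        return 1
    }
    if [ "$before" != "$after" ]; then
        echo "certificate for $host renewed; restarting CouchDB" >&2
        $RESTART_CMD
    fi
}

# HTTPS on 6984 must answer with a chain curl trusts (so chain.pem is served correctly),
# and plain HTTP on 5984 must not answer at all.
verify_listeners() {
    host="$1"
    curl -fsS --max-time 5 "https://$host:6984/" >/dev/null || {
        echo "HTTPS on $host:6984 failed (not listening, or chain not trusted)" >&2
        return 1
    }
    if curl -fsS --max-time 5 "http://$host:5984/" >/dev/null 2>&1; then
        echo "plain HTTP on $host:5984 still answers; httpd is not disabled" >&2
        return 1
    fi
    echo "ok: HTTPS only on $host" >&2
}

case "${1:-}" in
    ini)    couchdb_ssl_ini "${2:?hostname required}" ;;
    renew)  renew_if_due "${2:?hostname required}" ;;
    verify) verify_listeners "${2:?hostname required}" ;;
esac
```

Run `sh couchdb-le.sh ini <hostname>` to print the local.ini fragment, `sh couchdb-le.sh verify <hostname>` after the restart, and put `sh couchdb-le.sh renew <hostname>` in root's crontab (daily is fine; certbot only renews when the certificate is close to expiry, and CouchDB is only restarted when a new certificate was actually written).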
Filed under: Linux