Verbally Flimzy

Ramblings, Observations and Misconceptions

Configuring CouchDB for HTTPS only

Posted on November 18, 2015

Getting CouchDB to work via HTTPS is fairly well documented. Disabling HTTP turned out to be the harder part to figure out, and it matters: as long as port 5984 is still listening, clients (and any script that was never updated) can keep sending credentials and data in cleartext.

Enabling HTTPS
--------------

The official documentation (here) is actually incomplete (or, more likely, simply outdated), but it's still a pretty straightforward process. Edit your `local.ini` to include the following:

```ini
[daemons]
httpsd = {couch_httpd, start_link, [https]}

[ssl]
cert_file = /etc/ssl/private/server.crt
key_file = /etc/ssl/private/server.key
cacert_file = /etc/ssl/private/cacert.pem
```

Of course you'll need the files themselves: `cert_file` is the server certificate, `key_file` its private key, and `cacert_file` the CA certificate (or chain) that issued it, so that clients receive the full chain. The certificate can come from a public certificate authority or be self-signed; either way, make sure the private key is readable only by the user CouchDB runs as, since the server reads it at startup. How to generate or obtain these files is beyond the scope of this document, and instructions appropriate for your operating system are easy to find.

Disabling HTTP
--------------

I spent a while Googling this one, and finally stumbled upon an obscure mailing list post with the answer. Edit `default.ini` and comment out the following line, found in the `[daemons]` section (note that `default.ini` is normally replaced on package upgrades, so re-check this after every update):

```ini
;httpd={couch_httpd, start_link, []}
```
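Because the two edits above live in different files and the second one can silently come back after an upgrade, it is worth having a check that reads the layered configuration and confirms the result is really HTTPS-only. The script below is an added example, not code from the original post or from CouchDB. It assumes CouchDB 1.x semantics (`default.ini` is loaded first and `local.ini` overrides it key by key, and a daemon starts only if its key is present and non-empty in the merged `[daemons]` section); the two ini texts embedded in it are constructed samples that mirror the edits described above, and the optional permission check on `key_file` is this example's own addition.

```python
"""Lint a layered CouchDB 1.x ini configuration for an HTTPS-only setup.

Added example (not from the original post or CouchDB). Assumes:
  * default.ini is read first, local.ini afterwards, later keys override earlier ones;
  * a daemon in [daemons] is started only when its key is present and non-empty.
"""
import configparser
import os
import stat
import sys

# Constructed sample files that mirror the post's edits (not real files).
DEFAULT_INI = """
[daemons]
;httpd={couch_httpd, start_link, []}
auth_cache={couch_auth_cache, start_link, []}
"""

LOCAL_INI = """
[daemons]
httpsd = {couch_httpd, start_link, [https]}

[ssl]
cert_file = /etc/ssl/private/server.crt
key_file = /etc/ssl/private/server.key
cacert_file = /etc/ssl/private/cacert.pem
"""


def merge_ini(*texts):
    """Layer ini texts in load order; keys in later texts override earlier ones.

    ';' prefixed lines are comments, so a commented-out httpd line disappears
    from the merged view exactly as it does for CouchDB.
    """
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    cfg.optionxform = str  # CouchDB option names are case-sensitive
    for text in texts:
        cfg.read_string(text)
    return cfg


def check_https_only(cfg, check_files=False):
    """Return a list of findings; an empty list means the merged config is HTTPS-only.

    check_files=True additionally stats key_file (assumed to be on this host)
    and flags a private key readable by group or others.
    """
    findings = []
    daemons = cfg["daemons"] if cfg.has_section("daemons") else {}
    if daemons.get("httpd", "").strip():
        findings.append("plain HTTP daemon still enabled: [daemons] httpd")
    if not daemons.get("httpsd", "").strip():
        findings.append("HTTPS daemon not enabled: [daemons] httpsd missing")
    if not cfg.has_section("ssl"):
        findings.append("[ssl] section missing")
        return findings
    ssl_section = cfg["ssl"]
    for key in ("cert_file", "key_file"):
        if not ssl_section.get(key, "").strip():
            findings.append(f"[ssl] {key} not set")
    if check_files and ssl_section.get("key_file", "").strip():
        path = ssl_section["key_file"].strip()
        try:
            mode = os.stat(path).st_mode
        except FileNotFoundError:
            findings.append(f"[ssl] key_file does not exist: {path}")
        else:
            if mode & (stat.S_IRWXG | stat.S_IRWXO):
                findings.append(f"[ssl] key_file is group/world accessible: {path}")
    return findings


if __name__ == "__main__":
    # Usage: python couch_https_lint.py /etc/couchdb/default.ini /etc/couchdb/local.ini
    # With no arguments the constructed samples above are checked instead.
    if len(sys.argv) > 1:
        texts = [open(p, encoding="utf-8").read() for p in sys.argv[1:]]
        problems = check_https_only(merge_ini(*texts), check_files=True)
    else:
        problems = check_https_only(merge_ini(DEFAULT_INI, LOCAL_INI))
    for problem in problems:
        print("FAIL:", problem)
    print("OK: HTTPS-only" if not problems else f"{len(problems)} problem(s)")
    sys.exit(1 if problems else 0)
```

Run it against the real files after every restart or upgrade; a non-zero exit means plain HTTP is still configured or the TLS material is missing, which is exactly the condition the `curl` tests further down would otherwise have to catch by hand.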


Restart, test
-------------

Restart the server, and test:

```
curl http://localhost:5984/

curl: (7) Failed to connect to localhost port 5984: Connection refused
```


Good, HTTP is disabled.

```
curl https://localhost:6984/

curl: (51) SSL: no alternative certificate subject name matches target host name 'localhost'
```


And HTTPS is working: curl accepted the certificate chain and only refused the connection because neither the certificate's subject nor its Subject Alternative Names match 'localhost', which is expected for a certificate issued for the real hostname (don't work around this with `-k`; test against the name the certificate was issued for instead). If I substitute the proper domain name, I get full success:

```
curl https://realhostname.com:6984/

{"couchdb":"Welcome","uuid":"a176f89954c3ddba7aa592d712c25140","version":"1.6.1","vendor":{"name":"The Apache Software Foundation","version":"1.6.1"}}
```

Filed under: couchdb database https Linux nosql security ssl