diff options
author | Dirkjan Ochtman <djc@apache.org> | 2013-05-20 08:53:25 +0200 |
---|---|---|
committer | Dirkjan Ochtman <djc@apache.org> | 2013-05-20 08:53:25 +0200 |
commit | 00520c3639db9ac4ee9b137cb82085168738719e (patch) | |
tree | 76a8d3ae95228b51b9f1d70ecae68775cd86777a | |
parent | 7ba4c738114c025e245bc95ea61ba9779c1f3985 (diff) | |
download | couchdb-00520c3639db9ac4ee9b137cb82085168738719e.tar.gz |
docs: move section on SSL support into configuration chapter
-rw-r--r-- | share/doc/src/configuring.rst | 98 | ||||
-rw-r--r-- | share/doc/src/index.rst | 1 | ||||
-rw-r--r-- | share/doc/src/ssl.rst | 109 |
3 files changed, 98 insertions, 110 deletions
diff --git a/share/doc/src/configuring.rst b/share/doc/src/configuring.rst index 168a51f8e..c364417e6 100644 --- a/share/doc/src/configuring.rst +++ b/share/doc/src/configuring.rst @@ -185,3 +185,101 @@ see :ref:`http-proxying`. For further background on the OS Daemon service, see `CouchDB Externals API`_. .. _CouchDB Externals API: http://davispj.com/2010/09/26/new-couchdb-externals-api.html + +Native SSL Support +================== + +CouchDB |version| supports SSL natively. All your secure connection needs can +now be served without needing to setup and maintain a separate proxy server +that handles SSL. + +SSL setup can be tricky, but the configuration in CouchDB was designed +to be as easy as possible. All you need is two files; a certificate and +a private key. If you bought an official SSL certificate from a +certificate authority, both should be in your possession already. + +If you just want to try this out and don't want to pay anything upfront, +you can create a self-signed certificate. Everything will work the same, +but clients will get a warning about an insecure certificate. + +You will need the OpenSSL command line tool installed. It probably +already is. + +:: + + shell> mkdir cert && cd cert + shell> openssl genrsa > privkey.pem + shell> openssl req -new -x509 -key privkey.pem -out mycert.pem -days 1095 + shell> ls + mycert.pem privkey.pem + +Now, you need to edit CouchDB's configuration, either by editing your +``local.ini`` file or using the ``/_config`` API calls or the +configuration screen in Futon. Here is what you need to do in +``local.ini``, you can infer what needs doing in the other places. + +Be sure to make these edits. Under ``[daemons]`` you should see: + +:: + + ; enable SSL support by uncommenting the following line and supply the PEM's below. + ; the default ssl port CouchDB listens on is 6984 + ;httpsd = {couch_httpd, start_link, [https]} + +Here uncomment the last line: + +:: + + httpsd = {couch_httpd, start_link, [https]} + +Next, under ``[ssl]`` you will see: + +:: + + ;cert_file = /full/path/to/server_cert.pem + ;key_file = /full/path/to/server_key.pem + +Uncomment and adjust the paths so it matches your system's paths: + +:: + + cert_file = /home/jan/cert/mycert.pem + key_file = /home/jan/cert/privkey.pem + +For more information please read +`http://www.openssl.org/docs/HOWTO/certificates.txt`_. + +Now start (or restart) CouchDB. You should be able to connect to it +using HTTPS on port 6984: + +:: + + shell> curl https://127.0.0.1:6984/ + curl: (60) SSL certificate problem, verify that the CA cert is OK. Details: + error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed + More details here: http://curl.haxx.se/docs/sslcerts.html + + curl performs SSL certificate verification by default, using a "bundle" + of Certificate Authority (CA) public keys (CA certs). If the default + bundle file isn't adequate, you can specify an alternate file + using the --cacert option. + If this HTTPS server uses a certificate signed by a CA represented in + the bundle, the certificate verification probably failed due to a + problem with the certificate (it might be expired, or the name might + not match the domain name in the URL). + If you'd like to turn off curl's verification of the certificate, use + the -k (or --insecure) option. + +Oh no what happened?! — Remember, clients will notify their users that +your certificate is self signed. ``curl`` is the client in this case and +it notifies you. Luckily you trust yourself (don't you?) and you can +specify the ``-k`` option as the message reads: + +:: + + shell> curl -k https://127.0.0.1:6984/ + {"couchdb":"Welcome","version":"|version|"} + +All done. + +.. _`http://www.openssl.org/docs/HOWTO/certificates.txt`: http://www.openssl.org/docs/HOWTO/certificates.txt diff --git a/share/doc/src/index.rst b/share/doc/src/index.rst index 63cc94f05..c8b47496e 100644 --- a/share/doc/src/index.rst +++ b/share/doc/src/index.rst @@ -31,7 +31,6 @@ Contents api-basics pretty_urls configuring - ssl http-proxying config_reference replication diff --git a/share/doc/src/ssl.rst b/share/doc/src/ssl.rst deleted file mode 100644 index 3a546d877..000000000 --- a/share/doc/src/ssl.rst +++ /dev/null @@ -1,109 +0,0 @@ -.. Licensed under the Apache License, Version 2.0 (the "License"); you may not -.. use this file except in compliance with the License. You may obtain a copy of -.. the License at -.. -.. http://www.apache.org/licenses/LICENSE-2.0 -.. -.. Unless required by applicable law or agreed to in writing, software -.. distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -.. WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -.. License for the specific language governing permissions and limitations under -.. the License. - -Native SSL Support -================== - -CouchDB |version| supports SSL natively. All your secure connection needs can -now be served without needing to setup and maintain a separate proxy server -that handles SSL. - -SSL setup can be tricky, but the configuration in CouchDB was designed -to be as easy as possible. All you need is two files; a certificate and -a private key. If you bought an official SSL certificate from a -certificate authority, both should be in your possession already. - -If you just want to try this out and don't want to pay anything upfront, -you can create a self-signed certificate. Everything will work the same, -but clients will get a warning about an insecure certificate. - -You will need the OpenSSL command line tool installed. It probably -already is. - -:: - - shell> mkdir cert && cd cert - shell> openssl genrsa > privkey.pem - shell> openssl req -new -x509 -key privkey.pem -out mycert.pem -days 1095 - shell> ls - mycert.pem privkey.pem - -Now, you need to edit CouchDB's configuration, either by editing your -``local.ini`` file or using the ``/_config`` API calls or the -configuration screen in Futon. Here is what you need to do in -``local.ini``, you can infer what needs doing in the other places. - -Be sure to make these edits. Under ``[daemons]`` you should see: - -:: - - ; enable SSL support by uncommenting the following line and supply the PEM's below. - ; the default ssl port CouchDB listens on is 6984 - ;httpsd = {couch_httpd, start_link, [https]} - -Here uncomment the last line: - -:: - - httpsd = {couch_httpd, start_link, [https]} - -Next, under ``[ssl]`` you will see: - -:: - - ;cert_file = /full/path/to/server_cert.pem - ;key_file = /full/path/to/server_key.pem - -Uncomment and adjust the paths so it matches your system's paths: - -:: - - cert_file = /home/jan/cert/mycert.pem - key_file = /home/jan/cert/privkey.pem - -For more information please read -`http://www.openssl.org/docs/HOWTO/certificates.txt`_. - -Now start (or restart) CouchDB. You should be able to connect to it -using HTTPS on port 6984: - -:: - - shell> curl https://127.0.0.1:6984/ - curl: (60) SSL certificate problem, verify that the CA cert is OK. Details: - error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed - More details here: http://curl.haxx.se/docs/sslcerts.html - - curl performs SSL certificate verification by default, using a "bundle" - of Certificate Authority (CA) public keys (CA certs). If the default - bundle file isn't adequate, you can specify an alternate file - using the --cacert option. - If this HTTPS server uses a certificate signed by a CA represented in - the bundle, the certificate verification probably failed due to a - problem with the certificate (it might be expired, or the name might - not match the domain name in the URL). - If you'd like to turn off curl's verification of the certificate, use - the -k (or --insecure) option. - -Oh no what happened?! — Remember, clients will notify their users that -your certificate is self signed. ``curl`` is the client in this case and -it notifies you. Luckily you trust yourself (don't you?) and you can -specify the ``-k`` option as the message reads: - -:: - - shell> curl -k https://127.0.0.1:6984/ - {"couchdb":"Welcome","version":"|version|"} - -All done. - -.. _`http://www.openssl.org/docs/HOWTO/certificates.txt`: http://www.openssl.org/docs/HOWTO/certificates.txt |