Cluster setup API does not support adding nodes via SSL #783
Comments
At the moment, the Cluster Setup API doesn't officially support SSL connections - meaning we haven't tested that configuration. It's really a shortcut to help people who haven't learned the manual process, and isn't intended to cover all cases.

As a workaround, you should be able to join the cluster together by following the manual process for adding nodes as described here: http://docs.couchdb.org/en/2.1.0/cluster/nodes.html

Once all nodes have been added, you'll then need to manually create the system databases (

One thing to watch out for is that as you create the admin user on every node independently, you'll need to be sure that the ini file contains the identical hashed password on each node if you expect sessions to work correctly with the entire cluster residing behind a load balancer.
Thank you wohali for the fast reply and followup information.
I probably don't understand the cluster architecture well enough, so sorry for any misunderstanding on my part.
CouchDB doesn't sync between nodes via the HTTP interface. Instead, it uses the Erlang distribution mechanism, which is managed via the Erlang port mapper daemon (epmd). This traffic occurs on dynamically allocated ports, the range of which can be altered. We describe the options necessary for constraining the epmd port range here: http://docs.couchdb.org/en/2.1.0/cluster/setup.html

To encrypt this traffic as well is beyond the scope of our installation docs. You can read more about the process here: https://www.erlang-solutions.com/blog/erlang-distribution-over-tls.html
Thank you VERY much for the help. That makes it all clear. I will work through the Erlang documentation to secure the port (e.g.: 9100).

PS: I would never get such fast and specific support from a vendor. Hats off to your team!
This was wrong, instead SEE BELOW: #783 (comment)
Good point. Thanks for the tip!
If anyone is interested, I figured out how to get ports 9100 (through 9200) using SSL.

local.ini

vm.args

To verify a port is secure I used the following command:
Just to add to wohali's statement:

You also need to make sure that the secret is also the same on all the nodes if you are using cookie authentication. [couch_httpd_auth]
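The two comments above (identical hashed admin password in the ini file on every node, and an identical `[couch_httpd_auth]` secret) are easy to get wrong when each node is set up by hand. The following is an added example, not code from the CouchDB project or from anyone in this thread: it parses each node's `local.ini` and reports where the `[admins]` entries or the `secret` diverge. The three ini snippets are constructed for illustration, and the hash and secret values are placeholders, not real credentials. It also flags admin entries that are still plaintext, because CouchDB hashes those on startup with a salt chosen by that node, which is exactly how independently created admins end up with different hashes.

```python
"""Cross-node consistency check for the CouchDB settings discussed above.

Added example, not code from the CouchDB project or the commenters: it
compares the [admins] hashes and the [couch_httpd_auth] secret across each
node's local.ini, since both must be identical for sessions to work behind
a load balancer. The ini snippets below are constructed; hash and secret
values are placeholders, not real credentials.
"""
import configparser
from typing import Dict, List, Optional, Tuple

# Constructed local.ini contents for three nodes. node3 was configured
# independently, so both its admin hash and its secret differ.
NODE_INIS: Dict[str, str] = {
    "node1": """
[admins]
admin = -pbkdf2-0123456789abcdef0123456789abcdef01234567,89abcdef0123456789abcdef01234567,10

[couch_httpd_auth]
secret = 00112233445566778899aabbccddeeff
""",
    "node2": """
[admins]
admin = -pbkdf2-0123456789abcdef0123456789abcdef01234567,89abcdef0123456789abcdef01234567,10

[couch_httpd_auth]
secret = 00112233445566778899aabbccddeeff
""",
    "node3": """
[admins]
admin = -pbkdf2-fedcba9876543210fedcba9876543210fedcba98,76543210fedcba9876543210fedcba98,10

[couch_httpd_auth]
secret = ffeeddccbbaa99887766554433221100
""",
}


def auth_settings(ini_text: str) -> Tuple[Dict[str, str], Optional[str]]:
    """Return ({admin user: stored value}, secret or None) from one local.ini."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    admins = dict(cp["admins"]) if cp.has_section("admins") else {}
    secret = cp.get("couch_httpd_auth", "secret", fallback=None)
    return admins, secret


def unhashed_admins(ini_text: str) -> List[str]:
    """Admin entries still stored in plaintext (no '-pbkdf2-' prefix).

    CouchDB hashes such entries on startup with a salt chosen by that node,
    so leaving plaintext in each node's ini is how the hashes diverge.
    """
    admins, _ = auth_settings(ini_text)
    return [user for user, value in admins.items() if not value.startswith("-pbkdf2-")]


def find_mismatches(inis: Dict[str, str]) -> List[str]:
    """Compare every node against the first one; return human-readable problems."""
    ref_name = next(iter(inis))
    ref_admins, ref_secret = auth_settings(inis[ref_name])
    problems: List[str] = []
    for name, text in inis.items():
        if name == ref_name:
            continue
        admins, secret = auth_settings(text)
        for user, ref_value in ref_admins.items():
            if user not in admins:
                problems.append(f"{name}: admin '{user}' missing")
            elif admins[user] != ref_value:
                problems.append(f"{name}: admin '{user}' hash differs from {ref_name}")
        for user in admins:
            if user not in ref_admins:
                problems.append(f"{name}: extra admin '{user}' not present on {ref_name}")
        if secret != ref_secret:
            problems.append(f"{name}: couch_httpd_auth secret differs from {ref_name}")
    return problems


if __name__ == "__main__":
    for line in find_mismatches(NODE_INIS) or ["all nodes consistent"]:
        print(line)
```

To use it against a real cluster, replace the constructed `NODE_INIS` values with the contents of each node's `local.ini`; the check only reads the `[admins]` and `[couch_httpd_auth]` sections, so the rest of the file is ignored. A clean run means the hash and secret are the same everywhere; it does not by itself prove the nodes are joined, which still requires the manual process wohali linked.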
I want to revise my advice on the
The fix for this would be to allow self-signed certs in the request options for the ibrowse requests sent in src/setup/src/setup.erl. |
When adding a node to a CouchDB 2.1 cluster using the Cluster Setup API over the default SSL port 6984 with a self-signed cert, the following response is returned:
{"error":"bad_request","reason":"retry_later"}
Expected Behavior
Return value
{"ok":true}
Current Behavior
Is clustering over an SSL port not supported? If not, then it presents a potential security issue.
Steps to Reproduce (for bugs)
(NOTE: This error also appears when using Fauxton)
Your Environment