Configure CouchDB with Let's Encrypt SSL certificate

What I would like to do: Right now I'm using a self-signed SSL certificate, which works wonderfully. But I would like to replace it with an official one from Let's Encrypt.

What I have (self-signed certificate): Here is an output of the important SSL settings (local.ini) I have now:

[daemons]
; enable SSL support by uncommenting the following line and supply the PEM's below.
; the default ssl port CouchDB listens on is 6984
httpsd = {couch_httpd, start_link, [https]}

[ssl]
; these are my self-made certificates
cert_file = /etc/couchdb/certs/server.crt
key_file = /etc/couchdb/certs/server.key

; set to true to validate peer certificates
verify_ssl_certificates = false
; Path to file containing PEM encoded CA certificates (trusted
; certificates used for verifying a peer certificate). May be omitted if
; you do not want to verify the peer.
;cacert_file = /full/path/to/cacertf
; The verification fun (optional) if not specified, the default
; verification fun will be used.
;verify_fun = {Module, VerifyFun}
; maximum peer certificate depth
ssl_certificate_max_depth = 1

What I tried (Let's Encrypt): After following the Let's Encrypt docs I have a folder /etc/letsencrypt/live/[domain] with the following files:

-cert.pem       // seems to be the public certificate
-chain.pem      // seems to be the public certificate from the keychain
-fullchain.pem  // seems to be the cert.pem + chain.pem
-privkey.pem    // seems to be the private certificate

So I tried to replace the new certificates with the old ones in my local.ini

[ssl]
; new certificates
cert_file = /etc/letsencrypt/live/[domain]/cert.pem
key_file = /etc/letsencrypt/live/[domain]/privkey.pem

The Problem: After a restart of CouchDB the non-SSL port 5984 still works. But with SSL on port 6984 I get a connection reset error in Chrome. PS: I also use the same Let's Encrypt certificates for my nginx, where they are working perfectly.

Any ideas?

OpenSSL debug information:

1) With SSL and the self-signed certificate, I get a certificate printed and a lot of the information I entered once.

2) Without SSL and Let's Encrypt: openssl s_client -connect localhost:5984

CONNECTED(00000003)
140581663061872:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:795:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 207 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE

3) With SSL and Let's Encrypt: openssl s_client -connect localhost:6984

CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 207 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE

With CouchDB 1.6.x:

Copy the files from /etc/letsencrypt/archive/xxxx into /var/lib/couchdb/cert1/

Check the access rights for CouchDB

Put the following values in /usr/local/etc/couchdb/local.ini. Note that the following paths match the folder above that the files were copied to.

cert_file = /var/lib/couchdb/cert1/cert1.pem
key_file = /var/lib/couchdb/cert1/privkey1.pem
cacert_file = /var/lib/couchdb/cert1/fullchain1.pem

How to make HTTPS/SSL work on CouchDB 2.3.0 on Ubuntu 18.04:

  1. The settings file is located at /opt/couchdb/etc/local.ini
  2. The [daemons] section from the original question is not needed.
  3. Really copying the files to a CouchDB folder (see Frederic's answer) and changing the file owner to the couchdb user (with chown couchdb:couchdb) is the only thing that works. (Symlinking, or linking directly to the letsencrypt folder, will all fail.)
  4. Don't forget to restart couchdb after your edits in local.ini

    systemctl stop couchdb; systemctl start couchdb

  5. Look in the CouchDB log for startup errors with tail -f /opt/couchdb/var/log/couchdb.log

  6. Check that port 6984 isn't firewalled; do ufw allow 6984

  7. Now go to https://yourdomain.com:6984 and CouchDB will work via HTTPS.

  8. Don't forget to repeat step 3 when letsencrypt renews the certificates.


I'm using the following solution. In certbot I have a post-renewal hook script with the following lines:

rm -rf /opt/couchdb/letsencrypt
mkdir /opt/couchdb/letsencrypt
cp -rfL /etc/letsencrypt/live/ /opt/couchdb/letsencrypt
chown -R couchdb:couchdb /opt/couchdb/letsencrypt/

This copies the certificates to the CouchDB folder and changes ownership to the couchdb user/group. For whatever reason the cert files have to be owned by the couchdb user, and normal read rights on /etc/letsencrypt seem not to be enough.

Hint: At first I didn't have the first two lines (rm and mkdir), which led to problems, since cp -rfL behaves differently depending on whether the target folder exists. In one case the resulting directory structure was /opt/letsencrypt/live/<subfolders> and in the other case /opt/letsencrypt/<subfolders>. This ruined my automatic certificate renewal process the first time.

In local.ini I have:

cert_file = /opt/couchdb/letsencrypt/live/<my-hostname>/cert.pem
key_file = /opt/couchdb/letsencrypt/live/<my-hostname>/privkey.pem
cacert_file = /opt/couchdb/letsencrypt/live/<my-hostname>/fullchain.pem
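The copy-and-chown procedure from the two answers above, written as a certbot deploy hook (an added example, not code from either answer). It dereferences certbot's symlinks, stages the three PEM files in a fresh directory so the layout is the same whether or not the target exists (the cp -rfL pitfall described above), and restricts the private key's mode; the target path /opt/couchdb/letsencrypt and the couchdb:couchdb owner are assumptions taken from the answers.

```shell
#!/bin/sh
# Constructed certbot deploy hook for CouchDB; not from the original answers.
# Assumed paths: certbot's live dir for one hostname and a CouchDB-owned
# target dir; couchdb:couchdb is the owner the answers above use.
set -eu

# Copy cert.pem, privkey.pem and fullchain.pem into a flat directory that the
# couchdb user owns. cp -L dereferences certbot's symlinks (CouchDB cannot
# follow them into root-only /etc/letsencrypt); staging in a temp dir and
# swapping it in gives the same layout on first and later runs.
install_couchdb_certs() {
    src="$1"            # e.g. /etc/letsencrypt/live/example.com
    dst="$2"            # e.g. /opt/couchdb/letsencrypt
    owner="${3:-}"      # e.g. couchdb:couchdb; empty leaves ownership alone
    tmp="$dst.tmp.$$"
    rm -rf "$tmp"
    mkdir -p "$tmp"
    for f in cert.pem privkey.pem fullchain.pem; do
        if [ ! -f "$src/$f" ]; then
            echo "install_couchdb_certs: missing $src/$f" >&2
            rm -rf "$tmp"
            return 1
        fi
        cp -L "$src/$f" "$tmp/$f"
    done
    # The private key must not be world-readable; the certificates may be.
    chmod 640 "$tmp/privkey.pem"
    chmod 644 "$tmp/cert.pem" "$tmp/fullchain.pem"
    chmod 750 "$tmp"
    if [ -n "$owner" ]; then
        chown -R "$owner" "$tmp"
    fi
    rm -rf "$dst"
    mv "$tmp" "$dst"
}

# certbot exports RENEWED_LINEAGE (the live dir of the renewed certificate)
# when it runs a --deploy-hook script; outside certbot this block is skipped.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    install_couchdb_certs "$RENEWED_LINEAGE" /opt/couchdb/letsencrypt couchdb:couchdb
    systemctl restart couchdb   # CouchDB only reads the PEM files at start
fi
```

With this flat layout, local.ini points at /opt/couchdb/letsencrypt/cert.pem, privkey.pem and fullchain.pem directly, without the live/<hostname> subfolder.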