I used CouchDB 1.1.1 with self-signed certs fine for some time.
Then I purchased an SSL cert (in PFX form) for my domain.
I converted it to .CER and .KEY via OpenSSL, as described here: How can I convert a PFX certificate file for use with Apache on a linux server?
But CouchDB gives me this error: http://pastebin.com/PieNwYv7
The certificate and key work fine in the test recommended on http://wiki.apache.org/couchdb/How_to_enable_SSL .
I tried different conversion options (DER, PEM, etc.) in OpenSSL, with no luck :(
What could possibly be wrong with my certificate or private key? (Obviously I can't publish the private key here, but maybe you can point me to some tools to diagnose the problem.)
UPD: I tried
openssl rsa -in server.key -out server_rsa.key
This gives the key in the -----BEGIN RSA PRIVATE KEY format (instead of -----BEGIN PRIVATE KEY); it works fine with OpenSSL too (tested with openssl s_server -key server_rsa.key -cert server.cer -www), but CouchDB gives a different error:
[Sat, 28 Jan 2012 21:30:58 GMT] [error] [<0.69.0>] {error_report,<0.64.0>,
{<0.69.0>,supervisor_report,
[{supervisor,{local,ssl_connection_sup}},
{errorContext,child_terminated},
{reason,
{function_clause,
[{ssl_handshake,dec_client_key,
[<<149,172,109,56,46,85,242,18,97,32,127,
UPD2: I obtained another certificate, using the key generator from Firefox (instead of IIS); same result :(
Solution (for those who might run into the same problem):
It seems that some kind of data is cached (to speed up the SSL handshake?) by Google Chrome and Opera, and this causes the SSL handshake to fail if the server cert suddenly changes.
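As an added example (not from the original post or from CouchDB), here is the PFX-to-PEM conversion and the key re-encoding step from the question replayed on a throwaway self-signed certificate, followed by the diagnostic the poster asked for: checking that the certificate and the private key actually belong together by comparing their RSA modulus. The "/CN=couch.example.test" subject, the "secret" PFX password and the file names are constructed for this example.

```shell
#!/bin/sh
# Added example, not the original post's code: rebuild the PFX -> PEM
# conversion on a constructed self-signed cert, then check cert/key agreement.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed test material: a self-signed cert + key bundled into a PFX,
# standing in for the purchased certificate from the question.
make_test_pfx() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=couch.example.test" \
    -keyout "$WORK/orig.key" -out "$WORK/orig.crt" 2>/dev/null
  openssl pkcs12 -export -passout pass:secret \
    -inkey "$WORK/orig.key" -in "$WORK/orig.crt" -out "$WORK/bundle.pfx"
}

# The conversion the question describes: PFX -> certificate file + key file.
pfx_to_pem() {
  openssl pkcs12 -in "$WORK/bundle.pfx" -passin pass:secret -clcerts -nokeys \
    -out "$WORK/server.cer" 2>/dev/null
  openssl pkcs12 -in "$WORK/bundle.pfx" -passin pass:secret -nocerts -nodes \
    -out "$WORK/server.key" 2>/dev/null
  # Same step as the UPD in the question: re-encode the key with "openssl rsa".
  openssl rsa -in "$WORK/server.key" -out "$WORK/server_rsa.key" 2>/dev/null
}

# Diagnostic: a cert and an RSA key belong together iff their modulus matches.
# Prints "match" or "mismatch". Run this before blaming CouchDB's SSL config.
cert_key_match() {
  c=$(openssl x509 -noout -modulus -in "$1" | openssl sha256)
  k=$(openssl rsa -noout -modulus -in "$2" | openssl sha256)
  [ "$c" = "$k" ] && echo match || echo mismatch
}

# Show which PEM label a key file carries (pkcs12 output has "Bag Attributes"
# lines before the actual PEM block, so look for the BEGIN line explicitly).
key_header() { grep '^-----BEGIN' "$1" | head -n 1; }

make_test_pfx
pfx_to_pem
key_header "$WORK/server.key"
key_header "$WORK/server_rsa.key"
cert_key_match "$WORK/server.cer" "$WORK/server_rsa.key"
```

If the check prints "mismatch", the cert and key files do not belong together and no amount of re-encoding will make the server accept them; if it prints "match", the problem lies elsewhere (for example the cached handshake data the solution above describes).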