Configuring CouchDB 1.6.1 with LetsEncrypt free SSL certificate on Debian 8 (jessie)

February 17, 2017

  1. Enable jessie-backports, if not already enabled on your system. As described here:

    echo deb http://ftp.debian.org/debian jessie-backports main | sudo tee /etc/apt/sources.list.d/backports.list > /dev/null
    aptitude update
    
  2. Install certbot as described here:

    sudo aptitude install certbot -t jessie-backports
    
  3. Configure a web server, so certbot can communicate with the outside world. I use lighttpd.

    sudo aptitude install lighttpd
    
  4. Configure the web server to allow the couchdb user write access to the root directory.

    sudo chown root:couchdb /var/www/html
    sudo chmod g+rxw /var/www/html
    
  5. Set up a directory to store your certificates:

    sudo mkdir /etc/couchdb/letsencrypt
    sudo chown couchdb.couchdb /etc/couchdb/letsencrypt
    sudo chmod g+rwx /etc/couchdb/letsencrypt
    
  6. Generate your initial SSL certificate:

    sudo -u couchdb certbot certonly --webroot -w /var/www/html --config-dir /etc/couchdb/letsencrypt --logs-dir /var/log/couchdb -d <hostname>
    

    Follow the prompts to configure certbot.

  7. Configure CouchDB as described here. Edit /etc/couchdb/local.ini to match:

    [daemons]
    httpsd = {couch_httpd, start_link, [https]}
    
    [ssl]
    cert_file = /etc/letsencrypt/live/<hostname>/cert.pem
    key_file = /etc/letsencrypt/live/<hostname>/privkey.pem
    cacert_file = /etc/letsencrypt/live/<hostname>/chain.pem
    

    And probably disable HTTP, too, by editing /etc/couchdb/default.ini and commenting out the following line in the [daemons] section:

    ;httpd={couch_httpd, start_link, []}
    
  8. Test!

Visit https://<hostname>:6984/_utils, and verify that http://<hostname>:5984/_utils does not work.


comments powered by Disqus