Couch Sync Gateway on MacOS Sierra

giles · September 28, 2016, 11:40am

Hi,

Are there any known issues with SG v1.3.1 on MacOS Sierra? The supported OS on this page only lists Yosemite and El Capitan.

We are having an issue with SSL certificates using SG v1.3.1 and Chrome since upgrading to Sierra. When browsing to sync gateway on port 4984 (http://:4984) we get an invalid certificate, and we see the following in the sync-gateway console:

2016-09-28 11:38:05.409012 I | http: TLS handshake error from 92.27.95.40:50169: EOF

This worked fine with the same certificate using El Capitan. It also works on Sierra using Safari.

Due to the failed certificate, when syncing to SG using PouchDB it gives the error:
net::ERR_INSECURE_RESPONSE

Has anyone seen similar issues and is there a fix?

Thanks,
Giles

jens · September 28, 2016, 4:02pm

1.3 was incompatible with Sierra due to being compiled by a version of Go that was incompatible. But 1.3.1 used an updated compiler (Go 1.6.3) which should be compatible.

What exactly is the cert error from Chrome?
You can also use the nscurl command from a Mac, which will log info about SSL problems.

jens · September 28, 2016, 4:02pm

It’s probably best to file an issue on Github, so this won’t fall between the cracks. Thanks!

giles · September 28, 2016, 4:21pm

Hi Jens,

Just want to clarify as I don’t think I was clear earlier. Couchbase Server and Sync Gateway are both running on Linux. It’s only the client end (Chrome) that is running on MacOS Sierra. The problem is purely an SSL issue from Chrome on Sierra talking to Sync Gateway.

The nscurl command works fine and returns the valid info.
nscurl https://yo.tc:4984
{“couchdb”:“Welcome”,“vendor”:{“name”:“Couchbase Sync Gateway”,“version”:1.3},“version”:“Couchbase Sync Gateway/1.3.1(16;f18e833)”}

However, on Chrome the certificate is not trusted and the icon is red. It then fails to open the page due to invalid certificate. The error on the Chrome page is:
“Your connection is not private Attackers might be trying to steal your information from yo.tc (for example, passwords, messages or credit cards). NET::ERR_CERT_AUTHORITY_INVALID”

You should be able to recreate (if you have Sierra) by running Chrome on Sierra and pointing at our sync gateway server
https://yo.tc:4984

Chrome is happy with other ports. If we set up a node server on port 5000, Chrome can open this with no problems.

Do you have any ideas?

Thanks,
Giles

jens · September 28, 2016, 4:40pm

Hm; I had no trouble loading that URL with the latest Chrome on macOS Sierra. curl works. nscurl --ats-diagnostics works and reports no issues.

Maybe something is messed up with Chrome on your machine? Have you tried this on any other Macs running Sierra?

giles · September 29, 2016, 8:52am

Hi Jens,

Thanks for trying it out. We’ve tried it on two different machines running Sierra, a Macbook Pro and a Mac Mini, and saw the same behaviour on both. That’s why we thought it was a Chrome+SG issue rather than a problem with the machine. It’s obviously not as straightforward as that if it’s working for you.

What version of Chrome are you running? We’re running v53.0.2785.116 (64-bit) on both machines.

Thanks,
Giles

giles · September 29, 2016, 8:54am

Also, do you have a sync gateway that we can point at to try it?

Thanks,
Giles

jens · September 29, 2016, 4:01pm

Ah, I’ve got a newer version — looks like I’m still on the dev channel (I used to work on Chrome years ago and must never have switched back). Mine is “55.0.2873.4 dev (64-bit)”.

From that, I’d guess that this is a Chrome issue that hasn’t made its way into a release yet?

giles · September 29, 2016, 4:40pm

Hi Jens,

Yep, that was it! We upgraded to the dev version and it all works fine.

Thanks very much. We owe you a if you’re ever in London.

Thanks,
Giles