TLS/SSL Cert. error on web socket connection to sync.gateway

I have an app that has not been updated in 6 months - so obviously all of the develop. tools etc. move ahead - and that may be causing this issue… But I cannot find any pointers to solve it.

I have changed my Mac to an M1 version where I run Visual Studio 2019 for Mac. So I had to create new Android emulators (running ARM - blistering fast!). But when my app tries to connect to the sync.gateway I get errors like this:

[CouchbaseLite] [Thread Pool Worker]| [Replicator] (WebSocketWrapper) [Thread Pool Worker (31)] Error validating TLS chain: RemoteCertificateChainErrors
Thread started:  #34
Thread finished:  #34
Thread started:  #35
Thread started:  #36
Thread finished:  #35
Thread started:  #37
[CouchbaseLite] [37]| [Network] {N8litecore4repl12C4SocketImplE#3} WebSocket failed to connect! (reason=Network error 8)
[CouchbaseLite] [38]| [Replicator] {Repl#4} Got LiteCore error: Network error 8 "Certificate verification failed (RemoteCertificateChainErrors)"
[DbDataStore] PushAndPull Replicator: 0/0, error CouchbaseLiteException (NetworkDomain / 8): Certificate verification failed (RemoteCertificateChainErrors)., activity = Connecting
[DbDataStore] Error :: Couchbase.Lite.CouchbaseNetworkException: CouchbaseLiteException (NetworkDomain / 8): Certificate verification failed (RemoteCertificateChainErrors).
[DbDataStore] PushAndPull Replicator: 0/0, error CouchbaseLiteException (NetworkDomain / 8): Certificate verification failed (RemoteCertificateChainErrors)., activity = Stopped
[DbDataStore] Error :: Couchbase.Lite.CouchbaseNetworkException: CouchbaseLiteException (NetworkDomain / 8): Certificate verification failed (RemoteCertificateChainErrors).

This is working on iOS so the certificate isn’t really invalid. It is a LetsEncrypt cert. that expires on 22-04-2022.

Sync. gateway is version 2.8.2 CE
Couchbase Lite is version: 2.8.6

I would rather not upgrade to 3 until there is due time to fix any breaking functionality :innocent:

Any ideas what could be causing this issue?

Can you confirm that you are using the iOS platform, not Java on Windows?

Not entirely sure what you are asking about. I see the problem on Android (10 & 12). And it is working on an iOS simulator (iOS 15.4).

Visual Studio is version 2019 on MacOS running Monterey (version 12.2.1)

The sync.gateway is running on CentOS 7

So no Windows involved anywhere :slightly_smiling_face:

Hmmmm… this may be a more generic issue with Android emulators as I seem not to be able to use a control to show an image from an HTTPS source either… :unamused:

duh… my bad. I meant Java on MacOS, sorry.

The reason I ask is that that does not look like any Android log that I’ve ever seen. I’m just trying to figure out what it is.

@blake.meike, I found out that I had to force the use of the native HTTP client that I had configured for the projects to be used when trying to show images. That solved the TLS issues. Is there a similar thing I can do to tell Couchbase Lite to use the “right” HTTP client for the WSS connection?

I still get these errors:

[CouchbaseLite] [Thread Pool Worker]| [Replicator] (WebSocketWrapper) [Thread Pool Worker (15)] Error validating TLS chain: RemoteCertificateChainErrors
[CouchbaseLite] [32]| [Network] {N8litecore4repl12C4SocketImplE#3} WebSocket failed to connect! (reason=Network error 8)
[CouchbaseLite] [33]| [Replicator] {Repl#4} Got LiteCore error: Network error 8 "Certificate verification failed (RemoteCertificateChainErrors)"

The TLS certificate is valid (it’s a LetsEncrypt cert.)

This is what I had to do for the image loader:

// Use same http client as set up in project (native handler & TLS1.2+)
FFImageLoading.ImageService.Instance.Initialize(new FFImageLoading.Config.Configuration {
    HttpClient = new System.Net.Http.HttpClient()
});

But I haven’t found a way to do something similar for the Replicator in Couchbase Lite…

Hi @jda

Is this a Xamarin project by chance?

Thanks
Aaron

Yep, it is! :wink:

… and this message has to be at least 20 characters :joy:


So the error you are getting is in the certificate chain:

RemoteCertificateChainErrors

I know this sounds strange, but I would check your certificate using SSL Checker and make sure the full chain (path including intermediates) is set up properly.

Check out this post on the LetsEncrypt forums as I think you are experiencing the same problem:

In the past when I had this problem I had load balancing in front of a Sync Gateway cluster and I didn’t install both the root and intermediate certificate on the Nginx server, and that caused issues. It turns out iOS, which you think would be more secure, doesn’t check the full certificate path - it assumes if the Root is trusted then anything under it is also trusted - at least in my experience.

Thanks
Aaron
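As an added illustration of the point above (example code, not from this thread, Couchbase or Let's Encrypt), the Go program below builds a constructed root -> intermediate -> leaf chain in memory and then verifies the leaf the way a strict client such as Android or Mono's managed TLS stack does: it trusts only the root and uses only the intermediates the server actually sent, never fetching a missing one. The CA names and `sync.example.test` are placeholders.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// tmpl builds a minimal certificate template; ca toggles the BasicConstraints CA flag.
func tmpl(serial int64, cn string, ca bool) *x509.Certificate {
	return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: ca, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign}
}

// issue signs t with parent/parentKey (nil parent = self-signed) and returns the cert and its new key.
func issue(t, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	if parent == nil {
		parent, parentKey = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// BuildTestPKI returns a constructed root -> intermediate -> leaf chain (stand-in for a real CA, e.g. Let's Encrypt).
func BuildTestPKI() (root, inter, leaf *x509.Certificate) {
	root, rootKey := issue(tmpl(1, "Constructed Root", true), nil, nil)
	inter, interKey := issue(tmpl(2, "Constructed Intermediate", true), root, rootKey)
	leaf, _ = issue(tmpl(3, "sync.example.test", false), inter, interKey)
	return root, inter, leaf
}

// VerifyServed acts like a strict client (Android, Mono managed TLS): root is the only trust anchor and the only usable intermediates are those the server sent.
func VerifyServed(served []*x509.Certificate, root *x509.Certificate) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range served[1:] {
		inters.AddCert(c)
	}
	_, err := served[0].Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters})
	return err
}
```

Serving `[leaf, inter]` verifies; serving `[leaf]` alone fails with "certificate signed by unknown authority", which is the same class of failure the RemoteCertificateChainErrors log line reports, so the fix is to make Nginx send the full chain (fullchain.pem, not cert.pem).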

Hi @biozal

Yes, I’m sure it is the same issue. I also saw it with the images. The workaround of manually editing the certificate proved it - but obviously wasn’t the solution. However, changing the code to use the native HTTP client works for the images - hence my question about this for the websocket connection. That would be a cleaner solution than having to specify a specific chain cert in the LetsEncrypt certbot. That would just be a “bomb” hitting in 2024…

And as you mention, I have an Nginx proxy in front of the website as well as the sync gateway. All looks good in SSL Checker.

/John