ToDo 2.0 and BLIPS

I can’t get to work HTTPS with certificate on Android

db server - 5.0
sync server 1.5

when I’m using BLIPS://myIP:4894/db
I got on sync server - 2017-12-06 00:13:17.584849 I | http: TLS handshake error from x.x.x.163:54269
: remote error: tls: unknown certificate

with openSSL I created .cer and .pem certificate files, inserted in json_config, but don’t understand where in java I should use the certificate.

Assuming you are not using client side certificate authentication (i.e. you are only validating server side cert), you shouldn’t have to do anything within your Android app. What is the authenticator mechanism that you have setup with the replicator?

Presumably, you followed the instructions here to configure the Sync Gateway with the cert.

Couple of points to double check during certificate generation:-

  • Install the certificates in a location accesible to the Sync Gateway
  • If you are generating a self-signed certificate, probably the most important field is the CommonName. It should be your Sync Gateway’s FQDN. If you Sync Gateway does not have one, then you must specify use localhost for localhost or the static IPAddress of your Sync Gateway. This issue will typically result in an “Unknown Certificate Authority” error though…
  • The certificate and corresponding private key must be in .pem format

First I opened http://localhost:8091 and set admin/password

Then did open-ssl steps and got 2 files: cert.pem, privkey.pem
I put this 2 files to couchbase dir SSL.

Here is my config.json for my sync server (1.5.1 now):

“log”: [" * “],
“databases”: {
“db”: {
“server”: “”,
“bucket”: “todo”,
“username”: “admin”,
“password”: “password”,
“users”: {
“GUEST”: { “disabled”: false,
“admin_channels”: [”*"] }},

"unsupported": {"replicator_2": true}


Auth using your code from this

I changed to this:
private final static String DATABASE_NAME = “todo”;
private final static String SYNCGATEWAY_URL = “blips://myExternalIP:4984/db/”;

I tried also HTTPS.

sync code:

ReplicatorConfiguration config = new ReplicatorConfiguration(database, uri);

// authentication
if (username != null && password != null)
config.setAuthenticator(new BasicAuthenticator(username, password));

replicator = new Replicator(config);

What Common Name or FQDN should I use when generating self-signed certificate ?

my internal IP
my external IP (for, example) and for now I dont have dns name, like

As mentioned in my original response, for self signed cert

Basically use the IP Address that your client connects to.

Where exactly is the “ssl” folder relative to the folder that contains the SGW binary and what are the access permissions. For debugging purposes, to eliminate the possibility that the SGW can’t access it, can you put the cert and private key in the same folder that contains the Sync Gateway binary (and update the config file accordingly)

Also a terminology clarification - note that in CBM 2.0 you are using BLIP(S) which is websockets based protocol. It is not HTTP(s).

i’m running win7 x64 as admin, so it’s not access permission.
so, in common name I tried and in sync base console got error.
SYNCGATEWAY_URL = “blips://”

2017-12-07 00:08:37.647628 I | http: TLS handshake error from
: remote error: tls: unknown certificate

Here is full log,
Sync Server 1.5.1

C:\Program Files (x86)\Couchbase>sync_gateway.exe config.json
2017-12-07T16:06:25.638+03:00 Enabling logging: [*]
2017-12-07T16:06:25.662+03:00 ==== Couchbase Sync Gateway/1.5.1(4;cb9522c) ====
2017-12-07T16:06:25.662+03:00 Opening db /db as bucket “todo”, pool “default”, s
erver <>
2017-12-07T16:06:25.663+03:00 GoCBCustomSGTranscoder Opening Couchbase database
todo on <> as user "admin"
2017-12-07T16:06:25.958+03:00 Cache: Initializing changes cache with options {Ch
annelCacheOptions:{ChannelCacheMinLength:0 ChannelCacheMaxLength:0 ChannelCacheA
ge:0s} CachePendingSeqMaxWait:5s CachePendingSeqMaxNum:10000 CacheSkippedSeqMaxW
2017-12-07T16:06:25.958+03:00 Feed: Starting mutation feed on bucket todo due to
either channel cache mode or doc tracking (auto-import/bucketshadow)
2017-12-07T16:06:25.958+03:00 Feed: Using DCP feed for bucket: “todo” (based on
feed_type specified in config file)
2017-12-07T16:06:25.993+03:00 Feed+: Seeding seqnos: map[465:2 213:1 283:3 531:3
713:2 928:2 895:2 573:5 613:2 962:2 93:5 992:1 720:2 476:1 111:1 637:1 574:1 37
0:3 384:2 608:1 681:1 743:1 140:2 790:2 704:6 520:24 427:1]
2017-12-07T16:06:25.996+03:00 Feed+: Connecting to new bucket datasource. URLs:
[], pool:default, bucket:todo
2017-12-07T16:06:25.996+03:00 Using default sync function ‘channel(doc.channels)
’ for database "db"
2017-12-07T16:06:25.997+03:00 Reset guest user to config
2017-12-07T16:06:25.997+03:00 Starting admin server on
2017-12-07T16:06:26.004+03:00 Starting server on :4984 …
2017-12-07T16:06:26.006+03:00 HTTP: Protocols enabled: [http/1.1] on :4984
2017-12-07T16:06:26.005+03:00 HTTP: Protocols enabled: [http/1.1] on
_time=2017-12-07T16:06:26.019+03:00 _level=INFO _msg=Using plain authentication
for user admin
2017-12-07 16:06:40.727798 I | http: TLS handshake error from
: remote error: tls: unknown certificate

I am referring to the access of the certs by the Sync Gateway. Did you try what I suggested about putting the certs and PK in same folder as sync gateway and updating the config file as such

Are you seeing “unknown certificate authority” or just “unknown certificate” ? I don’t know what the latter is (@traun - ideas?)

third file, .cer format just for check.

If I change URL string to BLIP, I got message about it’s wrong TLS - something.
private final static String SYNCGATEWAY_URL = “blips://”;
private final static String SYNCGATEWAY_URL = “blip://”;

2017-12-07 17:45:35.571782 I | http: TLS handshake error from
: tls: first record does not look like a TLS handshake

Here is my key generation:

I tried to do something with this, but don’t understand what it mean.

ReplicatorConfiguration config = new ReplicatorConfiguration(database, uri);
config.setPinnedServerCertificate(byte[] cert);

You shouldn’t have to do this unless you are also bundling the server certificate in with your Android app. Are you doing that? If not, please remove this line from your app. It will cause problems if you do that because there is no cert that the client can check against.

This “pinning” of certificate is to guarantee that your app will only authorize a server whose cert matches the cert that it is bundled with
(FYI : Here is a blog post you are interested in learning about cert pinning . Its for iOS but concepts apply to any platform)

I tried this, not working.
It is not a problem to copy .cer file to android device.


    AssetManager assetManager = getAssets();
    InputStream is = null;
    byte[] bytes = new byte[0];
    try {
        is ="cert.cer");
        bytes = IOUtils.toByteArray(is);
    } catch (IOException e) {

I checked by Process Monitor that certificate file being read.

Hmm…you seem to have the config right . let me look into it to see in more detail on my end.


“log”: [""],
“databases”: {
“db”: {
“server”: “localhost:”,
“bucket”: “todo”,
“username”: “admin”,
“password”: “password”,
“users”: {
“GUEST”: { “disabled”: false,
“admin_channels”: ["
"] }},
“unsupported”: {“replicator_2”: true}

Like I said, your config seems fine per docs . It may be something else …we are investigating it. Will keep you posted.

I just tested out self signed certs with Android App with DB 20 and it works just fine. I suspect your cert generation was not OK.

curl -k -X GET https://localhost:4984   -H 'cache-control: no-cache' --verbose
  • Open in your browser and let us know what you see.
  • My cert and pem are located in ssl folder within the bin folder which contains sync-gateway
ls  ssl/
cert.pem  privkey.pem
  • The Android side code looks fine. Assuming the cert was generated correctly
openssl x509 -inform PEM -in cert.pem -outform DER -out cert.cer
  • Note : While not related to the issue, from your JSON config, it appears that you haven’t setup your server for shared bucket access. You may want to do that as discussed here
  "log": ["*"],
  "SSLCert": "ssl/cert.pem",
  "SSLKey": "ssl/privkey.pem",
  "databases": {
    "travel-sample": {
      "import_docs": "continuous",
      "unsupported": {
      "server": "http://localhost:8091",

curl -k -X GET https://localhost:4984 -H ‘cache-control: no-cache’ --verbose

{“couchdb”:“Welcome”,“vendor”:{“name”:“Couchbase Sync Gateway”,“version”:1.5},“version”:“Couchbase Sync Gateway/1.5.1(4;cb9522c)”}

I’m using this openSSL for windows -
Win64 OpenSSL v1.0.2m

From curl output, it looks like your SGW is configured for SSL correctly. So we know that SGW is handling SSL requests correctly.

Are you trying to connect from Android device or emulator? If you are using a localhost, please generate the certificate for FQDN and connect via blips:// .

Wondering if the version of TLS/SSL that is being used from the client is unsupported …confirm that it is at least v1.2.

Try to load the SGW url from the Android browser and see if it connects OK.