I can’t get to work HTTPS with certificate on Android
db server - 5.0
sync server 1.5
java/android
when I’m using BLIPS://myIP:4894/db
I got on sync server - 2017-12-06 00:13:17.584849 I | http: TLS handshake error from x.x.x.163:54269
: remote error: tls: unknown certificate
with openSSL I created .cer and .pem certificate files, inserted in json_config, but don’t understand where in java I should use the certificate.
Assuming you are not using client side certificate authentication (i.e. you are only validating server side cert), you shouldn’t have to do anything within your Android app. What is the authenticator mechanism that you have setup with the replicator?
Presumably, you followed the instructions here to configure the Sync Gateway with the cert.
Couple of points to double check during certificate generation:-
First I opened http://localhost:8091 and set admin/password
Then did open-ssl steps and got 2 files: cert.pem, privkey.pem
I put this 2 files to couchbase dir SSL.
Here is my config.json for my sync server (1.5.1 now):
{
“log”: [" * “],
“SSLCert”:“ssl/cert.pem”,
“SSLKey”:“ssl/privkey.pem”,
“databases”: {
“db”: {
“server”: “10.10.10.2:8091”,
“bucket”: “todo”,
“username”: “admin”,
“password”: “password”,
“users”: {
“GUEST”: { “disabled”: false,
“admin_channels”: [”*"] }},
"unsupported": {"replicator_2": true}
}
}
}
Auth using your code from this
https://codeload.github.com/couchbaselabs/mobile-training-todo/zip/feature/2.0
I changed to this:
private final static String DATABASE_NAME = “todo”;
private final static String SYNCGATEWAY_URL = “blips://myExternalIP:4984/db/”;
I tried also HTTPS.
sync code:
URI uri = new URI(SYNCGATEWAY_URL);
ReplicatorConfiguration config = new ReplicatorConfiguration(database, uri);
config.setReplicatorType(ReplicatorConfiguration.ReplicatorType.PUSH_AND_PULL);
config.setContinuous(true);
// authentication
if (username != null && password != null)
config.setAuthenticator(new BasicAuthenticator(username, password));
replicator = new Replicator(config);
replicator.addChangeListener(this);
replicator.start();
What Common Name or FQDN should I use when generating self-signed certificate ?
my internal IP 10.10.10.2
my external IP (for, example) 200.200.200.200 and for now I dont have dns name, like www.myDomain.com
As mentioned in my original response, for self signed cert
Basically use the IP Address that your client connects to.
Where exactly is the “ssl” folder relative to the folder that contains the SGW binary and what are the access permissions. For debugging purposes, to eliminate the possibility that the SGW can’t access it, can you put the cert and private key in the same folder that contains the Sync Gateway binary (and update the config file accordingly)
Also a terminology clarification - note that in CBM 2.0 you are using BLIP(S) which is websockets based protocol. It is not HTTP(s).
i’m running win7 x64 as admin, so it’s not access permission.
so, in common name I tried 10.10.10.2 and in sync base console got error.
SYNCGATEWAY_URL = “blips://10.10.10.2:4984/db/”
2017-12-07 00:08:37.647628 I | http: TLS handshake error from 10.10.10.141:60074
: remote error: tls: unknown certificate
Here is full log,
COUCHBASE_LITE_VERSION = "2.0.0-DB018"
Sync Server 1.5.1
C:\Program Files (x86)\Couchbase>sync_gateway.exe config.json
2017-12-07T16:06:25.638+03:00 Enabling logging: [*]
2017-12-07T16:06:25.662+03:00 ==== Couchbase Sync Gateway/1.5.1(4;cb9522c) ====
2017-12-07T16:06:25.662+03:00 Opening db /db as bucket “todo”, pool “default”, s
erver <10.10.10.2:>
2017-12-07T16:06:25.663+03:00 GoCBCustomSGTranscoder Opening Couchbase database
todo on <10.10.10.2:> as user "admin"
2017-12-07T16:06:25.958+03:00 Cache: Initializing changes cache with options {Ch
annelCacheOptions:{ChannelCacheMinLength:0 ChannelCacheMaxLength:0 ChannelCacheA
ge:0s} CachePendingSeqMaxWait:5s CachePendingSeqMaxNum:10000 CacheSkippedSeqMaxW
ait:1h0m0s}
2017-12-07T16:06:25.958+03:00 Feed: Starting mutation feed on bucket todo due to
either channel cache mode or doc tracking (auto-import/bucketshadow)
2017-12-07T16:06:25.958+03:00 Feed: Using DCP feed for bucket: “todo” (based on
feed_type specified in config file)
2017-12-07T16:06:25.993+03:00 Feed+: Seeding seqnos: map[465:2 213:1 283:3 531:3
713:2 928:2 895:2 573:5 613:2 962:2 93:5 992:1 720:2 476:1 111:1 637:1 574:1 37
0:3 384:2 608:1 681:1 743:1 140:2 790:2 704:6 520:24 427:1]
2017-12-07T16:06:25.996+03:00 Feed+: Connecting to new bucket datasource. URLs:
[http://10.10.10.2:8091], pool:default, bucket:todo
2017-12-07T16:06:25.996+03:00 Using default sync function ‘channel(doc.channels)
’ for database "db"
2017-12-07T16:06:25.997+03:00 Reset guest user to config
2017-12-07T16:06:25.997+03:00 Starting admin server on 127.0.0.1:4985
2017-12-07T16:06:26.004+03:00 Starting server on :4984 …
2017-12-07T16:06:26.006+03:00 HTTP: Protocols enabled: [http/1.1] on :4984
2017-12-07T16:06:26.005+03:00 HTTP: Protocols enabled: [http/1.1] on 127.0.0.1:4
985
_time=2017-12-07T16:06:26.019+03:00 _level=INFO _msg=Using plain authentication
for user admin
2017-12-07 16:06:40.727798 I | http: TLS handshake error from 10.10.10.140:57225
: remote error: tls: unknown certificate
I am referring to the access of the certs by the Sync Gateway. Did you try what I suggested about putting the certs and PK in same folder as sync gateway and updating the config file as such
Are you seeing “unknown certificate authority” or just “unknown certificate” ? I don’t know what the latter is (@traun - ideas?)
third file, .cer format just for check.
If I change URL string to BLIP, I got message about it’s wrong TLS - something.
private final static String SYNCGATEWAY_URL = “blips://10.10.10.2:4984/db/”;
to
private final static String SYNCGATEWAY_URL = “blip://10.10.10.2:4984/db/”;
2017-12-07 17:45:35.571782 I | http: TLS handshake error from 10.10.10.140:59233
: tls: first record does not look like a TLS handshake
Here is my key generation:
I tried to do something with this, but don’t understand what it mean.
ReplicatorConfiguration config = new ReplicatorConfiguration(database, uri);
config.setPinnedServerCertificate(byte[] cert);
You shouldn’t have to do this unless you are also bundling the server certificate in with your Android app. Are you doing that? If not, please remove this line from your app. It will cause problems if you do that because there is no cert that the client can check against.
This “pinning” of certificate is to guarantee that your app will only authorize a server whose cert matches the cert that it is bundled with
(FYI : Here is a blog post you are interested in learning about cert pinning . Its for iOS but concepts apply to any platform)
I tried this, not working.
It is not a problem to copy .cer file to android device.
AssetManager assetManager = getAssets();
InputStream is = null;
byte[] bytes = new byte[0];
try {
is = assetManager.open("cert.cer");
bytes = IOUtils.toByteArray(is);
} catch (IOException e) {
e.printStackTrace();
}
config.setPinnedServerCertificate(bytes);Hmm…you seem to have the config right . let me look into it to see in more detail on my end.
config.json
{
“log”: [""],
“SSLCert”:“ssl/cert.pem”,
“SSLKey”:“ssl/privkey.pem”,
“databases”: {
“db”: {
“server”: “localhost:”,
“bucket”: “todo”,
“username”: “admin”,
“password”: “password”,
“users”: {
“GUEST”: { “disabled”: false,
“admin_channels”: [""] }},
“unsupported”: {“replicator_2”: true}
}
}
}
Like I said, your config seems fine per docs . It may be something else …we are investigating it. Will keep you posted.
I just tested out self signed certs with Android App with DB 20 and it works just fine. I suspect your cert generation was not OK.
Are you using a simulator for testing ? If so, make sure that the FQDN of your self signed cert is 10.0.2.2 and not localhost .
Then please share output of
curl -k -X GET https://localhost:4984 -H 'cache-control: no-cache' --verbose
https://localhost:4984
ssl folder within the bin folder which contains sync-gatewayls ssl/
cert.pem privkey.pem
openssl x509 -inform PEM -in cert.pem -outform DER -out cert.cer
{
"interface":":4984",
"log": ["*"],
"SSLCert": "ssl/cert.pem",
"SSLKey": "ssl/privkey.pem",
"databases": {
"travel-sample": {
"import_docs": "continuous",
"unsupported": {
"replicator_2":true
},
"bucket":"travel-sample",
"server": "http://localhost:8091",
"enable_shared_bucket_access":true
}
}
curl -k -X GET https://localhost:4984 -H ‘cache-control: no-cache’ --verbose
https://localhost:4984
{“couchdb”:“Welcome”,“vendor”:{“name”:“Couchbase Sync Gateway”,“version”:1.5},“version”:“Couchbase Sync Gateway/1.5.1(4;cb9522c)”}
I’m using this openSSL for windows - https://wiki.openssl.org/index.php/Binaries
Win64 OpenSSL v1.0.2m
From curl output, it looks like your SGW is configured for SSL correctly. So we know that SGW is handling SSL requests correctly.
Are you trying to connect from Android device or emulator? If you are using a localhost, please generate the certificate for 10.0.2.2 FQDN and connect via blips://10.0.2.2/ .
Wondering if the version of TLS/SSL that is being used from the client is unsupported …confirm that it is at least v1.2.
Try to load the SGW url from the Android browser and see if it connects OK.
