2016-09-23T13:06:50.727-05:00 ==== Couchbase Sync Gateway/1.3.0(274;8c3ee28) ====
2016-09-23T13:06:50.727-05:00 requestedSoftFDLimit < currentSoftFdLimit (5000 < 65535) no action needed
2016-09-23T13:06:50.727-05:00 Opening db /db as bucket "test_app", pool "default", server < https://myserver:8091>
2016-09-23T13:06:50.727-05:00 Opening Couchbase database test_app on <https://myserver:8091>
2016-09-23T13:06:50.730-05:00 FATAL: Error opening database: 502 Unable to connect to Couchbase Server (connection refused). Please ensure it is running and reachable at the configured host and port. Detailed error: Get https://myserver:8091/pools: tls: oversized record received with length 20527 -- rest.RunServer() at config.go:681
Changing the sync gateway config file allowed me to successfully restart sync gateway:
Your Couchbase Server isn’t serving HTTPS at port 8091, just regular unencrypted HTTP. So the URL https://myserver:8091 isn’t valid. SG tried to open an SSL connection and the handshake failed because it wasn’t receiving SSL data.
Did you change your db server configuration lately? Otherwise I don’t know how this would ever have worked.
Nope, haven’t changed it lately. Everything worked just fine when we were using SG 1.2 and the old config file. However, if it makes a difference, we’re using Couchbase Server 4.1.0-5005 in addition to Sync Gateway 1.3.
Sorry, just to clarify: By “old” I meant that that was the working configuration I was using for SG 1.2. Upgrading to SG 1.3 resulted in the error above. Between upgrades, I hadn’t touched any other configuration files.
Per your suggestion, I tried changing this line from
2016-09-23T19:17:28.094-05:00 ==== Couchbase Sync Gateway/1.3.0(274;8c3ee28) ====
2016-09-23T19:17:28.094-05:00 requestedSoftFDLimit < currentSoftFdLimit (5000 < 65535) no action needed
2016-09-23T19:17:28.094-05:00 Opening db /db as bucket "test_app", pool "default", server <https://vtfsmpmcouch01.fsm.northwestern.edu:443>
2016-09-23T19:17:28.095-05:00 Opening Couchbase database test_app on <https://vtfsmpmcouch01.fsm.northwestern.edu:443>
2016-09-23T19:17:28.120-05:00 FATAL: Error opening database: 502 Unable to connect to Couchbase Server (connection refused). Please ensure it is running and reachable at the configured host and port. Detailed error: HTTP error 502 Bad Gateway getting "https://vtfsmpmcouch01.fsm.northwestern.edu:443/pools":
<head><title>502 Bad Gateway</title></head>
<center><h1>502 Bad Gateway</h1></center>
-- rest.RunServer() at config.go:681
2016-09-23T19:17:28.500-05:00 Enabling logging: [*]
Well, anyway: The correct URL to use is whatever the URL is for the REST interface of your Couchbase Server.
It definitely looks like the URL you were using with 1.2 was wrong, since the db server isn’t serving SSL on port 8091, but for some reason it worked with SG 1.2. I don’t know why …
(My only hypothesis is that maybe Go’s net/http package used to automatically downgrade to cleartext when it couldn’t make an SSL connection, but that they took that behavior out in the version of Go that SG 1.3 is built with? I think this is unlikely, though, because silently downgrading to cleartext would be a terrible idea from a security standpoint.)
Anyway, it sounds like you’ve got things working now, so maybe it’s best to just get on with life
Posting this here from Github in case it helps anyone else:
The issue was with App Transport Security Settings. With Couchbase Lite 1.2, the value of NSExceptionMinimumTLSVersion was TLSv1.2. After upgrading to Couchbase Lite 1.3.1 syncing just stopped working. Changing the value of NSExceptionMinimumTLSVersion to TLSv1.0 fixed everything.
I stumbled upon this SO Post, which suggested the use of
nscurl --ats-diagnostics https://example.com
The output basically clued me into the TLS minimum version:
Configuring TLS exceptions with PFS disabled and insecure HTTP allowed for vtfsmpmcouch01.fsm.northwestern.edu
TLSv1.2 with PFS disabled and insecure HTTP allowed
2016-09-26 11:36:05.769 nscurl[72079:4238506] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9824)
Result : FAIL
TLSv1.1 with PFS disabled and insecure HTTP allowed
2016-09-26 11:36:05.828 nscurl[72079:4238506] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9824)
Result : FAIL
TLSv1.0 with PFS disabled and insecure HTTP allowed
Result : PASS