Upgrading Sync Gateway from 1.2 to 1.3 results in fatal error

sync_gateway config files.zip (1.4 KB)
Hi. I get the following error when trying to start sync gateway after upgrading from 1.2 to 1.3:

2016-09-23T13:06:50.727-05:00 ==== Couchbase Sync Gateway/1.3.0(274;8c3ee28) ====
2016-09-23T13:06:50.727-05:00 requestedSoftFDLimit < currentSoftFdLimit (5000 < 65535) no action needed
2016-09-23T13:06:50.727-05:00 Opening db /db as bucket "test_app", pool "default", server <https://myserver:8091>
2016-09-23T13:06:50.727-05:00 Opening Couchbase database test_app on <https://myserver:8091>
2016-09-23T13:06:50.730-05:00 FATAL: Error opening database: 502  Unable to connect to Couchbase Server (connection refused). Please ensure it is running and reachable at the configured host and port.  Detailed error: Get https://myserver:8091/pools: tls: oversized record received with length 20527 -- rest.RunServer() at config.go:681

Changing the sync gateway config file allowed me to successfully restart sync gateway:

Old:

"adminInterface": "localhost:4985",
"databases":<dbname>:"server": "https://myserver:8091",

New:

"adminInterface": "myserver:4985",
"databases":<dbname>:"server": "http://myserver:8091",

Why was it necessary to change the sync gateway configuration file? In case it helps, please see the attached zip file for the 2 config files.

Thanks!
J.C.

Your Couchbase Server isn’t serving HTTPS at port 8091, just regular unencrypted HTTP. So the URL https://myserver:8091 isn’t valid. SG tried to open an SSL connection and the handshake failed because it wasn’t receiving SSL data.

Did you change your db server configuration lately? Otherwise I don’t know how this would ever have worked.

Nope, haven’t changed it lately. Everything worked just fine when we were using SG 1.2 and the old config file. However, if it makes a difference, we’re using Couchbase Server 4.1.0-5005 in addition to Sync Gateway 1.3.

Did you set up SSL on your Couchbase Server? If so, what port is it serving SSL on?

Yes, 443. My colleague reminded me that we have Nginx configured as well.

Then the server URL in your config should be https://myserver:443, right?

That’s what we originally had. And this worked with SG 1.2. But for some reason, upgrading to 1.3 broke things.

But that’s not what you originally said:

You said port 8091, not 443.

Sorry, just to clarify: By “old” I meant that that was the working configuration I was using for SG 1.2. Upgrading to SG 1.3 resulted in the error above. Between upgrades, I hadn’t touched any other configuration files.

Per your suggestion, I tried changing this line from

"databases":<dbname>:"server": "https://myserver:8091",

to

"databases":<dbname>:"server": "https://myserver:443",

and got this error instead when restarting SG:

2016-09-23T19:17:28.094-05:00 ==== Couchbase Sync Gateway/1.3.0(274;8c3ee28) ====
2016-09-23T19:17:28.094-05:00 requestedSoftFDLimit < currentSoftFdLimit (5000 < 65535) no action needed
2016-09-23T19:17:28.094-05:00 Opening db /db as bucket "test_app", pool "default", server <https://vtfsmpmcouch01.fsm.northwestern.edu:443>
2016-09-23T19:17:28.095-05:00 Opening Couchbase database test_app on <https://vtfsmpmcouch01.fsm.northwestern.edu:443>
2016-09-23T19:17:28.120-05:00 FATAL: Error opening database: 502  Unable to connect to Couchbase Server (connection refused). Please ensure it is running and reachable at the configured host and port.  Detailed error: HTTP error 502 Bad Gateway getting "https://vtfsmpmcouch01.fsm.northwestern.edu:443/pools": 
<html>
<head><title>502 Bad Gateway</title></head>
<body bgcolor="white">
<center><h1>502 Bad Gateway</h1></center>
<hr><center>nginx/1.10.0</center>
</body>
</html>
 -- rest.RunServer() at config.go:681
2016-09-23T19:17:28.500-05:00 Enabling logging: [*]

Well, anyway: The correct URL to use is whatever the URL is for the REST interface of your Couchbase Server.

It definitely looks like the URL you were using with 1.2 was wrong, since the db server isn’t serving SSL on port 8091, but for some reason it worked with SG 1.2. I don’t know why …

(My only hypothesis is that maybe Go’s net/http package used to automatically downgrade to cleartext when it couldn’t make an SSL connection, but that they took that behavior out in the version of Go that SG 1.3 is built with? I think this is unlikely, though, because silently downgrading to cleartext would be a terrible idea from a security standpoint.)

Anyway, it sounds like you’ve got things working now, so maybe it’s best to just get on with life :confused:

Posting this here from Github in case it helps anyone else:

The issue was with App Transport Security Settings. With Couchbase Lite 1.2, the value of NSExceptionMinimumTLSVersion was TLSv1.2. After upgrading to Couchbase Lite 1.3.1 syncing just stopped working. Changing the value of NSExceptionMinimumTLSVersion to TLSv1.0 fixed everything.

I stumbled upon this SO Post, which suggested the use of

nscurl --ats-diagnostics https://example.com

The output basically clued me into the TLS minimum version:

Configuring TLS exceptions with PFS disabled and insecure HTTP allowed for vtfsmpmcouch01.fsm.northwestern.edu

---
TLSv1.2 with PFS disabled and insecure HTTP allowed
2016-09-26 11:36:05.769 nscurl[72079:4238506] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9824)
Result : FAIL
---

---
TLSv1.1 with PFS disabled and insecure HTTP allowed
2016-09-26 11:36:05.828 nscurl[72079:4238506] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9824)
Result : FAIL
---

---
TLSv1.0 with PFS disabled and insecure HTTP allowed
Result : PASS
---
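The nscurl report above checks the ATS TLS floors from the client side. As an added example (not Apple's, Couchbase's or the poster's code), this Go probe does the complementary check against the server, one pinned protocol version per handshake, so an operator can see whether the front end offers TLS 1.2 at all before deciding between loosening NSExceptionMinimumTLSVersion and raising the proxy's TLS version; the TLS 1.0-only test server and the 127.0.0.1 server name are constructed stand-ins.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// The protocol floors an ATS diagnostic walks through, highest first.
var versions = []struct {
	name string
	id   uint16
}{{"TLSv1.3", tls.VersionTLS13}, {"TLSv1.2", tls.VersionTLS12}, {"TLSv1.1", tls.VersionTLS11}, {"TLSv1.0", tls.VersionTLS10}}

// ProbeVersions attempts one handshake per protocol version, pinned with MinVersion == MaxVersion
// so nothing else can be negotiated, and records PASS (true) or FAIL per version as nscurl does.
func ProbeVersions(addr, serverName string, roots *x509.CertPool) map[string]bool {
	out := make(map[string]bool, len(versions))
	for _, v := range versions {
		cfg := &tls.Config{MinVersion: v.id, MaxVersion: v.id, ServerName: serverName, RootCAs: roots}
		conn, err := tls.Dial("tcp", addr, cfg)
		if err == nil {
			conn.Close()
		}
		out[v.name] = err == nil
	}
	return out
}

// legacyTLSServer is a constructed stand-in for the thread's nginx front end: a TLS listener
// whose highest offered protocol version is maxVersion.
func legacyTLSServer(maxVersion uint16) *httptest.Server {
	srv := httptest.NewUnstartedServer(http.NotFoundHandler())
	srv.TLS = &tls.Config{MinVersion: tls.VersionTLS10, MaxVersion: maxVersion}
	srv.StartTLS()
	return srv
}

func main() {
	srv := legacyTLSServer(tls.VersionTLS10) // the ceiling the nscurl report in the thread implies
	defer srv.Close()
	roots := x509.NewCertPool()
	roots.AddCert(srv.Certificate())
	res := ProbeVersions(srv.Listener.Addr().String(), "127.0.0.1", roots)
	for _, v := range versions {
		fmt.Printf("%s  Result : %s\n", v.name, map[bool]string{true: "PASS", false: "FAIL"}[res[v.name]])
	}
}
```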