tls_alert->internal error error when trying replication with https and client certificate

[raulmartinezr]

Hello!

Time ago we tried a couch to cocuh replication with HTTPS and client certificates without success (here)

Now we have a different landscape

• Client couchdb replicating docs from server. SSL termination in a HAProxy loadbalancer (https://server-db-hosname:7954)
• Server couchdb behind a HAProxy loadbalancer

HA Loadbalancer seems to be well configured:

• Accesible via browser with certificate
• Accesible with openssl with certificate
• Accesible with CURL with certificate

When we configure a replication server->client, then we see this error

TLS client: In state certify at ssl_handshake.erl:339 generated CLIENT ALERT: Fatal - Internal Error - {unexpected_error,{case_clause,{error,{asn1,{...}}}}}

[notice] 2021-09-21T08:50:56.463953Z nonode@nohost <0.472.0> -------- couch_replicator_scheduler: Job {"44840fd5eee403be79d3990eb6e98441","+continuous+create_target"} started as <0.21425.0>
[info] 2021-09-21T08:50:59.222391Z nonode@nohost <0.21559.0> -------- TLS client: In state certify at ssl_handshake.erl:339 generated CLIENT ALERT: Fatal - Internal Error - {unexpected_error,{case_clause,{error,{asn1,{...}}}}}

[error] 2021-09-21T08:50:59.222979Z nonode@nohost <0.21425.0> -------- couch_replicator_httpc: auth plugin initialization failed "https://server-db-hosname:7954/adsj-val/" {session_request_failed,"https://server-db-hosname:7954/_session","admin",{conn_failed,{error,{tls_alert,"internal error"}}}}
[error] 2021-09-21T08:50:59.223643Z nonode@nohost <0.21425.0> -------- throw:{replication_auth_error,{session_request_failed,"https://db.srv.das-gate.com:7984/_session","admin",{conn_failed,{error,{tls_alert,"internal error"}}}}}: Replication 44840fd5eee403be79d3990eb6e98441+continuous+create_target failed to start "https://server-db-hosname:7954/adsj-val/" -> "http://127.0.0.1:5984/adsj/" doc <<"shards/00000000-7fffffff/_replicator.1632211164">>:<<"fff0c93f6121757aeb14b7e740000e56">> stack

This is the configuration for the replicator

[replicator]
cert_file = /opt/couchdb/etc/local.d/cert.pem
key_file = /opt/couchdb/etc/local.d/key.pem
verify_ssl_certificates = false
ssl_trusted_certificates_file = /opt/couchdb/etc/local.d/cas.pem
ssl_certificate_max_depth = 10

And running curl with same files:

curl --cert /opt/couchdb/etc/local.d/cert.pem --cacert /opt/couchdb/etc/local.d/cas.pem --key /opt/couchdb/etc/local.d/key.pem https://server-db-hosname:7954 -k
{"couchdb":"Welcome","version":"3.1.1","git_sha":"ce596c65d","uuid":"a4c0f58d-c456-4875-bbdb-ef97b1d41bf5","features":["search","access-ready","partitioned","pluggable-storage-engines","reshard","scheduler"],"vendor":{"name":"The Apache Software Foundation"}}

I tried to relax TLS setup in HA Proxy as per https://ssl-config.mozilla.org/#server=haproxy but not luck.

Do you know what could be the cause? Do you have some example to make it run?

Any help would be appreciated! Thanks!
Raúl

[rmartinez-dasnano]

I found the solution. The certificate was the problem.

This issue in @erlang gave me the hint
https://bugs.erlang.org/browse/ERL-1052

BR,
Raúl