Handle Certificate Errors

Specific errors can arise from use of X.509 certificates: these should be recognized and appropriately dealt with.

Cluster Certificate Errors

The following error messages may be encountered when configuring the cluster CA certificate:

Couchbase Error Message Description Suggested User Action

Couchbase Error Message	Description	Suggested User Action
`Certificate should not be empty`	This error message can occur if the request body of the certificate is empty.	Open the certificate file, and verify whether it is empty or not. The certificate file should be readable using openssl or via online SSL tools such as sslchecker.
`Certificate is not valid at this time`	This error message can occur if the certificate has expired, or is not yet valid.	Verify whether the certificate validity-dates (begins on, and expires on) are currently valid corresponding to the server clock time.
`Malformed certificate`	This error message can occur due to many reasons - an extra space in the certificate digest body, incorrect certificate format, and so on.	Use a properly configured certificate, and make sure it’s readable, using `openssl`. It should look as follows: Certificate begins with `-----BEGIN CERTIFICATE-----` and ends with `-----END CERTIFICATE-----` on a new line with no spaces before or after.
`Only one certificate per request is allowed`	Appears when the file contains more than one key or certificate.	Open the `.pem` file, and make sure that it has only a single certificate digest (such as single `BEGIN CERTIFICATE,` `END CERTIFICATE` pragmas).
`Encrypted certificates are not supported`	This error message can occur if you are trying to load a certificate that is encrypted. Verify by opening the certificate file. If you see something similar to the line shown below, you will know your certificate is encrypted.: `-----BEGIN RSA PRIVATE KEY-----`	Couchbase does not support encrypted certificates. Decrypt the certificate with `openssl` before loading the certificate in Couchbase. `openssl rsa -in privateKey.pem -out newPrivateKey.pem`
`Invalid certificate type: ~s`	Appears when a header other than `BEGIN CERTIFICATE` has been found.	Open the certificate file, and verify whether it is a valid certificate. The certificate file should be readable using `openssl` or via online SSL tools such as sslchecker.

Certificate should not be empty

This error message can occur if the request body of the certificate is empty.

Open the certificate file, and verify whether it is empty or not. The certificate file should be readable using openssl or via online SSL tools such as sslchecker.

Certificate is not valid at this time

This error message can occur if the certificate has expired, or is not yet valid.

Verify whether the certificate validity-dates (begins on, and expires on) are currently valid corresponding to the server clock time.

Malformed certificate

This error message can occur due to many reasons - an extra space in the certificate digest body, incorrect certificate format, and so on.

Use a properly configured certificate, and make sure it’s readable, using openssl. It should look as follows: Certificate begins with

-----BEGIN CERTIFICATE-----

and ends with

-----END CERTIFICATE-----

on a new line with no spaces before or after.

Only one certificate per request is allowed

Appears when the file contains more than one key or certificate.

Open the .pem file, and make sure that it has only a single certificate digest (such as single BEGIN CERTIFICATE, END CERTIFICATE pragmas).

Encrypted certificates are not supported

This error message can occur if you are trying to load a certificate that is encrypted. Verify by opening the certificate file. If you see something similar to the line shown below, you will know your certificate is encrypted.:

-----BEGIN RSA PRIVATE KEY-----

Couchbase does not support encrypted certificates. Decrypt the certificate with openssl before loading the certificate in Couchbase.

openssl rsa -in privateKey.pem -out newPrivateKey.pem

Invalid certificate type: ~s

Appears when a header other than BEGIN CERTIFICATE has been found.

Open the certificate file, and verify whether it is a valid certificate. The certificate file should be readable using openssl or via online SSL tools such as sslchecker.

Node Certificate Errors

The following error messages may be encountered when configuring the node certificate:

Couchbase Error Message Description Suggested User Action

Couchbase Error Message	Description	Suggested User Action
`Cluster CA needs to be set before setting node certificate`	This error can occur when your cluster is still using the self-generated certificate, and you are attempting to configure a node certificate.	Set up the cluster CA certificate before configuring the per node certificate.
`Incorrectly configured certificate chain. <Error>`	Denotes an invalid certificate in the chain file when configuring Couchbase.	Chain file should contain a sequence of PEM (base64) encoded X.509 certificates ordered from leaf to and including the intermediate certificate authorities.
`Unable to read private key file <Path>. <Error>`	`<Error>` is one of the file read errors.	Make sure that you have copied an unencrypted version of the private key file to the inbox folder on the Couchbase node.
`Unable to read certificate chain file <Path>. <Error>`	`<Error>` is one of the file read errors.	Make sure that you have copied an unencrypted version of the chain file to the inbox folder on the Couchbase node.
`Invalid private key type: <Type>`	The private key has an unsupported header.	Make sure that you use a valid private key file.
`Provided certificate doesn’t match provided private key`	The certificate doesn’t recognize the message signed with a private key.	Be sure that you use a complete key pair
`Encrypted keys are not supported`	The private key is encrypted.	Couchbase does not support encrypted keys. You should decrypt the private key with OpenSSL before loading the certificate in Couchbase.
`Provided private key contains incorrect number of entries`	The private key is a chain of entries.	The private key file should contain a single key digest.
`Malformed or unsupported private key format`	The private key cannot be used.	Open the key file, and verify whether it is a valid private key. The certificate file should be readable using `openssl`.
`File does not exist`	The file is missing, does not exist.	Add the missing file.
`Missing permission for reading the file, or for searching one of the parent directories`	You don’t have the proper permissions to read the file or to search its parent directories.	Change the permissions to allow you to read the file.

Cluster CA needs to be set before setting node certificate

This error can occur when your cluster is still using the self-generated certificate, and you are attempting to configure a node certificate.

Set up the cluster CA certificate before configuring the per node certificate.

Incorrectly configured certificate chain. <Error>

Denotes an invalid certificate in the chain file when configuring Couchbase.

Chain file should contain a sequence of PEM (base64) encoded X.509 certificates ordered from leaf to and including the intermediate certificate authorities.

Unable to read private key file <Path>. <Error>

<Error> is one of the file read errors.

Make sure that you have copied an unencrypted version of the private key file to the inbox folder on the Couchbase node.

Unable to read certificate chain file <Path>. <Error>

<Error> is one of the file read errors.

Make sure that you have copied an unencrypted version of the chain file to the inbox folder on the Couchbase node.

Invalid private key type: <Type>

The private key has an unsupported header.

Make sure that you use a valid private key file.

Provided certificate doesn’t match provided private key

The certificate doesn’t recognize the message signed with a private key.

Be sure that you use a complete key pair

Encrypted keys are not supported

The private key is encrypted.

Couchbase does not support encrypted keys. You should decrypt the private key with OpenSSL before loading the certificate in Couchbase.

Provided private key contains incorrect number of entries

The private key is a chain of entries.

The private key file should contain a single key digest.

Malformed or unsupported private key format

The private key cannot be used.

Open the key file, and verify whether it is a valid private key. The certificate file should be readable using openssl.

File does not exist

The file is missing, does not exist.

Add the missing file.

Missing permission for reading the file, or for searching one of the parent directories

You don’t have the proper permissions to read the file or to search its parent directories.

Change the permissions to allow you to read the file.