Handle Certificate Errors
Specific errors can arise from use of X.509 certificates: these should be recognized and appropriately dealt with.
Cluster Certificate Errors
The following error messages may be encountered when configuring the cluster CA certificate:
Couchbase Error Message | Description | Suggested User Action |
---|---|---|
| | This error message can occur if the request body of the certificate is empty. | Open the certificate file, and verify whether it is empty or not. The certificate file should be readable using openssl or via online SSL tools such as sslchecker. |
| | This error message can occur if the certificate has expired, or is not yet valid. | Verify whether the certificate validity dates (begins on, and expires on) are currently valid with respect to the server clock time. |
| | This error message can occur for many reasons: an extra space in the certificate digest body, an incorrect certificate format, and so on. | Use a properly configured certificate, and make sure it’s readable, using and ends with on a new line with no spaces before or after. |
| | Appears when the file contains more than one key or certificate. | Open the |
| | This error message can occur if you are trying to load a certificate that is encrypted. Verify by opening the certificate file. If you see something similar to the line shown below, you will know your certificate is encrypted: | Couchbase does not support encrypted certificates. Decrypt the certificate with |
| | Appears when a header other than | Open the certificate file, and verify whether it is a valid certificate. The certificate file should be readable using |
Node Certificate Errors
The following error messages may be encountered when configuring the node certificate:
Couchbase Error Message | Description | Suggested User Action |
---|---|---|
| | This error can occur when your cluster is still using the self-generated certificate, and you are attempting to configure a node certificate. | Set up the cluster CA certificate before configuring the per-node certificate. |
| | Denotes an invalid certificate in the chain file when configuring Couchbase. | The chain file should contain a sequence of PEM (base64) encoded X.509 certificates ordered from leaf to and including the intermediate certificate authorities. |
| | | Make sure that you have copied an unencrypted version of the private key file to the inbox folder on the Couchbase node. |
| | | Make sure that you have copied an unencrypted version of the chain file to the inbox folder on the Couchbase node. |
| | The private key has an unsupported header. | Make sure that you use a valid private key file. |
| | The certificate doesn’t recognize the message signed with a private key. | Be sure that you use a complete key pair. |
| | The private key is encrypted. | Couchbase does not support encrypted keys. You should decrypt the private key with OpenSSL before loading the certificate in Couchbase. |
| | The private key is a chain of entries. | The private key file should contain a single key digest. |
| | The private key cannot be used. | Open the key file, and verify whether it is a valid private key. The certificate file should be readable using |
| | The file is missing or does not exist. | Add the missing file. |
| | You don’t have the proper permissions to read the file or to search its parent directories. | Change the permissions to allow you to read the file. |
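
A structural pre-check for several of the conditions in the tables above (empty file, more than one entry, encrypted content, unexpected header, whitespace around the BEGIN/END lines), as an added example that is not Couchbase code. The function name, the problem labels and the sample input are assumptions of this example; it does not parse the X.509 content, so validity dates and key-pair matching still need to be checked with openssl.

```python
import base64
import re

# Problem labels are this example's own, not Couchbase error messages.
BOUNDARY = re.compile(r"^-----(BEGIN|END) ([A-Z0-9 ]+)-----$")

# Constructed sample: placeholder base64 body, not a real certificate.
SAMPLE_OK = "-----BEGIN CERTIFICATE-----\nQUJDRA==\n-----END CERTIFICATE-----\n"

def check_pem(text, expected="CERTIFICATE", allow_multiple=False):
    """Return structural problems in PEM text; an empty list means none found."""
    if not text.strip():
        return ["empty"]
    problems, entries, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = BOUNDARY.match(line)
        if m and raw != line:
            problems.append("whitespace-around-boundary")
        if m and m.group(1) == "BEGIN":
            current = (m.group(2), [])
        elif m:  # END line: must close the entry that is currently open
            if current is None or current[0] != m.group(2):
                problems.append("unbalanced-boundary")
            else:
                entries.append(current)
            current = None
        elif current is not None and line:
            current[1].append(line)
    if current is not None:
        problems.append("unbalanced-boundary")
    if not entries:
        return problems + ["no-pem-entry"]
    if len(entries) > 1 and not allow_multiple:  # chain files may hold several
        problems.append("multiple-entries")
    for label, body in entries:
        # PKCS#8 uses an ENCRYPTED label; the traditional format a Proc-Type header.
        if "ENCRYPTED" in label or any(
                l.startswith("Proc-Type:") and "ENCRYPTED" in l for l in body):
            problems.append("encrypted")
            continue
        if label != expected:
            problems.append("unexpected-header:" + label)
        try:
            if not base64.b64decode("".join(body), validate=True):
                problems.append("empty-body")
        except ValueError:  # binascii.Error is a ValueError subclass
            problems.append("invalid-base64")
    return problems
```

Pass `allow_multiple=True` for a chain file, and set `expected` to the header the file is supposed to carry when checking a private key.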