Apache and CouchDB use same certificate

I have a VPS that’s personally managed and has WordPress installed. I was able to use tutorials to get Let’s Encrypt SSL enabled and all is working perfectly. However, now I’d like to add CouchDB to my server to develop and test self-written applications.

Is it possible to have the Apache web server and CouchDB use the same certificate (and file), or will I have to set up and use a separate certificate with the same domain specific to the CouchDB application?

Can’t mentally wrap my head around two certs with the same domain/host?

Hi,

Of course! The file is right there, you could use it in all programs that support it (if you think it's appropriate for you). There's no need to request another certificate for this matter.

However, please note that you might need to reload / restart CouchDB every time your certificate renews since it (normally) would not pick up the latest one automatically.

You could request a new certificate for CouchDB, but it's kind of a waste of your rate limit in my opinion.

Thank you

Doesn’t CouchDB support a feature like “reloading”? Most services do to reload the configuration file without downtime.

You are right…

I always get confused between reload & restart (although I use reload every time…)

It was an honest question, I don’t know CouchDB. A quick Google search lets me know CouchDB probably doesn’t support reloading… :open_mouth:

Emm… I don’t know that either…

Trying to edit my answer to make it appropriate…

Although it's not required, it's possible. Certificates in the web PKI make positive assertions, not negative assertions. So certificates that cover the same name don't contradict each other. A certificate says "this encryption key is OK to use for this name", rather than "this encryption key is the only key that's OK to use for this name".

Some cases where there are likely to be multiple certificates valid for the same name at the same time:

  • Load balancing and content-delivery networks, where there can be more than one server or device that answers requests for the same site

  • Different servers for the same site in different countries, which could be operated on separate infrastructure and have independent certificates

  • Ordinary certificate renewal, where the new certificate is issued before the old certificate expires; it doesn't invalidate the old one and both will be valid at once (and so this happens constantly when people follow Let's Encrypt's renewal guidelines and renew 30 days prior to expiry; during those 30 days, both the old certificate and the new certificate are valid at the same time)

Thanks all,

From what I can see, it looks like CouchDB does not support a reload. However, since it’s just for my own testing, I think I can edit the cron job that does the cert renewal and just have it restart CouchDB as part of that process. I can afford the short downtime of a stop-start operation.

My thanks to you all :slight_smile:
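
The restart-on-renewal idea from the last post, as an added example that is not part of the thread. It assumes certbot is the ACME client (the thread does not say which one is used); the destination directory, the `couchdb` user and the systemd unit name are also assumptions. It copies the renewed files to a directory CouchDB can read, since certbot's own directories are normally readable by root only, keeps the private key at mode 0600, and restarts CouchDB only when the files actually changed.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes certbot; the destination
# directory, the "couchdb" user and the systemd unit name are assumptions.

# install_if_changed SRC DST MODE
# Returns 0 if DST was (re)written, 1 if already identical, 2 on error.
install_if_changed() {
    _src=$1 _dst=$2 _mode=$3
    [ -r "$_src" ] || { echo "cannot read $_src" >&2; return 2; }
    if [ -f "$_dst" ] && cmp -s "$_src" "$_dst"; then
        return 1
    fi
    # mktemp creates the file 0600, so the key is never world-readable,
    # and mv replaces the old file in one step.
    _tmp=$(mktemp "$_dst.XXXXXX") || return 2
    chmod "$_mode" "$_tmp" && cat "$_src" > "$_tmp" && mv -f "$_tmp" "$_dst" \
        || { rm -f "$_tmp"; return 2; }
    return 0
}

# sync_couchdb_cert LINEAGE_DIR TARGET_DIR
# Returns 0 if a restart is needed, 1 if nothing changed, 2 on error.
sync_couchdb_cert() {
    _lineage=$1 _target=$2 _rc=1
    for _pair in fullchain.pem:0644 privkey.pem:0600; do
        _name=${_pair%%:*}
        if install_if_changed "$_lineage/$_name" "$_target/$_name" "${_pair##*:}"; then
            _rc=0
        else
            [ $? -eq 1 ] || return 2
        fi
    done
    return "$_rc"
}

# certbot sets RENEWED_LINEAGE only when it runs this file as a deploy hook.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    target=${COUCHDB_CERT_DIR:-/opt/couchdb/etc/cert}   # assumed location
    if sync_couchdb_cert "$RENEWED_LINEAGE" "$target"; then
        chown couchdb:couchdb "$target"/*.pem           # assumed user
        systemctl restart couchdb                       # assumed unit name
    fi
fi
```

Saved as an executable file under `/etc/letsencrypt/renewal-hooks/deploy/`, certbot runs it only after a successful renewal, so the existing cron job needs no change and CouchDB is not restarted on runs where nothing was renewed.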
