Apache and Couchdb use same certificate


#1

I have a VPS that’s personally managed and has WordPress installed. I was able to use tutorials to get Letsencrypt SSL enabled and all is working perfectly. However, now I’d like to add Couchdb to my server to develop and test self written applications.

Is it possible to have the Apache web server and Couchdb use the same certificate (and file), or will I have to setup and use a separate certificate with the same domain specific to the Couchdb application?

Can’t mentally wrap my head around two certs with the same domain/host?


#2

Hi,

Of course! The file is right there, you could use it in all programs that support it (if you think it’s appropriate for you). There’s no need to request another certificate for this matter.

However, please note that you might need to reload / restart the CouchDB everytime your certificate renews since it (normally) would not pick up the latest one automatically.

You could request a new certificate for CouchDB, but it’s kind of waste of your rate limit in my opinion.

Thank you


#3

Doesn’t CouchDB support a feature like “reloading”? Most services do to reload the configuration file without downtime.


#4

You are right…

I always get confused bt reload & restart (although i use reload everytime…)


#5

It was an honest question, I don’t know CouchDB. A quick Google search let’s me know CouchDB probably doesn’t support reloading… :open_mouth:


#6

Emm… I don’t know that either…

Trying to edit my answer to make it appropriate…


#7

Although it’s not required, it’s possible. Certificates in the web PKI make positive assertions, not negative assertions. So certificates that cover the same name don’t contradict each other. A certificate says “this encryption key is OK to use for this name”, rather than “this encryption key is the only key that’s OK to use for this name”.

Some cases where there are likely to be multiple certificates valid for the same name at the same time:

  • Load balancing and content-delivery networks, where there can be more than one server or device that answers requests for the same site

  • Different servers for the same site in different countries, which could be operated on separate infrastructure and have independent certificates

  • Ordinary certificate renewal, where the new certificate is issued before the old certificate expires; it doesn’t invalidate the old one and both will be valid at once (and so this happens constantly when people follow Let’s Encrypt’s renewal guidelines and renew 30 days prior to expiry; during those 30 days, both the old certificate and the new certificate are valid at the same time)


#8

Thanks all,

From what I can see, it looks like Couchdb does not support a reload. However, since it’s just for my own testing, I think I can edit the cron job that does the cert renewal and just have it restart Couchdb as part of that process. I can afford the short downtime of a stop-start operation.

My thanks to you all :slight_smile:


#9

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.