Certificate Error Handling

    +
    Specific errors can arise from use of X.509 certificates: these should be recognized and appropriately dealt with.

    Root Certificate Errors

    The following error messages may be encountered when configuring a CA certificate. For examples of using the openssl command to generate and inspect certificates, see Configure Server Certificates.

    Couchbase Error Message Description Suggested User Action

    CA certificate for this chain is not found in the list of trusted CA’s

    The CA certificate used to sign the node certificate is not in the cluster’s trust store.

    Copy the CA into the inbox/CA directory, then load all trusted CAs.

    Couldn’t load CA certificate from <pathname>/inbox/CA. The file does not exist.

    The CA certificate was not copied into the inbox/CA directory, before the attempt to load it was made.

    Copy the CA certificate into the inbox/CA directory, then load the CA certificate.

    Certificate should not be empty

    The request body of the certificate is empty.

    Inspect the certificate file using the openssl command, and verify whether it is empty or not.

    Certificate is not valid at this time

    The certificate either has expired, or is not yet valid.

    Inspect the certificate file using the openssl command, and verify whether the certificate’s validity-dates (Not Before, and Not After) are currently valid, in correspondence with server-clock time.

    Malformed certificate

    The certificate contains incorrect content.

    Check the validity of the certificate, using openssl, and if necessary, create a new certificate.

    Only one certificate per request is allowed

    The file inappropriately contains more than one key or certificate.

    Inspect the certificate, and recreate if necessary.

    Invalid certificate type: ~s

    Appears when a header other than BEGIN CERTIFICATE has been found.

    Inspect the certificate, and verify its validity. Recreate the certificate if necessary

    Node Certificate Errors

    The following error messages may be encountered when configuring and deploying the node certificate:

    Couchbase Error Message Description Suggested User Action

    Unable to read private key file <pathname>/inbox/pkey.key. The file does not exist.`

    The private key is not in the inbox directory.

    Ensure that the private key for the node certificate has been copied to the inbox folder of the current node.

    Unable to read private key file <pathname>/inbox/pkey.key. Missing permission for reading the file, or for searching one of the parent directories.`

    The private key is in the inbox directory, but is not readable by user couchbase.

    Ensure that the key is readable by user couchbase.

    Incorrectly configured certificate chain

    Denotes an invalid certificate in the chain file.

    The chain file should contain a sequence of PEM (base64) encoded X.509 certificates, starting from the node certificate, and including all intermediate certificates that exist, in the order of signing.

    Invalid private key type

    The private key has an unsupported header.

    Make sure that a valid private key file has been created and copied to the inbox of the current node.

    Provided certificate doesn’t match provided private key

    The certificate does not recognize the message signed with a private key.

    Be sure that the mutually corresponding private key and chain file are being used.

    Provided private key contains incorrect number of entries

    The private key inappropriately contains more than one entry.

    The private key file should contain only a single entry.

    Malformed or unsupported private key format

    The private key cannot be used, due to an inappropriate format.

    Inspect the private key, verify whether it is valid; and recreate if necessary.

    File does not exist

    The file is missing, does not exist.

    Add the missing file.

    Missing permission for reading the file, or for searching one of the parent directories

    Current permissions do not permit the reading of the file or the searching of its parent directories.

    Change the permissions to permit reading and searching.

    Cannot validate certificate for <ip-address> because it doesn’t contain any IP SANs

    The node certificate does not contain the required IP-address Subject Alternative Name.

    Recreate the node certificate, specifying the appropriate Subject Alternative Name. See Configure Server Certificates.

    Certificate is valid for <ip-address-1>, not <ip-address-2>

    The node certificate contains an incorrect IP-address Subject Alternative Name.

    Recreate the node certificate, specifying the the correct IP-address Subject Alternative Name. See Configure Server Certificates.