Certificate Error Handling

    +
    Specific errors can arise from use of X.509 certificates: these should be recognized and appropriately dealt with.

    Cluster Certificate Errors

    The following error messages may be encountered when configuring the cluster CA certificate. For examples of using the openssl command to generate and inspect certificates, see Configure Server Certificates.

    Couchbase Error Message Description Suggested User Action

    Certificate should not be empty

    The request body of the certificate is empty.

    Inspect the certificate file using the openssl command, and verify whether it is empty or not.

    Certificate is not valid at this time

    The certificate either has expired, or is not yet valid.

    Inspect the certificate file using the openssl command, and verify whether the certificate’s validity-dates (Not Before, and Not After) are currently valid, in correspondence with server-clock time.

    Malformed certificate

    The certificate contains incorrect content.

    Check the validity of the certificate, using openssl, and if necessary, create a new certificate.

    Only one certificate per request is allowed

    The file inappropriately contains more than one key or certificate.

    Inspect the certificate, and recreate if necessary.

    Invalid certificate type: ~s

    Appears when a header other than BEGIN CERTIFICATE has been found.

    Inspect the certificate, and verify its validity. Recreate the certificate if necessary

    Node Certificate Errors

    The following error messages may be encountered when configuring the node certificate:

    Couchbase Error Message Description Suggested User Action

    Cluster CA needs to be set before setting node certificate

    The cluster root certificate has not been established.

    Set up the cluster CA certificate; then continue by creating the node certificate.

    Incorrectly configured certificate chain

    Denotes an invalid certificate in the chain file.

    The chain file should contain a sequence of PEM (base64) encoded X.509 certificates, starting from the node certificate, and including all intermediate certificates that exist, in the order of signing.

    Unable to read private key file

    The private key cannot be read.

    Ensure that the private key for the node certificate has been copied to the inbox folder of the current node.

    Unable to read certificate chain file

    The chain file cannot be read.

    Ensure that the private key for the node certificate has been copied to the inbox folder of the current node.

    Invalid private key type

    The private key has an unsupported header.

    Make sure that a valid private key file has been created and copied to the inbox of the current node.

    Provided certificate doesn’t match provided private key

    The certificate does not recognize the message signed with a private key.

    Be sure that the mutually corresponding private key and chain file are being used.

    Provided private key contains incorrect number of entries

    The private key inappropriately contains more than one entry.

    The private key file should contain only a single entry.

    Malformed or unsupported private key format

    The private key cannot be used, due to an inappropriate format.

    Inspect the private key, verify whether it is valid; and recreate if necessary.

    File does not exist

    The file is missing, does not exist.

    Add the missing file.

    Missing permission for reading the file, or for searching one of the parent directories

    Current permissions do not permit the reading of the file or the searching of its parent directories.

    Change the permissions to permit reading and searching.

    Cannot validate certificate for <ip-address> because it doesn’t contain any IP SANs

    The node certificate does not contain the required IP-address Subject Alternative Name.

    Recreate the node certificate, specifying the appropriate Subject Alternative Name. See Configure Server Certificates.

    Certificate is valid for <ip-address-1>, not <ip-address-2>

    The node certificate contains an incorrect IP-address Subject Alternative Name.

    Recreate the node certificate, specifying the the correct IP-address Subject Alternative Name. See Configure Server Certificates.