A newer version of this documentation is available.

Certificate Error Handling

March 16, 2025

+ 12

Specific errors can arise from use of X.509 certificates: these should be recognized and appropriately dealt with.

Cluster Certificate Errors

The following error messages may be encountered when configuring the cluster CA certificate. For examples of using the openssl command to generate and inspect certificates, see Configure Server Certificates.

Couchbase Error Message Description Suggested User Action

Couchbase Error Message	Description	Suggested User Action
`Certificate should not be empty`	The request body of the certificate is empty.	Inspect the certificate file using the `openssl` command, and verify whether it is empty or not.
`Certificate is not valid at this time`	The certificate either has expired, or is not yet valid.	Inspect the certificate file using the `openssl` command, and verify whether the certificate’s validity-dates (`Not Before`, and `Not After`) are currently valid, in correspondence with server-clock time.
`Malformed certificate`	The certificate contains incorrect content.	Check the validity of the certificate, using `openssl`, and if necessary, create a new certificate.
`Only one certificate per request is allowed`	The file inappropriately contains more than one key or certificate.	Inspect the certificate, and recreate if necessary.
`Invalid certificate type: ~s`	Appears when a header other than `BEGIN CERTIFICATE` has been found.	Inspect the certificate, and verify its validity. Recreate the certificate if necessary

Certificate should not be empty

The request body of the certificate is empty.

Inspect the certificate file using the openssl command, and verify whether it is empty or not.

Certificate is not valid at this time

The certificate either has expired, or is not yet valid.

Inspect the certificate file using the openssl command, and verify whether the certificate’s validity-dates (Not Before, and Not After) are currently valid, in correspondence with server-clock time.

Malformed certificate

The certificate contains incorrect content.

Check the validity of the certificate, using openssl, and if necessary, create a new certificate.

Only one certificate per request is allowed

The file inappropriately contains more than one key or certificate.

Inspect the certificate, and recreate if necessary.

Invalid certificate type: ~s

Appears when a header other than BEGIN CERTIFICATE has been found.

Inspect the certificate, and verify its validity. Recreate the certificate if necessary

Node Certificate Errors

The following error messages may be encountered when configuring the node certificate:

Couchbase Error Message Description Suggested User Action

Couchbase Error Message	Description	Suggested User Action
`Cluster CA needs to be set before setting node certificate`	The cluster root certificate has not been established.	Set up the cluster CA certificate; then continue by creating the node certificate.
`Incorrectly configured certificate chain`	Denotes an invalid certificate in the chain file.	The chain file should contain a sequence of PEM (base64) encoded X.509 certificates, starting from the node certificate, and including all intermediate certificates that exist, in the order of signing.
`Unable to read private key file`	The private key cannot be read.	Ensure that the private key for the node certificate has been copied to the inbox folder of the current node.
`Unable to read certificate chain file`	The chain file cannot be read.	Ensure that the private key for the node certificate has been copied to the inbox folder of the current node.
`Invalid private key type`	The private key has an unsupported header.	Make sure that a valid private key file has been created and copied to the inbox of the current node.
`Provided certificate doesn’t match provided private key`	The certificate does not recognize the message signed with a private key.	Be sure that the mutually corresponding private key and chain file are being used.
`Provided private key contains incorrect number of entries`	The private key inappropriately contains more than one entry.	The private key file should contain only a single entry.
`Malformed or unsupported private key format`	The private key cannot be used, due to an inappropriate format.	Inspect the private key, verify whether it is valid; and recreate if necessary.
`File does not exist`	The file is missing, does not exist.	Add the missing file.
`Missing permission for reading the file, or for searching one of the parent directories`	Current permissions do not permit the reading of the file or the searching of its parent directories.	Change the permissions to permit reading and searching.
`Cannot validate certificate for <ip-address> because it doesn’t contain any IP SANs`	The node certificate does not contain the required IP-address Subject Alternative Name.	Recreate the node certificate, specifying the appropriate Subject Alternative Name. See Configure Server Certificates.
`Certificate is valid for <ip-address-1>, not <ip-address-2>`	The node certificate contains an incorrect IP-address Subject Alternative Name.	Recreate the node certificate, specifying the the correct IP-address Subject Alternative Name. See Configure Server Certificates.

Cluster CA needs to be set before setting node certificate

The cluster root certificate has not been established.

Set up the cluster CA certificate; then continue by creating the node certificate.

Incorrectly configured certificate chain

Denotes an invalid certificate in the chain file.

The chain file should contain a sequence of PEM (base64) encoded X.509 certificates, starting from the node certificate, and including all intermediate certificates that exist, in the order of signing.

Unable to read private key file

The private key cannot be read.

Ensure that the private key for the node certificate has been copied to the inbox folder of the current node.

Unable to read certificate chain file

The chain file cannot be read.

Ensure that the private key for the node certificate has been copied to the inbox folder of the current node.

Invalid private key type

The private key has an unsupported header.

Make sure that a valid private key file has been created and copied to the inbox of the current node.

Provided certificate doesn’t match provided private key

The certificate does not recognize the message signed with a private key.

Be sure that the mutually corresponding private key and chain file are being used.

Provided private key contains incorrect number of entries

The private key inappropriately contains more than one entry.

The private key file should contain only a single entry.

Malformed or unsupported private key format

The private key cannot be used, due to an inappropriate format.

Inspect the private key, verify whether it is valid; and recreate if necessary.

File does not exist

The file is missing, does not exist.

Add the missing file.

Missing permission for reading the file, or for searching one of the parent directories

Current permissions do not permit the reading of the file or the searching of its parent directories.

Change the permissions to permit reading and searching.

Cannot validate certificate for <ip-address> because it doesn’t contain any IP SANs

The node certificate does not contain the required IP-address Subject Alternative Name.

Recreate the node certificate, specifying the appropriate Subject Alternative Name. See Configure Server Certificates.

Certificate is valid for <ip-address-1>, not <ip-address-2>

The node certificate contains an incorrect IP-address Subject Alternative Name.

Recreate the node certificate, specifying the the correct IP-address Subject Alternative Name. See Configure Server Certificates.