Certificate Error Handling

Specific errors can arise from use of X.509 certificates: these should be recognized and appropriately dealt with.

Root Certificate Errors

The following error messages may be encountered when configuring a CA certificate. For examples of using the openssl command to generate and inspect certificates, see Configure Server Certificates.

Couchbase Error Message Description Suggested User Action

Couchbase Error Message	Description	Suggested User Action
`CA certificate for this chain is not found in the list of trusted CA’s`	The CA certificate used to sign the node certificate is not in the cluster’s trust store.	Copy the CA into the `inbox/CA` directory, then load all trusted CAs.
`Couldn’t load CA certificate from <pathname>/inbox/CA. The file does not exist.`	The CA certificate was not copied into the `inbox/CA` directory, before the attempt to load it was made.	Copy the CA certificate into the `inbox/CA` directory, then load the CA certificate.
`Certificate should not be empty`	The request body of the certificate is empty.	Inspect the certificate file using the `openssl` command, and verify whether it is empty or not.
`Certificate is not valid at this time`	The certificate either has expired, or is not yet valid.	Inspect the certificate file using the `openssl` command, and verify whether the certificate’s validity-dates (`Not Before`, and `Not After`) are currently valid, in correspondence with server-clock time.
`Malformed certificate`	The certificate contains incorrect content.	Check the validity of the certificate, using `openssl`, and if necessary, create a new certificate.
`Only one certificate per request is allowed`	The file inappropriately contains more than one key or certificate.	Inspect the certificate, and recreate if necessary.
`Invalid certificate type: ~s`	Appears when a header other than `BEGIN CERTIFICATE` has been found.	Inspect the certificate, and verify its validity. Recreate the certificate if necessary

CA certificate for this chain is not found in the list of trusted CA’s

The CA certificate used to sign the node certificate is not in the cluster’s trust store.

Copy the CA into the inbox/CA directory, then load all trusted CAs.

Couldn’t load CA certificate from <pathname>/inbox/CA. The file does not exist.

The CA certificate was not copied into the inbox/CA directory, before the attempt to load it was made.

Copy the CA certificate into the inbox/CA directory, then load the CA certificate.

Certificate should not be empty

The request body of the certificate is empty.

Inspect the certificate file using the openssl command, and verify whether it is empty or not.

Certificate is not valid at this time

The certificate either has expired, or is not yet valid.

Inspect the certificate file using the openssl command, and verify whether the certificate’s validity-dates (Not Before, and Not After) are currently valid, in correspondence with server-clock time.

Malformed certificate

The certificate contains incorrect content.

Check the validity of the certificate, using openssl, and if necessary, create a new certificate.

Only one certificate per request is allowed

The file inappropriately contains more than one key or certificate.

Inspect the certificate, and recreate if necessary.

Invalid certificate type: ~s

Appears when a header other than BEGIN CERTIFICATE has been found.

Inspect the certificate, and verify its validity. Recreate the certificate if necessary

Node Certificate Errors

The following error messages may be encountered when configuring and deploying the node certificate:

Couchbase Error Message Description Suggested User Action

Couchbase Error Message	Description	Suggested User Action
Unable to read private key file <pathname>/inbox/pkey.key. The file does not exist.`	The private key is not in the `inbox` directory.	Ensure that the private key for the node certificate has been copied to the `inbox` folder of the current node.
Unable to read private key file <pathname>/inbox/pkey.key. Missing permission for reading the file, or for searching one of the parent directories.`	The private key is in the `inbox` directory, but is not readable by user `couchbase`.	Ensure that the key is readable by user `couchbase`.
`Incorrectly configured certificate chain`	Denotes an invalid certificate in the chain file.	The chain file should contain a sequence of PEM (base64) encoded X.509 certificates, starting from the node certificate, and including all intermediate certificates that exist, in the order of signing.
`Invalid private key type`	The private key has an unsupported header.	Make sure that a valid private key file has been created and copied to the inbox of the current node.
`Provided certificate doesn’t match provided private key`	The certificate does not recognize the message signed with a private key.	Be sure that the mutually corresponding private key and chain file are being used.
`Provided private key contains incorrect number of entries`	The private key inappropriately contains more than one entry.	The private key file should contain only a single entry.
`Malformed or unsupported private key format`	The private key cannot be used, due to an inappropriate format.	Inspect the private key, verify whether it is valid; and recreate if necessary.
`File does not exist`	The file is missing, does not exist.	Add the missing file.
`Missing permission for reading the file, or for searching one of the parent directories`	Current permissions do not permit the reading of the file or the searching of its parent directories.	Change the permissions to permit reading and searching.
`Cannot validate certificate for <ip-address> because it doesn’t contain any IP SANs`	The node certificate does not contain the required IP-address Subject Alternative Name.	Recreate the node certificate, specifying the appropriate Subject Alternative Name. See Configure Server Certificates.
`Certificate is valid for <ip-address-1>, not <ip-address-2>`	The node certificate contains an incorrect IP-address Subject Alternative Name.	Recreate the node certificate, specifying the the correct IP-address Subject Alternative Name. See Configure Server Certificates.

Unable to read private key file <pathname>/inbox/pkey.key. The file does not exist.`

The private key is not in the inbox directory.

Ensure that the private key for the node certificate has been copied to the inbox folder of the current node.

Unable to read private key file <pathname>/inbox/pkey.key. Missing permission for reading the file, or for searching one of the parent directories.`

The private key is in the inbox directory, but is not readable by user couchbase.

Ensure that the key is readable by user couchbase.

Incorrectly configured certificate chain

Denotes an invalid certificate in the chain file.

The chain file should contain a sequence of PEM (base64) encoded X.509 certificates, starting from the node certificate, and including all intermediate certificates that exist, in the order of signing.

Invalid private key type

The private key has an unsupported header.

Make sure that a valid private key file has been created and copied to the inbox of the current node.

Provided certificate doesn’t match provided private key

The certificate does not recognize the message signed with a private key.

Be sure that the mutually corresponding private key and chain file are being used.

Provided private key contains incorrect number of entries

The private key inappropriately contains more than one entry.

The private key file should contain only a single entry.

Malformed or unsupported private key format

The private key cannot be used, due to an inappropriate format.

Inspect the private key, verify whether it is valid; and recreate if necessary.

File does not exist

The file is missing, does not exist.

Add the missing file.

Missing permission for reading the file, or for searching one of the parent directories

Current permissions do not permit the reading of the file or the searching of its parent directories.

Change the permissions to permit reading and searching.

Cannot validate certificate for <ip-address> because it doesn’t contain any IP SANs

The node certificate does not contain the required IP-address Subject Alternative Name.

Recreate the node certificate, specifying the appropriate Subject Alternative Name. See Configure Server Certificates.

Certificate is valid for <ip-address-1>, not <ip-address-2>

The node certificate contains an incorrect IP-address Subject Alternative Name.

Recreate the node certificate, specifying the the correct IP-address Subject Alternative Name. See Configure Server Certificates.