Certificate Error Handling
Specific errors can arise from use of X.509 certificates: these should be recognized and appropriately dealt with.
Root Certificate Errors
The following error messages may be encountered when configuring a CA certificate.
For examples of using the openssl command to generate and inspect certificates, see Configure Server Certificates.
| Couchbase Error Message | Description | Suggested User Action |
|---|---|---|
| | The CA certificate used to sign the node certificate is not in the cluster’s trust store. | Copy the CA into the |
| | The CA certificate was not copied into the | Copy the CA certificate into the |
| | The request body of the certificate is empty. | Inspect the certificate file using the |
| | The certificate either has expired, or is not yet valid. | Inspect the certificate file using the |
| | The certificate contains incorrect content. | Check the validity of the certificate, using |
| | The file inappropriately contains more than one key or certificate. | Inspect the certificate, and recreate if necessary. |
| | Appears when a header other than | Inspect the certificate, and verify its validity. Recreate the certificate if necessary. |
Node Certificate Errors
The following error messages may be encountered when configuring and deploying the node certificate:
| Couchbase Error Message | Description | Suggested User Action |
|---|---|---|
| | The private key is not in the | Ensure that the private key for the node certificate has been copied to the |
| | The private key is in the | Ensure that the key is readable by user |
| | Denotes an invalid certificate in the chain file. | The chain file should contain a sequence of PEM (base64) encoded X.509 certificates, starting from the node certificate, and including all intermediate certificates that exist, in the order of signing. |
| | The private key has an unsupported header. | Make sure that a valid private key file has been created and copied to the inbox of the current node. |
| | The certificate does not recognize the message signed with a private key. | Be sure that the mutually corresponding private key and chain file are being used. |
| | The private key inappropriately contains more than one entry. | The private key file should contain only a single entry. |
| | The private key cannot be used, due to an inappropriate format. | Inspect the private key, verify whether it is valid, and recreate it if necessary. |
| | The file is missing or does not exist. | Add the missing file. |
| | Current permissions do not permit the reading of the file or the searching of its parent directories. | Change the permissions to permit reading and searching. |
| | The node certificate does not contain the required IP-address Subject Alternative Name. | Recreate the node certificate, specifying the appropriate Subject Alternative Name. See Configure Server Certificates. |
| | The node certificate contains an incorrect IP-address Subject Alternative Name. | Recreate the node certificate, specifying the correct IP-address Subject Alternative Name. See Configure Server Certificates. |
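
Several of the problems in both tables above are structural (an empty body, an unexpected header, more than one entry, non-certificate data in the chain file) and can be caught before a file is handed to the server. The following is an added example, not Couchbase code: the function names, the finding names and the set of accepted PEM labels are assumptions, and the sample input is constructed rather than a real certificate.

```python
import base64
import binascii
import re

# Assumption: standard PEM labels; this page does not list the ones Couchbase accepts.
CERT_LABELS = {"CERTIFICATE"}
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.DOTALL)

def pem_blocks(text):
    """Return (label, decoded bytes or None) for each PEM entry in text."""
    blocks = []
    for label, body in PEM_BLOCK.findall(text):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except binascii.Error:
            der = None  # body is not valid base64
        blocks.append((label, der))
    return blocks

def lint(text, allowed, single_entry):
    """Return finding names (hypothetical, not Couchbase messages) for one file."""
    blocks = pem_blocks(text)
    if not blocks:
        return ["no_pem_entry"]
    findings = ["too_many_entries"] if single_entry and len(blocks) > 1 else []
    for label, der in blocks:
        if label not in allowed:
            findings.append("unexpected_header:" + label)
        elif der is None:
            findings.append("bad_base64")
        elif not der:
            findings.append("empty_body")
        elif der[0] != 0x30:  # DER certificates and keys begin with a SEQUENCE tag
            findings.append("not_der_sequence")
    return findings

def lint_ca(text):     # CA file: exactly one certificate
    return lint(text, CERT_LABELS, single_entry=True)

def lint_key(text):    # private key file: exactly one key entry
    return lint(text, KEY_LABELS, single_entry=True)

def lint_chain(text):  # chain file: one or more certificates, nothing else
    return lint(text, CERT_LABELS, single_entry=False)

def pem(label, der):
    """Build a PEM entry from raw bytes (used for the constructed samples)."""
    return f"-----BEGIN {label}-----\n{base64.encodebytes(der).decode()}-----END {label}-----\n"

SAMPLE_DER = bytes.fromhex("3003020100")  # constructed stand-in, not a real certificate
if __name__ == "__main__":
    print(lint_ca(pem("CERTIFICATE", SAMPLE_DER) * 2))       # two entries in a CA file
    print(lint_chain(pem("CERTIFICATE", SAMPLE_DER) + pem("RSA PRIVATE KEY", SAMPLE_DER)))
```

The check is structural only: validity dates, the signing order of the chain, key and certificate correspondence, and Subject Alternative Names still need to be inspected with openssl.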