LiteServ With SSL

snej edited this page Dec 10, 2014 · 3 revisions

It's now possible to run LiteServ as an SSL server. You can either use an official SSL cert from a certificate authority, or (in Couchbase Lite 1.04+) just tell LiteServ to make up a self-signed cert on its own.

Using An Official Certificate

(If you just want to have LiteServ make a self-signed certificate, skip down to the Run LiteServ section.)

Get The Certificate

The details of this depend on the certificate authority you use. Follow their directions to apply for and download your certificate. (For example, you might use Comodo.)

It's also possible to use the Keychain Access app to generate your own self-signed certificate without a CA.

Import The Certificate

The cert is probably in the form of an encrypted ".p12" file.

  1. Double-click the ".p12" file, or otherwise open it with the Keychain Access app.
  2. Enter the file's passphrase to let Keychain Access open it.
  3. Agree to import the cert.

Name The Certificate In The Keychain

You'll need to assign the cert a name, to identify it to LiteServ.

  1. Back in Keychain Access, select "My Certificates" from the "Category" list in the left column. (If the left column isn't showing, press the button at the lower left of the window to show it.)
  2. Select the certificate with the name you just entered. It'll have a gold-bordered icon.
  3. Right-click it and choose "New Identity Preference..." from the context menu.
  4. Enter the same name as the cert's name.

Run LiteServ

To run with an official certificate, add the command-line arguments --sslid and the identity pref name, e.g.:

./LiteServ --sslid jens.local

(In version 1.0.3 or earlier, the flag is named --ssl.)

To run with an automatically generated anonymous self-signed certificate, just add the argument --ssl:

./LiteServ --ssl

Connecting Over SSL

Just use the same URL but change the protocol to "https", e.g. https://jens.local:59840/.

Disabling Verification For Self-Signed Certificates

An SSL client will normally refuse to accept a self-signed certificate, because it can't verify its identity. The easiest way around this is to disable cert verification. This does negate some of the benefits of SSL -- you still have encryption, but lose the assurance that the client is connecting to the server it intended to.

How you disable verification depends on the API or tool you're using. For example, with curl you use the --insecure flag:

curl --insecure https://jens.local:59840/
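
As an alternative to turning verification off entirely, a client can accept only the one certificate it expects, which keeps the assurance about which server it is talking to. The following Python is an added example, not part of the original page or of LiteServ; the function names are hypothetical, and it assumes you have copied the certificate's SHA-256 fingerprint from the server machine over a channel you trust.

```python
import hashlib
import hmac
import socket
import ssl


def normalize_fingerprint(text: str) -> str:
    """Accept 'AB:CD:..', 'ab cd ..' or plain hex; return lowercase hex."""
    cleaned = text.replace(":", "").replace(" ", "").strip().lower()
    if len(cleaned) != 64 or any(c not in "0123456789abcdef" for c in cleaned):
        raise ValueError("expected a SHA-256 fingerprint (64 hex digits)")
    return cleaned


def cert_matches_pin(der_cert: bytes, pinned_fingerprint: str) -> bool:
    """True only if SHA-256 of the DER certificate equals the pinned value."""
    actual = hashlib.sha256(der_cert).hexdigest()
    return hmac.compare_digest(actual, normalize_fingerprint(pinned_fingerprint))


def get_pinned(host: str, port: int, pinned_fingerprint: str, path: str = "/") -> bytes:
    """HTTPS GET that accepts exactly one certificate: the pinned one."""
    pin = normalize_fingerprint(pinned_fingerprint)  # fail early on a bad pin
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # A self-signed cert has no CA chain to validate, so the default checks are
    # switched off and replaced by the exact-certificate check below.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            if not der or not cert_matches_pin(der, pin):
                raise ssl.SSLError("server certificate does not match the pin")
            request = f"GET {path} HTTP/1.0\r\nHost: {host}:{port}\r\n\r\n"
            tls.sendall(request.encode("ascii"))
            chunks = []
            while True:
                data = tls.recv(4096)
                if not data:
                    break
                chunks.append(data)
    return b"".join(chunks)


if __name__ == "__main__":
    # Constructed placeholder pin; replace with the fingerprint read on the server.
    PIN = "00" * 32
    print(get_pinned("jens.local", 59840, PIN)[:200])
```

The request is sent only after the fingerprint check passes, so a server presenting any other certificate never receives data from the client.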