This script sets up SSL for CouchDB on a Raspberry Pi, Debian or Ubuntu system.
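I added a password generator that uses openssl, so you can just copy and paste its output into the server key password prompt, unless you either don't trust openssl (which would defeat the purpose of using SSL) or can come up with a better password than a SHA-512 hash of random data. Note that the script strips this passphrase from server.key again right after generating it, so the key stored in /etc/couchdb/ssl is unencrypted and should be readable only by root and the account CouchDB runs as.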
#!/bin/bash
# this creates a self signed certificate for couchdb
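#######################################
# Create a self-signed certificate and RSA key for CouchDB under
# /etc/couchdb/ssl, print the [ssl] snippet to paste, and open
# /etc/couchdb/default.ini in nano at the [ssl] section.
#
# Security notes:
#   - The passphrase typed at the genrsa prompt is removed again by the
#     "openssl rsa" step, so server.key ends up UNENCRYPTED on disk. The file
#     mode is therefore restricted before the passphrase is stripped.
#   - The certificate is self-signed: clients must pin or explicitly trust it,
#     and it expires after 365 days.
# Globals:   none
# Arguments: none
# Outputs:   prompts and instructions on stdout, warnings on stderr
# Returns:   0 on success, 1 as soon as any step fails
#######################################
SetUpCouchDBSSL() {
  local ssl_dir=/etc/couchdb/ssl
  local ini=/etc/couchdb/default.ini
  local suggestion ssl_line enterkey

  mkdir -p "$ssl_dir" || return 1
  cd "$ssl_dir" || return 1

  # OpenSSL 1.x prints "(stdin)= <hex>", OpenSSL 3.x prints
  # "SHA2-512(stdin)= <hex>"; strip everything up to "= " so only the hex
  # digest is shown whichever version is installed.
  suggestion=$(openssl rand -base64 4096 | openssl dgst -sha512 | sed 's/^.*= //')
  [[ -n "$suggestion" ]] || return 1
  echo "Here is a secure password you can use - ${suggestion}"
  suggestion=""

  openssl genrsa -des3 -out server.key 2048 || return 1

  # Lock the file down while it is still encrypted, so the plaintext key
  # written by the next step is never readable by other local users.
  chmod 600 server.key || return 1

  # Removes the passphrase in place; from here on server.key is plaintext.
  openssl rsa -in server.key -out server.key || return 1

  openssl req -new -key server.key -out server.csr || return 1

  # -sha256 is explicit because older OpenSSL releases may default to a
  # weaker signature digest.
  openssl x509 -req -sha256 -days 365 -in server.csr -signkey server.key \
    -out server.crt || return 1

  # NOTE(review): assumes the service account is named "couchdb", as created
  # by the Debian/Ubuntu package; confirm for other installs.
  if id -u couchdb >/dev/null 2>&1; then
    chown couchdb server.key || return 1
  else
    echo "warning: no 'couchdb' account found; ${ssl_dir}/server.key is mode 600 and owned by $(id -un). Make it readable by the account CouchDB runs as, and by nobody else." >&2
  fi

  echo '
-----------------------------------------------------------
Copy this snippet to add it to /etc/couchdb/default.ini
this will tell couchdb where to look in order to use ssl
-----------------------------------------------------------
[ssl]
cert_file = /etc/couchdb/ssl/server.crt
key_file = /etc/couchdb/ssl/server.key
port = 6984
-----------------------------------------------------------
Press [enter] once you have it coppied.
' || return 1

  read -r enterkey || return 1

  # Jump to the first line containing "[ssl]". -F matches it literally and
  # -m1 guarantees at most one line number, so nano never receives stray
  # arguments when the marker occurs several times or carries a comment.
  ssl_line=$(grep -n -m1 -F -- '[ssl]' "$ini" | cut -d: -f1)
  if [[ -n "$ssl_line" ]]; then
    nano "+${ssl_line}" "$ini" || return 1
  else
    # No [ssl] section found (or the file is missing): open at the top.
    nano "$ini" || return 1
  fi

  echo 'The system will need to reboot in order to finish.'
}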
# Entry point: writing under /etc/couchdb requires root, so refuse to run as
# any other user; 'done' is printed only when every setup step succeeded.
if (( EUID != 0 )); then
  echo "This script must be run as root" >&2
  exit 1
fi
SetUpCouchDBSSL && echo 'done'