4.6. TLS Erlang Distribution

The main purpose is specifically to allow using TLS for Erlang distribution between nodes, with the ability to connect to some nodes using TCP as well. TLS distribution will enhance data security during data migration between nodes.

This section describes how to enable TLS distribution for additional verification and security.

Reference: Using TLS for Erlang Distribution

4.6.1. Generate Certificate

For TLS to work properly, at least one public key and one certificate must be specified. In the following example (couch_ssl_dist.conf), the PEM file contains the certificate and its private key.

  [{certfile, "</path/to/erlserver.pem>"},
   {secure_renegotiate, true}]},
  [{secure_renegotiate, true}]}].

The following command is an example of generating a certificate (PEM) file.

$ openssl req -newkey rsa:2048 -new -nodes -x509 -days 3650 -keyout key.pem -out cert.pem
$ cat key.pem cert.pem > erlserver.pem && rm key.pem cert.pem


This is not an endorsement of a specific expiration limit, key size or algorithm.

4.6.2. Config Settings

To enable TLS distribution, make sure to set custom parameters in vm.args.

# Don't forget to override the paths to point to your cert and conf file!

-proto_dist couch
-couch_dist no_tls \"clouseau@\"
-ssl_dist_optfile <path/to/couch_ssl_dist.conf>


  • The default value of no_tls is false. If the user does not set any no_tls flag, all nodes will use TCP.
  • To ensure “search” works, make sure to set no_tls option for the clouseau node. By default, this will be "clouseau@".

The no_tls flag can have these values:

  1. Use TLS only, set to false (default value), such as:

    -couch_dist no_tls false
  2. Use TCP only, set to true, such as:

    -couch_dist no_tls true
  3. Specify some nodes to use TCP, others to use TLS, such as:

    # Specify node1 and node2 to use TCP, others use TLS
    -couch_dist no_tls \"node1@\"
    -couch_dist no_tls \"node2@\"
    # Any nodes end with "@" will use TCP, others use TLS
    -couch_dist no_tls \"*@\"


    Asterisk(*): matches a sequence of zero or more occurrences of the regular expression.

    Question mark(?): matches zero or one occurrences of the regular expression.

4.6.3. Connect to Remsh

Start Erlang using a remote shell connected to Node.

  • If the node uses TCP:

    $ ./remsh
  • If the node uses TLS:

    $ ./remsh -t <path/to/couch_ssl_dist.conf>