We are currently using the 2.23.1 MongoDB .NET driver with AWS DocumentDB.
We are running the .NET application in a Linux environment and we are receiving a timeout when trying to connect to the database using TLS only.
Here is the error:
```
---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid because of errors in the certificate chain: PartialChain
System.TimeoutException: A timeout occurred after 30000ms selecting a server using CompositeServerSelector{ Selectors = ReadPreferenceServerSelector{ ReadPreference = { Mode : SecondaryPreferred } }, LatencyLimitingServerSelector{ AllowedLatencyRange = 00:00:00.0150000 }, OperationsCountServerSelector }. Client view of cluster state is { ClusterId : "1", ConnectionMode : "ReplicaSet", Type : "ReplicaSet", State : "Disconnected", Servers : [{ ServerId: "{ ClusterId : 1, EndPoint : "Unspecified/OMITTED:27017" }", EndPoint: "Unspecified/OMITTED:27017", ReasonChanged: "Heartbeat", State: "Disconnected", ServerVersion: , TopologyVersion: , Type: "Unknown", HeartbeatException: "MongoDB.Driver.MongoConnectionException: An exception occurred while opening a connection to the server.
```
We are adding the "global-bundle.pem" from AWS into the store using this:
```csharp
private static void AddCaToTrustStore()
{
    const string pathToCaFile = "/usr/local/share/ca-certificates/global-bundle.pem";

    // No StoreLocation is given, so this opens the CurrentUser Root store
    // (on Linux that is the per-user .NET store, not the system CA directory).
    var localTrustStore = new X509Store(StoreName.Root);

    // Loads the certificates contained in the PEM bundle.
    var certificateCollection = new X509Certificate2Collection();
    certificateCollection.Import(pathToCaFile);

    try
    {
        localTrustStore.Open(OpenFlags.ReadWrite);
        localTrustStore.AddRange(certificateCollection);
    }
    catch (Exception ex)
    {
        Console.WriteLine("Root certificate import failed: " + ex.Message);
        throw;
    }
    finally
    {
        localTrustStore.Close();
    }
}
```
And here is the Mongo settings part:
```csharp
var settings = MongoClientSettings.FromConnectionString(connectionString);
settings.RetryWrites = false;

if (settings.UseTls)
{
    AddCaToTrustStore();
    settings.SslSettings = new SslSettings
    {
        // ClientCertificates is the certificate the client presents for
        // mutual-TLS authentication; it is not used to validate the server's chain.
        ClientCertificates = new List<X509Certificate>
        {
            new X509Certificate2("/usr/local/share/ca-certificates/global-bundle.pem")
        },
        CheckCertificateRevocation = false
    };
}
```
In the connection string, we specify ?tls=true and attempted to add the tlsCAFile parameter without success, as it appears the .NET driver does not support this parameter.
Has anyone run into this issue and found a solution?
Thank you!
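An alternative worth trying, as an added example that is not part of the original post: instead of writing the bundle into the process's Root store, and instead of passing it as a client certificate (which the driver only uses for mutual-TLS client authentication), keep the AWS CA bundle in a custom trust store and validate the server chain against it in `SslSettings.ServerCertificateValidationCallback`. The file path, the class and method names, and the use of `ImportFromPemFile` (.NET 5 or later) are assumptions. The callback refuses any hostname mismatch and only re-evaluates chain errors, so it does not degrade into "accept any certificate".

```csharp
using System;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
using MongoDB.Driver;

// Added example, not from the original post or the MongoDB driver project.
static class DocumentDbTls
{
    // Assumed deployment path of the AWS CA bundle.
    private const string CaBundlePath = "/usr/local/share/ca-certificates/global-bundle.pem";

    public static MongoClientSettings Build(string connectionString)
    {
        var settings = MongoClientSettings.FromConnectionString(connectionString);
        settings.RetryWrites = false;
        if (!settings.UseTls)
        {
            return settings;
        }

        // Every certificate in the bundle (roots and intermediates) goes into one collection.
        var trustedCas = new X509Certificate2Collection();
        trustedCas.ImportFromPemFile(CaBundlePath); // .NET 5+; assumed available here

        settings.SslSettings = new SslSettings
        {
            CheckCertificateRevocation = false,
            // Replaces the default trust decision for this client only.
            ServerCertificateValidationCallback =
                (sender, cert, chain, errors) => ValidateServer(cert, chain, errors, trustedCas)
        };
        return settings;
    }

    private static bool ValidateServer(X509Certificate cert, X509Chain presentedChain,
                                       SslPolicyErrors errors, X509Certificate2Collection trustedCas)
    {
        if (cert == null)
        {
            return false;
        }

        // A hostname that does not match the certificate is never acceptable.
        if ((errors & SslPolicyErrors.RemoteCertificateNameMismatch) != 0)
        {
            return false;
        }

        if (errors == SslPolicyErrors.None)
        {
            return true;
        }

        // Re-build the chain, trusting only the roots from the AWS bundle.
        using var chain = new X509Chain();
        chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
        chain.ChainPolicy.CustomTrustStore.AddRange(trustedCas);
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;

        // Intermediates the server sent during the handshake help close a PartialChain.
        if (presentedChain != null)
        {
            foreach (var element in presentedChain.ChainElements)
            {
                chain.ChainPolicy.ExtraStore.Add(element.Certificate);
            }
        }

        using var leaf = new X509Certificate2(cert);
        return chain.Build(leaf);
    }
}
```

Usage: `var client = new MongoClient(DocumentDbTls.Build(connectionString));` with `tls=true` in the connection string. If `chain.Build` still returns false, the `chain.ChainStatus` entries name the failing link (an intermediate missing from the bundle and not sent by the server is the usual cause of PartialChain).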