AWS DocumentDB TLS in .net environment

We are currently using 2.23.1 mongodb .net driver with an AWS documentdb.
We are running the .net application in a linux environment and we are receiving timeout trying to connect to the database using TLS only.

Here is the error :

—> System.Security.Authentication.AuthenticationException: The remote certificate is invalid because of errors in the certificate chain: PartialChain

System.TimeoutException: A timeout occurred after 30000ms selecting a server using CompositeServerSelector{ Selectors = ReadPreferenceServerSelector{ ReadPreference = { Mode : SecondaryPreferred } }, LatencyLimitingServerSelector{ AllowedLatencyRange = 00:00:00.0150000 }, OperationsCountServerSelector }. Client view of cluster state is { ClusterId : “1”, ConnectionMode : “ReplicaSet”, Type : “ReplicaSet”, State : “Disconnected”, Servers : [{ ServerId: “{ ClusterId : 1, EndPoint : “Unspecified/OMITTED:27017” }”, EndPoint: “Unspecified/OMITTED:27017”, ReasonChanged: “Heartbeat”, State: “Disconnected”, ServerVersion: , TopologyVersion: , Type: “Unknown”, HeartbeatException: "MongoDB.Driver.MongoConnectionException: An exception occurred while opening a connection to the server.

We are adding the “global-bundle.pem” from AWS into store using this

private static void AddCaToTrustStore()
{
const string pathToCaFile = “/usr/local/share/ca-certificates/global-bundle.pem”;

    var localTrustStore = new X509Store(StoreName.Root);

    var certificateCollection = new X509Certificate2Collection();
    certificateCollection.Import(pathToCaFile);
    try
    {
        localTrustStore.Open(OpenFlags.ReadWrite);
        localTrustStore.AddRange(certificateCollection);
    }
    catch (Exception ex)
    {
        Console.WriteLine("Root certificate import failed: " + ex.Message);
        throw;
    }
    finally
    {
        localTrustStore.Close();
    }
}

And here is the mongo setting part

var settings = MongoClientSettings.FromConnectionString(connectionString);

    settings.RetryWrites = false;

    if (settings.UseTls)
    {
        AddCaToTrustStore();
        settings.SslSettings = new SslSettings {
            ClientCertificates = new List<X509Certificate> {
                new X509Certificate2("/usr/local/share/ca-certificates/global-bundle.pem")
            },
            CheckCertificateRevocation = false
        };
    }

In the connection string, we specify ?tls=true and attempt to add the tlsCAFile parameter without success, as it appears the .NET driver does not support this parameter.

Did someone run into this issue and find a solution?

Thank you!

Hi, @pierre-luc_des,

Microsoft introduced support for PEM files in .NET 5. The .NET/C# Driver currently supports .NET Standard 2.1 (used by .NET Core 3.X), .NET 6, and .NET Framework 4.7.2+. We could support it in our .NET 6 target, but have not done this work yet. You can follow and vote on CSHARP-4336.

Even with support for PEM files, Microsoft’s SslStream class does not support user-supplied CAs. It is for this reason that the .NET/C# Driver ignores tlsCAFile. You can supply a client x.509 certificate but you cannot supply an alternate CA cert. You have to install the CA as a trusted root CA for your operating system.

MongoDB Atlas uses x.509 certificates issued by Let’s Encrypt and Google Trust Services and most application environments already trust these CAs. AWS DocumentDB is not a MongoDB-supported product and you will have to contact Amazon Support for recommendations on how to install the needed CA into your trust store.

Sincerely,
James