Compass connection error with self-signed cert

I have set up mongod to require TLS and I am using self-signed certificates. I can connect to the server with mongo shell, but Compass connection fails with the very same certificates, unless I set tlsAllowInvalidCertificates in Compass under Advanced Connection Options / TLS/SSL.

The Compass error message is “certificate signature failure”. Mongod logs have “stream truncated” errors (see below).

This seems like a Compass bug to me since the very same certificates work with mongo shell. Mongo shell does not require setting --tlsAllowInvalidCertificates.

Client

  • Win11 amd64
  • Compass 1.32.5
  • mongo shell v4.4.15 in WSL2 / Ubuntu 22.04.1

% mongo --version
MongoDB shell version v4.4.15
Build Info: {
    "version": "4.4.15",
    "gitVersion": "bc17cf2c788c5dda2801a090ea79da5ff7d5fac9",
    "openSSLVersion": "OpenSSL 1.1.1f  31 Mar 2020",
    "modules": [],
    "allocator": "tcmalloc",
    "environment": {
        "distmod": "ubuntu2004",
        "distarch": "x86_64",
        "target_arch": "x86_64"
    }
}

Server

  • Linux / Ubuntu 22.04.1 LTS amd64
  • Mongod v4.4.15

/etc/mongod.conf

# mongod.conf

# for documentation of all options, see:
#   http://docs.mongodb.org/manual/reference/configuration-options/

# Where and how to store data.
storage:
  dbPath: /var/lib/mongodb
  journal:
    enabled: true
  wiredTiger:
    engineConfig:
      cacheSizeGB: 2

# where to write logging data.
systemLog:
  destination: file
  logRotate: rename
  logAppend: false
  path: /var/log/mongodb/mongod.log
  verbosity: 2  # set for debugging
  quiet: true

# network interfaces
net:
  port: 27017
  bindIp: localhost,hostname.domain
  tls:
    mode: requireTLS
    certificateKeyFile: /etc/ssl/mongod.pem
    disabledProtocols: TLS1_0,TLS1_1
    CAFile: /etc/ssl/certs/CA.pem

# how the process runs
processManagement:
  timeZoneInfo: /usr/share/zoneinfo

security:
  authorization: enabled

setParameter:
  honorSystemUmask: true
  disableJavaScriptJIT: false

/var/log/mongodb/mongod.log

{"t":{"$date":"2022-08-01T19:45:31.320+03:00"},"s":"D2", "c":"NETWORK",  "id":22986,   "ctx":"conn4","msg":"Session from remote encountered a network error during SourceMessage","attr":{"remote":"192.168.3.11:61260","error":{"code":9001,"codeName":"SocketException","errmsg":"stream truncated"}}}
{"t":{"$date":"2022-08-01T19:45:31.849+03:00"},"s":"D2", "c":"NETWORK",  "id":22986,   "ctx":"conn5","msg":"Session from remote encountered a network error during SourceMessage","attr":{"remote":"192.168.3.11:61261","error":{"code":9001,"codeName":"SocketException","errmsg":"stream truncated"}}}
{"t":{"$date":"2022-08-01T19:45:32.383+03:00"},"s":"D2", "c":"NETWORK",  "id":22986,   "ctx":"conn6","msg":"Session from remote encountered a network error during SourceMessage","attr":{"remote":"192.168.3.11:61262","error":{"code":9001,"codeName":"SocketException","errmsg":"stream truncated"}}}
{"t":{"$date":"2022-08-01T19:45:32.923+03:00"},"s":"D2", "c":"NETWORK",  "id":22986,   "ctx":"conn7","msg":"Session from remote encountered a network error during SourceMessage","attr":{"remote":"192.168.3.11:61264","error":{"code":9001,"codeName":"SocketException","errmsg":"stream truncated"}}}
{"t":{"$date":"2022-08-01T19:45:33.458+03:00"},"s":"D2", "c":"NETWORK",  "id":22986,   "ctx":"conn8","msg":"Session from remote encountered a network error during SourceMessage","attr":{"remote":"192.168.3.11:61265","error":{"code":9001,"codeName":"SocketException","errmsg":"stream truncated"}}}