CSFLE issues in enterprise version (PHP)

Hey everyone,

I have some problems with CSFLE Automatic Encryption and Decryption (I was using this PHP code as a reference - Client-Side Encryption — PHP Library Manual 1.10-dev, and some tests were done with it). Anyway, the problem is that I’m getting:

MongoDB\Driver\Exception\BulkWriteException : Bulk write failed due to previous MongoDB\Driver\Exception\RuntimeException: key vault error: Invalid reply to find command.:

system architecture:
- php node
- mongo node

On the PHP (version 7.4) node, mongocryptd was installed, and nothing related to configuration or code was changed. Installation in the Dockerfile was done like this:

RUN wget -qO - mongodb.org/static/pgp/server-4.2.asc | apt-key add -

RUN echo "deb http://repo.mongodb.com/apt/debian stretch/mongodb-enterprise/4.2 main" | tee /etc/apt/sources.list.d/mongodb-enterprise.list

RUN apt-get update

RUN apt-get install --no-install-recommends -y mongodb-enterprise-cryptd

I have tested two different ways:

  1. Official mongo image - Docker Hub (as I understand, it is not the enterprise version)

docker-compose.yaml:

version: '3'
services:

  #PHP Service
  php:
    image: local-base-php
    container_name: app
    restart: unless-stopped
    tty: true
    ports:
      - "27017:27017"
    environment:
      SERVICE_NAME: app
      SERVICE_TAGS: dev
    working_dir: /var/www
    volumes:
      - ./:/var/www/projects
      - ./php/local.ini:/usr/local/etc/php/conf.d/local.ini

  #MongoDB Service
  mongodb:
    image: mongo:4.2
    container_name: mongodb
    restart: unless-stopped
    tty: true
    environment:
      MONGO_INITDB_DATABASE: xxx
      MONGO_INITDB_USERNAME: xxx
      MONGO_INITDB_PASSWORD: xxx
    network_mode: service:php

The script (https://docs.mongodb.com/php-library/current/tutorial/client-side-encryption) which I mentioned before worked perfectly. It encrypts and decrypts, no issues.

  2. Mongo enterprise version installation - https://docs.mongodb.com/manual/tutorial/install-mongodb-enterprise-with-docker/#download-the-docker-build-files-for-mongodb-enterprise

docker-compose.yaml:

version: '3'
services:

  #PHP Service
  php:
    image: local-base-php
    container_name: app
    restart: unless-stopped
    tty: true
    ports:
      - "27017:27017"
    environment:
      SERVICE_NAME: app
      SERVICE_TAGS: dev
    working_dir: /var/www
    volumes:
      - ./:/var/www/projects
      - ./php/local.ini:/usr/local/etc/php/conf.d/local.ini

  #MongoDB Service
  mongodb:
    image: local-mongo-db
    container_name: mongodb
    restart: unless-stopped
    tty: true
    environment:
      MONGO_INITDB_DATABASE: xxx
      MONGO_INITDB_USERNAME: xxx
      MONGO_INITDB_PASSWORD: xxx
    network_mode: service:php

When I run the script, it starts throwing: MongoDB\Driver\Exception\BulkWriteException : Bulk write failed due to previous MongoDB\Driver\Exception\RuntimeException: key vault error: Invalid reply to find command.:

I tried to trace the place where it breaks, but unsuccessfully:

string(125) "Bulk write failed due to previous MongoDB\Driver\Exception\RuntimeException: key vault error: Invalid reply to find command.:"
string(98) "/var/www/xxx/releases/0.2.8/vendor/mongodb/mongodb/src/Operation/InsertOne.php"
int(134)
string(489) "#0 /var/www/xxx/releases/0.2.8/vendor/mongodb/mongodb/src/Operation/InsertOne.php(134): MongoDB\Driver\Server->executeBulkWrite('xxx', Object(MongoDB\Driver\BulkWrite), Array)
#1 /var/www/xxx/releases/0.2.8/vendor/mongodb/mongodb/src/Collection.php(931): MongoDB\Operation\InsertOne->execute(Object(MongoDB\Driver\Server))
#2 /var/www/xxx/releases/0.2.8/test.php(90): MongoDB\Collection->insertOne(Array)
#3 {main}"

From the mongocryptd logfile I don’t get much information either:

xxx@xxx:~# cat /var/log/mongocryptd/mongocryptd.log
2021-09-08T13:45:57.682+0000 I CONTROL [initandlisten] MongoCryptD starting : pid=7499 port=27020 socketFile=/tmp/mongocryptd.sock 64-bit host=xxx
2021-09-08T13:45:57.682+0000 I CONTROL [initandlisten] db version v4.2.15
2021-09-08T13:45:57.682+0000 I CONTROL [initandlisten] git version: d7fd78dead621a539c20791a93abec34bb1be385
2021-09-08T13:45:57.682+0000 I CONTROL [initandlisten] OpenSSL version: OpenSSL 1.1.1i 8 Dec 2020
2021-09-08T13:45:57.682+0000 I CONTROL [initandlisten] allocator: tcmalloc
2021-09-08T13:45:57.682+0000 I CONTROL [initandlisten] modules: enterprise
2021-09-08T13:45:57.682+0000 I CONTROL [initandlisten] build environment:
2021-09-08T13:45:57.682+0000 I CONTROL [initandlisten]   distmod: debian92
2021-09-08T13:45:57.682+0000 I CONTROL [initandlisten]   distarch: x86_64
2021-09-08T13:45:57.682+0000 I CONTROL [initandlisten]   target_arch: x86_64
2021-09-08T13:45:57.682+0000 I CONTROL [initandlisten] options: { processManagement: { pidFilePath: "/var/www/xxx/current/mongocryptd.pid" }, systemLog: { destination: "file", path: "/var/log/mongocryptd/mongocryptd.log" } } // p.s. /current folder is a symlink to /release folder
2021-09-08T13:45:57.682+0000 I CONTROL [initandlisten] Using lock file: /var/www/xxx/current/mongocryptd.pid
2021-09-08T13:45:57.685+0000 I NETWORK [listener] Listening on /tmp/mongocryptd.sock
2021-09-08T13:45:57.685+0000 I NETWORK [listener] Listening on 127.0.0.1
2021-09-08T13:45:57.685+0000 I NETWORK [listener] waiting for connections on port 27020
2021-09-08T13:46:41.809+0000 I NETWORK [listener] connection accepted from 127.0.0.1:26698 #1 (1 connection now open)
2021-09-08T13:46:41.813+0000 I NETWORK [conn1] end connection 127.0.0.1:26698 (0 connections now open)
2021-09-08T14:18:25.994+0000 I NETWORK [listener] connection accepted from 127.0.0.1:41822 #2 (1 connection now open)
2021-09-08T14:18:25.998+0000 I NETWORK [conn2] end connection 127.0.0.1:41822 (0 connections now open)
2021-09-08T14:27:32.623+0000 I NETWORK [listener] connection accepted from 127.0.0.1:46194 #3 (1 connection now open)
2021-09-08T16:27:32.734+0000 I NETWORK [conn3] end connection 127.0.0.1:46194 (0 connections now open)
2021-09-09T05:42:29.282+0000 I NETWORK [listener] connection accepted from 127.0.0.1:37876 #4 (1 connection now open)
2021-09-09T05:42:29.286+0000 I NETWORK [conn4] end connection 127.0.0.1:37876 (0 connections now open)
2021-09-09T08:03:31.271+0000 I NETWORK [listener] connection accepted from 127.0.0.1:41604 #5 (1 connection now open)
2021-09-09T08:04:07.514+0000 I NETWORK [conn5] end connection 127.0.0.1:41604 (0 connections now open)
2021-09-09T08:04:07.515+0000 I NETWORK [listener] connection accepted from 127.0.0.1:41900 #6 (1 connection now open)
2021-09-09T08:10:43.841+0000 I NETWORK [conn6] end connection 127.0.0.1:41900 (0 connections now open)
2021-09-09T08:10:43.841+0000 I NETWORK [listener] connection accepted from 127.0.0.1:45056 #7 (1 connection now open)
2021-09-09T08:11:09.059+0000 I NETWORK [conn7] end connection 127.0.0.1:45056 (0 connections now open)
2021-09-09T08:11:09.060+0000 I NETWORK [listener] connection accepted from 127.0.0.1:45262 #8 (1 connection now open)
2021-09-09T08:11:51.148+0000 I NETWORK [conn8] end connection 127.0.0.1:45262 (0 connections now open)
2021-09-09T08:11:51.148+0000 I NETWORK [listener] connection accepted from 127.0.0.1:45600 #9 (1 connection now open)
2021-09-09T08:12:05.937+0000 I NETWORK [conn9] end connection 127.0.0.1:45600 (0 connections now open)
2021-09-09T08:12:05.937+0000 I NETWORK [listener] connection accepted from 127.0.0.1:45720 #10 (1 connection now open)
2021-09-09T08:12:33.970+0000 I NETWORK [conn10] end connection 127.0.0.1:45720 (0 connections now open)
2021-09-09T08:12:33.970+0000 I NETWORK [listener] connection accepted from 127.0.0.1:45942 #11 (1 connection now open)
2021-09-09T08:13:13.906+0000 I NETWORK [conn11] end connection 127.0.0.1:45942 (0 connections now open)
2021-09-09T08:13:13.906+0000 I NETWORK [listener] connection accepted from 127.0.0.1:46258 #12 (1 connection now open)
2021-09-09T08:14:13.173+0000 I NETWORK [conn12] end connection 127.0.0.1:46258 (0 connections now open)
2021-09-09T08:14:13.173+0000 I NETWORK [listener] connection accepted from 127.0.0.1:46736 #13 (1 connection now open)
2021-09-09T10:39:23.584+0000 I NETWORK [listener] connection accepted from 127.0.0.1:52440 #14 (2 connections now open)
2021-09-09T10:39:23.589+0000 I NETWORK [conn14] end connection 127.0.0.1:52440 (1 connection now open)

So for now it seems that with the free version everything works well, but with the enterprise version it does not.
Maybe I should enable something on the enterprise version, some kind of flag or so?
Basically, I do not know what to do. Maybe someone can help me with CSFLE in the enterprise version?