Error connecting to atlas ssl - TLS handshake failed: Failed certificate verification calling hello

Hello world! I’m getting kinda desperate here as I have tried a lot of things and none of it works.

Since the upgrade to php 8 and upgrading php mongo lib to 1.19.1 from 1.4.2 I’m unable to connect to Atlas when ssl is enabled and when the options:

tlsAllowInvalidCertificates
tlsAllowInvalidHostnames

are disabled. When they are enabled I can connect to Atlas and everything works. In the Atlas logs it seems that it receives a connection and then the client immediately disconnects.

The error I constantly get is:

No suitable servers found (serverSelectionTryOnce set): [TLS handshake failed: Failed certificate verification calling hello on 'xxx.mongodb.net:27017'] [TLS handshake failed: Failed certificate verification calling hello on 'xxx.mongodb.net:27017'] [TLS handshake failed: Failed certificate verification calling hello on 'xxx.mongodb.net:27017']

I'm using docker alpine3.19 and php 8.3.7 run on AWS linux2.

I have tried everything that came to my mind (and that has any reference on google) from checking if ssl is installed properly, downloading certificates and putting them to the ssl configs and providing cert file. My network config in the Atlas UI allows connecting from my IP ranges, downgrading PHP lib version, changing connection strings and trying out different options but none of it works.
My config on atlas does not require ca files and it used to work like that up until the big upgrade.

Does someone have any idea what can cause this error and possibly how to solve it?

This seems to be a case of SSL certificates not accessible / incorrect.
It may be the case that your PHP environment doesn’t have the correct location for certificates. Could you run the below command from your PHP environment and cross check the certificates location?

Ok I got it, I had to specify the ca file path for the connection string. Now that I have done that I get a similar error, just a little bit less expressive:

failed certificate just became connection error

No suitable servers found (serverSelectionTryOnce set): [connection error calling hello on 'xxx.yyy.mongodb.net:27017'] [connection error calling hello on 'xxx.yyy.mongodb.net:27017'] [connection error calling hello on 'xxx.yyy.mongodb.net:27017']

At least we know it resolves the names in the cluster and certificate must be fine now but I’m not really sure how to debug this connection error string

array(8) {
  ["default_cert_file"]=>
  string(17) "/etc/ssl/cert.pem"
  ["default_cert_file_env"]=>
  string(13) "SSL_CERT_FILE"
  ["default_cert_dir"]=>
  string(14) "/etc/ssl/certs"
  ["default_cert_dir_env"]=>
  string(12) "SSL_CERT_DIR"
  ["default_private_dir"]=>
  string(16) "/etc/ssl/private"
  ["default_default_cert_area"]=>
  string(8) "/etc/ssl"
  ["ini_cafile"]=>
  string(0) ""
  ["ini_capath"]=>
  string(0) ""
}
php -i | grep openssl
Configure Command =>  './configure'  '--build=x86_64-linux-musl' '--with-config-file-path=/usr/local/etc/php' '--with-config-file-scan-dir=/usr/local/etc/php/conf.d' '--enable-option-checking=fatal' '--with-mhash' '--with-pic' '--enable-mbstring' '--enable-mysqlnd' '--with-password-argon2' '--with-sodium=shared' '--with-pdo-sqlite=/usr' '--with-sqlite3=/usr' '--with-curl' '--with-iconv=/usr' '--with-openssl' '--with-readline' '--with-zlib' '--disable-phpdbg' '--with-pear' '--disable-cgi' '--enable-fpm' '--with-fpm-user=www-data' '--with-fpm-group=www-data' 'build_alias=x86_64-linux-musl'
openssl
Openssl default config => /etc/ssl/openssl.cnf
openssl.cafile => no value => no value
openssl.capath => no value => no value

And when running this command:

openssl s_client -showcerts -connect  xxx.xxx.mongodb.net:27017 < /dev/null

There are no ssl errors which indicates that the problem might be somewhere in the PHP driver.

When running a very minimal PHP script to reproduce it I get the ssl error every time, but when doing the same with a very minimal Node.js app it goes perfectly. So there must be something about the php lib.

Can you please check if you are able to connect to the cluster via mongosh from the docker instance?

Actually, I managed to solve it.

The issue was in the libressl that my docker build was using. I replaced it with openSSL and all of a sudden it started working like a charm. I guess the mongo driver for php had some issues with compiling the ssl layer or something related to libressl.

Thank you for your help.
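
A diagnostic sketch for the checks discussed in this thread, added here as an example and not posted by any participant: it reads `php --ri mongodb` and `php --ri openssl` output, reports whether a LibreSSL build is involved, and checks that the CA bundle is readable, so verification can stay enabled instead of falling back to `tlsAllowInvalidCertificates`. The function names are hypothetical, the sample output is constructed, and the `libmongoc SSL library` and `OpenSSL Library Version` line labels are assumed to match what those two commands print.

```shell
#!/bin/sh
# Added example: which TLS library is PHP / the MongoDB driver built against,
# and is the CA bundle it would use actually readable?

# Constructed sample of `php --ri mongodb; php --ri openssl` output.
SAMPLE_RI='mongodb

MongoDB extension version => 1.19.1
libmongoc SSL => enabled
libmongoc SSL library => OpenSSL

openssl

OpenSSL support => enabled
OpenSSL Library Version => LibreSSL X.Y.Z'

# Keep only the lines that name a TLS library (labels are assumptions).
tls_lines() {
    sed -n -e '/^libmongoc SSL library => /p' \
           -e '/^OpenSSL Library Version => /p'
}

# Reads extension info on stdin; prints libressl | openssl | other | no-tls.
verdict() {
    libs=$(tls_lines)
    case "$libs" in
        "")         echo no-tls ;;
        *LibreSSL*) echo libressl ;;  # the build that failed in this thread
        *OpenSSL*)  echo openssl ;;
        *)          echo other ;;
    esac
}

# Succeeds if the file is readable and holds at least one PEM certificate.
ca_bundle_usable() {
    [ -r "$1" ] && grep -q -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Full check: extension info on stdin, CA bundle path as $1.
diagnose() {
    tls=$(verdict)
    if ca_bundle_usable "$1"; then ca=present; else ca=missing; fi
    echo "tls=$tls ca=$ca"
}

# Demo on the constructed sample. Inside the container, run instead:
#   { php --ri mongodb; php --ri openssl; } | diagnose /etc/ssl/cert.pem
printf '%s\n' "$SAMPLE_RI" | diagnose /etc/ssl/cert.pem
```

A `libressl` verdict matches the situation resolved above by rebuilding the image against OpenSSL; `ca=missing` points at the earlier certificate-location problem instead.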

Glad to hear @Lovro_Toplomyer
Do you remember the version of Libressl that was present?