Got warning (possible timing out) on OCSP SSL verification after upgrading Mongo (2.13 to 2.17)

Hello, I wonder if someone can shed some light on this issue; after updating the Ruby gem dependencies for MongoDB from 2.13.1 to 2.17.0, I started seeing the error shown below:

MONGODB | TLS certificate of ‘{server_name}’ could not be definitively verified via OCSP: For responders {cert_issuer_url} with a timeout of 5 seconds: OCSP response from {cert_issuer_url} is 6: unauthorized

Below is the configuration used, which had never logged any warning prior to the upgrade:

```yaml
# mongoid.yml client excerpt as posted; ssl/ssl_verify/max_pool_size sit in the
# client's options block, one level below uri
      uri: <%= ENV['MONGODB_URL'] %>
        ssl: true
        ssl_verify: true
        max_pool_size: <%= ENV['MONGODB_MAX_POOL_SIZE'].to_i %>
```

Based on this changeset here, the new class ocsp_verifier.rb was apparently introduced in release 2.14. Hence I had never seen this log in our system log.

So my question now is: does this mean this issue could have been happening but never got logged prior to version 2.14? I have started a conversation with the certificate issuer to see if there is any way to verify with a retry; in this case, is there an option I can use for retrying? For options, I use mongoid's ssl=true and ssl_verify=true; I wonder if I can utilize any of the options to retry. Anyway, I am looking forward to any suggestions, and any help would be appreciated.

Hi @Tanda_Sirait ,

The Ruby driver as of version 2.14 is performing OCSP verification on server certificates. This is described in Creating a Client — MongoDB Ruby Driver Manual upcoming.

The endpoint provided by the certificate of your server appears to require authentication. The Ruby driver does not currently support providing credentials as part of the OCSP verification process.

You could do one of the following to move forward:

  1. Ask the certificate issuer whether they support OCSP verification of their certificates. If they do, ask whether such verification requires authentication.
  2. If OCSP verification is not supposed to be supported by your certificate issuer, they should remove the relevant fields from the certificates.
  3. If OCSP verification is supposed to be supported without authentication, your certificate issuer should provide you with a new certificate with the appropriate endpoint, or adjust their existing service implementing the existing endpoint.

You can disable OCSP verification following the instructions in Creating a Client — MongoDB Ruby Driver Manual upcoming.

There isn't actually a timeout happening - the message states that the operation is subject to the 5 second timeout, but the result of it is a verification failure due to an authentication requirement on the server side, not a timeout. Retrying the operation in this case will not be helpful as far as I can tell, because the second attempt will also fail with the authentication issue.

Driver versions prior to 2.14 have not performed OCSP verification.
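As an added illustration of what the driver's OCSP check does (example code written for this thread, not code from the driver or from either poster): it reads the responder URI from the server certificate's Authority Information Access extension, builds an OCSP request for that certificate, and treats anything other than a successful, correctly signed, nonce-matching answer as "not definitively verified". A responder that answers with status 6 (unauthorized) never gets as far as a certificate status, which is why a retry cannot change the outcome. The CA, the leaf certificate, the responder URI `http://ocsp.example.test/` and the two simulated responder replies are all constructed inside the script, so it runs offline.

```ruby
require 'openssl'

# Constructed test material: a throwaway CA and a leaf certificate whose AIA
# extension points at a hypothetical OCSP responder. The driver reads the same
# extension on the real server certificate to find the responder.
def build_test_chain(ocsp_uri)
  ca_key = OpenSSL::PKey::RSA.new(2048)
  ca = OpenSSL::X509::Certificate.new
  ca.version = 2
  ca.serial = 1
  ca.subject = OpenSSL::X509::Name.parse('/CN=Test CA')
  ca.issuer = ca.subject
  ca.public_key = ca_key.public_key
  ca.not_before = Time.now - 60
  ca.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(ca, ca)
  ca.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  ca.sign(ca_key, OpenSSL::Digest::SHA256.new)

  leaf_key = OpenSSL::PKey::RSA.new(2048)
  leaf = OpenSSL::X509::Certificate.new
  leaf.version = 2
  leaf.serial = 2
  leaf.subject = OpenSSL::X509::Name.parse('/CN=mongo.example.test')
  leaf.issuer = ca.subject
  leaf.public_key = leaf_key.public_key
  leaf.not_before = Time.now - 60
  leaf.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(ca, leaf)
  leaf.add_extension(ef.create_extension('authorityInfoAccess', "OCSP;URI:#{ocsp_uri}"))
  leaf.sign(ca_key, OpenSSL::Digest::SHA256.new)
  [ca, ca_key, leaf]
end

# Responder URIs named in the certificate's authorityInfoAccess extension.
# OpenSSL renders each access description as a line "OCSP - URI:<uri>".
def ocsp_responder_uris(cert)
  ext = cert.extensions.find { |e| e.oid == 'authorityInfoAccess' }
  return [] unless ext
  ext.value.scan(/OCSP - URI:(\S+)/).flatten
end

# The request a verifier POSTs to the responder: the certificate id (issuer
# name hash, issuer key hash, serial) plus a nonce to bind the reply to it.
def build_ocsp_request(leaf, issuer)
  req = OpenSSL::OCSP::Request.new
  req.add_certid(OpenSSL::OCSP::CertificateId.new(leaf, issuer))
  req.add_nonce
  req
end

# Classify a DER-encoded responder reply. Only a successful, trusted-signed,
# nonce-matching reply yields a definitive certificate status; everything
# else is reported in the same "OCSP response is <n>: <text>" form as the
# driver's warning, so status 6 reads "OCSP response is 6: unauthorized".
def interpret_ocsp_response(der, request, issuer)
  resp = OpenSSL::OCSP::Response.new(der)
  unless resp.status == OpenSSL::OCSP::RESPONSE_STATUS_SUCCESSFUL
    return { definitive: false, reason: "OCSP response is #{resp.status}: #{resp.status_string}" }
  end
  basic = resp.basic
  store = OpenSSL::X509::Store.new
  store.add_cert(issuer)
  return { definitive: false, reason: 'OCSP response signature not trusted' } unless basic.verify([issuer], store)
  return { definitive: false, reason: 'OCSP nonce mismatch' } unless request.check_nonce(basic) == 1
  _cid, status, = basic.status.first
  names = { OpenSSL::OCSP::V_CERTSTATUS_GOOD => :good, OpenSSL::OCSP::V_CERTSTATUS_REVOKED => :revoked }
  { definitive: true, cert_status: names.fetch(status, :unknown) }
end

# Simulated responder behaviour 1: the responder refuses the unauthenticated
# query. No certificate status is carried at all, so a retry changes nothing.
def simulate_unauthorized_response
  OpenSSL::OCSP::Response.create(OpenSSL::OCSP::RESPONSE_STATUS_UNAUTHORIZED, nil).to_der
end

# Simulated responder behaviour 2: a proper "good" answer, signed by the
# issuing CA itself and echoing the request nonce.
def simulate_good_response(request, issuer, issuer_key)
  basic = OpenSSL::OCSP::BasicResponse.new
  basic.add_status(request.certid.first, OpenSSL::OCSP::V_CERTSTATUS_GOOD, 0, nil, 0, 3600, nil)
  basic.copy_nonce(request)
  basic.sign(issuer, issuer_key, nil, 0, OpenSSL::Digest::SHA256.new)
  OpenSSL::OCSP::Response.create(OpenSSL::OCSP::RESPONSE_STATUS_SUCCESSFUL, basic).to_der
end

if $PROGRAM_NAME == __FILE__
  ca, ca_key, leaf = build_test_chain('http://ocsp.example.test/')
  puts "responders: #{ocsp_responder_uris(leaf).inspect}"
  req = build_ocsp_request(leaf, ca)
  puts interpret_ocsp_response(simulate_unauthorized_response, req, ca).inspect
  puts interpret_ocsp_response(simulate_good_response(req, ca, ca_key), req, ca).inspect
end
```

Run it with `ruby ocsp_check.rb`; the unauthorized case comes back as `definitive: false` with the same status text the driver printed, while the signed "good" reply comes back `definitive: true`. If you do decide to turn the check off rather than wait for the issuer, the driver exposes that as the `ssl_verify_ocsp_endpoint` client option (`tlsDisableOCSPEndpointCheck=true` in a URI), documented on the manual page the reply above refers to; keep `ssl_verify: true` in place, since that option only switches off the endpoint query, not chain validation.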

Hi @Oleg_Pudeyev, thank you for the response. I had a conversation with OCSP about any possible timeout from their end that may impact this call.

On the other hand, we had to downgrade our configuration, since the newer version will require some changes that we cannot commit to at this moment. Anyway, I will make a note of all those steps you mentioned as part of the considered actions.