KAFKACONNECTOR: Could not use TLS MONGODB connection.uri

A kafkaconnect for MONGODB with TLS and TLS auth has been successfully deployed, and then a source-type kafkaconnector, in a Kubernetes environment.

kubectl get kc
NAME                        DESIRED REPLICAS   READY
mongodb-connect-community   1                  True

kubectl get kctr
NAME                     CLUSTER                     CONNECTOR CLASS                                  MAX TASKS   READY
mongodb-source-unix      mongodb-connect-community   com.mongodb.kafka.connect.MongoSourceConnector   1           True

MONGODB collections have been synchronized to a topic in KAFKA.

Once this is achieved, I want to configure the TLS access to the mongodb database.

The connection uri field without TLS is this and it works.

connection.uri: mongodb://user:xxxx@mongorep-0.mongorep.enterprise-canary.svc.cluster.local/?replicaSet=mongorep

Tested with TLS, but it is not working:

connection.uri: mongodb://user:xxxx@mongorep-0.mongorep.enterprise-canary.svc.cluster.local/?replicaSet=mongorep&tls=true&tlsCAFile=/home/kafka/ca.crt

The following error appears in the logs:

Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:439)
        at java.base/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:306)
        at java.base/sun.security.validator.Validator.validate(Validator.java:264)
        at java.base/sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:313)
        at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:222)
        at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:129)
        at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1340)
        ... 24 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
        at java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
        at java.base/java.security.cert.CertPathBuilder.build(CertPathBuilder.java:297)
        at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:434)

Has anyone tried to configure TLS access to the MONGODB DB?

Hi Alberto,
I’m trying to do the same thing, connecting to mongo with TLS, and I’ve had this problem too.
I have a Docker image with Kafka and Connect, and in both I copied the client and server with CA certificates to these folders in my Dockerfile, which solved this problem.

COPY certificates/* /etc/alternatives/jre/lib/security
COPY certificates/* /etc/ssl/certs
COPY certificates/* /etc/pki/ca-trust/source/anchors/
COPY certificates/* /etc/pki/ca-trust/extracted/java/
COPY certificates/* /etc/pki/java
COPY certificates/* /usr/lib/jvm/zulu11-ca/lib/security/

and then imported them with keytool:
RUN cd /etc/pki/java && keytool -import -alias mongodb-client -keystore /etc/pki/java/cacerts -file mongodb-client.pem -noprompt -keypass changeit -storepass changeit
RUN cd /etc/pki/java && keytool -import -trustcacerts -file mongodb-ca.pem -noprompt -keypass changeit -storepass changeit

But I also can’t connect with TLS because the connection.uri doesn’t accept the tlscertificatekeyfile parameter; I even opened a question at Kafka Connector with MongoDB TSL.

Regards.
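
A check on the connection.uri values from the question, added here as an example and not part of the original thread: the connector runs on the MongoDB Java driver, which takes its CA and client certificate from the JVM trust store and key store rather than from tlsCAFile or tlsCertificateKeyFile, consistent with the PKIX error above and with the keytool import in the reply. The function name, severity labels and messages are assumptions of this example.

```python
from urllib.parse import parse_qsl

# File-based TLS options (accepted by mongosh and some other drivers) mapped to
# the JVM system property that carries the same material for a Java client.
JVM_EQUIVALENT = {
    "tlscafile": "javax.net.ssl.trustStore",
    "tlscertificatekeyfile": "javax.net.ssl.keyStore",
    "tlscertificatekeyfilepassword": "javax.net.ssl.keyStorePassword",
}
# Options that switch off certificate or hostname verification.
WEAKENING = ("tlsinsecure", "tlsallowinvalidhostnames", "sslinvalidhostnameallowed")


def check_connection_uri(uri):
    """Return a list of (severity, option, message) findings for a connection.uri."""
    _, _, query = uri.partition("?")
    # Option names are case-insensitive; in this check a repeated option keeps its last value.
    opts = {k.lower(): v for k, v in parse_qsl(query, keep_blank_values=True)}
    # mongodb+srv:// turns TLS on unless the URI says otherwise.
    default_tls = "true" if uri.startswith("mongodb+srv://") else "false"
    tls_on = opts.get("tls", opts.get("ssl", default_tls)).lower() == "true"

    findings = []
    if not tls_on:
        findings.append(("warning", "tls", "TLS is off: traffic to MongoDB is unencrypted"))
    for name, prop in JVM_EQUIVALENT.items():
        if name in opts:
            findings.append(("error", name,
                             f"ignored by the Java driver; use the {prop} system property"))
    for name in WEAKENING:
        if opts.get(name, "").lower() == "true":
            findings.append(("warning", name, "disables certificate or hostname verification"))
    return findings


if __name__ == "__main__":
    # The two URIs from the question (password already masked as xxxx there).
    base = ("mongodb://user:xxxx@mongorep-0.mongorep.enterprise-canary"
            ".svc.cluster.local/?replicaSet=mongorep")
    for uri in (base, base + "&tls=true&tlsCAFile=/home/kafka/ca.crt"):
        print(uri.partition("?")[2])
        for severity, option, message in check_connection_uri(uri):
            print(f"  {severity}: {option}: {message}")
```

To act on a tlscafile finding, import the CA into a JKS or PKCS12 store with keytool and start the Connect worker JVM with -Djavax.net.ssl.trustStore and -Djavax.net.ssl.trustStorePassword pointing at that store.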