[M220] Connection issue trying to connect with mongo shell: (SSL CERTIFICATE_VERIFY_FAILED)

I have done the first chapter of Mongodb for the python developer course. When I was trying to connect to the cluster with mongo shell I got the following error message:

2021-04-22T17:41:00.533-0300 I NETWORK [thread1] Starting new replica set monitor for atlas-12cwpw-shard-0/mflix-shard-00-02.maiqr.mongodb.net.:27017,mflix-shard-00-00.maiqr.mongodb.net.:27017,mflix-shard-00-01.maiqr.mongodb.net.:27017
2021-04-22T17:41:00.819-0300 E NETWORK [ReplicaSetMonitor-TaskExecutor-0] SSL peer certificate validation failed: unable to get local issuer certificate

I am using a Linux machine with Ubuntu 18.04.5 LTS and Python 3.6.2.

I tried with this but it did not work for me: https://stackoverflow.com/questions/40684543/how-to-make-python-use-ca-certificates-from-mac-os-truststore

Do you think that is the solution? Thanks in advance.

Hi @Matias_Zulberti

Thanks for opening this separate issue.
Can you confirm whether, in testing that Stack Overflow solution, you ran your virtual environment and installed the certifi package? If not, can you try this step:

pip install certifi

Let me know if installing the certifi package in your Python virtual environment resolves this issue. If it fails, please include the error message to help determine what else may be causing your issue.

Kindest regards,
Eoin

Hi @Eoin_Brazil

Thanks for your help.

I am trying to test two different approaches:

  1. Run the app’s test with pytest. In this case the error message is the following:

pymongo.errors.ServerSelectionTimeoutError: SSL handshake failed: mflix-shard-00-01.maiqr.mongodb.net:27017: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:748),SSL handshake failed: mflix-shard-00-02.maiqr.mongodb.net:27017: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:748),SSL handshake failed: mflix-shard-00-00.maiqr.mongodb.net:27017: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:748)

  2. Additionally, I am trying to test the connection with mongo shell directly:

This is the command I ran:

mongo "mongodb+srv://mflix.maiqr.mongodb.net/sample_mflix" --username m220student

and the following was the error I received:

connecting to: mongodb+srv://mflix.maiqr.mongodb.net/sample_mflix
2021-04-26T12:35:33.376-0300 I NETWORK [thread1] Starting new replica set monitor for atlas-12cwpw-shard-0/mflix-shard-00-02.maiqr.mongodb.net.:27017,mflix-shard-00-00.maiqr.mongodb.net.:27017,mflix-shard-00-01.maiqr.mongodb.net.:27017

Hi @Matias_Zulberti

It looks like your Mongo Shell connection is working correctly unless there are more error messages beyond what you have shared.

In terms of your pytest issue, it is worth flagging that in versions of Python greater than 2.7.9, server certification verification was enabled by default which I think might be part of the cause of this error. Essentially, this means that OpenSSL no longer has access to root certificates stored on your machines and indeed some of the certificates may also be outdated or both.

Can you try installing this package on your Ubuntu system to update your OS certificates?

sudo apt install ca-certificates

Then can you retry the “pytest” command and update this thread to let us know if this helped resolve your issue.

Kindest regards,
Eoin

Hi @Eoin_Brazil

I tried to re-install ca-certificates, but I realized I have the latest version already installed:

ca-certificates is already the newest version (20210119~18.04.1).

When I ran the tests, I received the same error.

Hi @Matias_Zulberti

Thanks for trying that, can you try this as the next test:

Can you check that dnspython, pymongo and certifi are installed in your virtual environment or install them by:

pip install dnspython pymongo certifi

Can you use the terminal/command line and run Python? In the Python environment, can you enter and run the following commands (please change the password as appropriate for your user in your Atlas cluster):

from pymongo import MongoClient
import certifi
s = MongoClient("mongodb+srv://m220student:m220password@cluster0.maiqr.mongodb.net", tlsCAFile=certifi.where())

This is to set the CA file: https://pymongo.readthedocs.io/en/stable/examples/tls.html#specifying-a-ca-file
and this flags how, for Linux operating systems, the certificates may need the latest root certificate updates from the OS provider:
https://pymongo.readthedocs.io/en/stable/examples/tls.html#troubleshooting-tls-errors

Let me know if this allows you to connect to your Atlas cluster.

Kindest regards!
Eoin

Hello @Eoin_Brazil

I could run the following command in the Python environment:

MongoClient("mongodb+srv://m220student:mypassword@mflix.maiqr.mongodb.net",ssl_ca_certs='/home/matias.zulberti/proyectos/mongo/mflix-python/new_env/lib/python3.9/site-packages/certifi/cacert.pem')

and this is the response I got:

MongoClient(host=['mflix-shard-00-02.maiqr.mongodb.net:27017', 'mflix-shard-00-01.maiqr.mongodb.net:27017', 'mflix-shard-00-00.maiqr.mongodb.net:27017'], document_class=dict, tz_aware=False, connect=True, authsource='admin', replicaset='atlas-12cwpw-shard-0', ssl=True, ssl_ca_certs='/home/matias.zulberti/proyectos/mongo/mflix-python/new_env/lib/python3.9/site-packages/certifi/cacert.pem')

As you can see, instead of using tlsCAFile I had to use ssl_ca_certs because tlsCAFile is not a valid option for pymongo-3.7.2 (this is the version we have in the requirements file).
If you look in pymongo/common.py, line 520, you have a dict called URI_VALIDATORS that contains all of the valid options you can use.

I changed the pymongo version from 3.7.2 to 3.11.2 and now I can run the command with tlsCAFile.

Now I am having the following issue when I try to run the tests:

def _resolve_uri(self, encapsulate_errors):
        try:
            results = resolver.query('_mongodb._tcp.' + self.__fqdn, 'SRV',
                                     lifetime=self.__connect_timeout)
        except Exception as exc:
            if not encapsulate_errors:
                # Raise the original error.
                raise
            # Else, raise all errors as ConfigurationError.
>           raise ConfigurationError(str(exc))
E           pymongo.errors.ConfigurationError: query() got an unexpected keyword argument 'lifetime'

I searched for that argument in the query function declaration and I could not find it. I found the following accepted parameters:

def query(qname, rdtype=dns.rdatatype.A, rdclass=dns.rdataclass.IN,
          tcp=False, source=None, raise_on_no_answer=True,
          source_port=0):

I found that piece of code in pymongo/resolver.py (line 1122)

Hi @Matias_Zulberti

Thanks for investigating that option, I think however it didn’t return the result I had hoped and I think progressing that further will not be productive. I think revisiting your local machine OS and its certificates to rule out those will be a better next step.

Can you run the following:

sudo update-ca-certificates

This should update your OS certificates which should resolve the underlying issue or at least remove the hypothesis that this is an OS certification-related issue.

Kindest regards,
Eoin

PyMongo requires dnspython>=1.16<2. Please install+upgrade pymongo with the srv extra like this:

python -m pip install --upgrade 'pymongo[srv]'

See: https://pymongo.readthedocs.io/en/stable/installation.html#dependencies

Hello @Shane and @Eoin_Brazil, thank you for your help. The solution was a mix of your recommendations. I had to use certifi.where() and I also had to install mongo['srv']. Previously I installed the requirements file we have in the project, but I don't know why it has dnspython==1.15.0 as the version of dnspython. Also, I upgraded the version of pymongo to 3.7.2 and that version allowed me to use tlsCAFile as a parameter in the MongoClient initialization.

Guys thank you a lot, I appreciate your help!
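
Added example, not part of the original thread: a preflight that reports the two conditions the thread ran into (a dnspython version outside the range quoted above, and which CA-bundle keyword the installed PyMongo accepts) and can probe a replica set member with certificate verification left on. The function names are hypothetical; the `(3, 9)` threshold is the PyMongo release that introduced the `tls*` option names, and the dnspython range is the one quoted in the thread.

```python
import re
import socket
import ssl
import sys
from importlib import metadata

TLS_OPTIONS_SINCE = (3, 9)           # PyMongo release that introduced the tls* option names
DNSPYTHON_RANGE = ((1, 16), (2, 0))  # ">=1.16,<2", the requirement quoted in the thread

def parse_version(text):
    return tuple(int(n) for n in re.findall(r"\d+", text)[:3])

def ca_option_name(pymongo_version):
    return "tlsCAFile" if parse_version(pymongo_version) >= TLS_OPTIONS_SINCE else "ssl_ca_certs"

def dnspython_supported(version):
    return DNSPYTHON_RANGE[0] <= parse_version(version) < DNSPYTHON_RANGE[1]

def preflight(versions):  # {'pymongo': v, 'dnspython': v}; None means not installed
    if versions.get("pymongo") is None:
        return ["pymongo is not installed"]
    findings = []
    dns = versions.get("dnspython")
    if dns is None:
        findings.append("dnspython missing: mongodb+srv:// URIs cannot be resolved")
    elif not dnspython_supported(dns):
        findings.append(f"dnspython {dns} is outside >=1.16,<2: SRV lookup can fail")
    findings.append(f"pass the CA bundle as {ca_option_name(versions['pymongo'])}=certifi.where()")
    return findings

def chain_verifies(host, port=27017, cafile=None):
    ctx = ssl.create_default_context(cafile=cafile)  # cafile=None: OS trust store
    try:
        with socket.create_connection((host, port), timeout=10) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True, ""
    except OSError as exc:  # ssl.SSLError is a subclass of OSError
        return False, str(exc)

def installed(name):
    try:
        return metadata.version(name)
    except metadata.PackageNotFoundError:
        return None

if __name__ == "__main__":
    print(preflight({n: installed(n) for n in ("pymongo", "dnspython")}))
    for host in sys.argv[1:]:  # optional: replica set member hostnames to probe
        print(host, "OS trust store:", chain_verifies(host))
```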
