MongoDB-Charts Stitch SSL Cert Issues

I’ve been having a difficult time getting On-premise Charts working with an SSL connection to a local MongoDB installation (not in a Docker container). Every time I run it, stitch fails. I initially had a self-signed cert and stitch complained about that. Then I decided to use a Let’s Encrypt issued cert, but now stitch says:

Addr: 172.17.0.1:27017, Type: Unknown, State: Connected, Average RTT: 0, Last error: x509: cannot validate certificate for 172.17.0.1 because it doesn’t contain any IP SANs

I don’t believe Let’s Encrypt does IP SAN, so self-signed would seem to be the way to go. I’ve followed all the steps many times and the only way I can get fully operational is to remove the SSL requirement from MongoDB.

What would be the best route as far as certs to make an On-premise Charts work? Any help would be appreciated. Thank you.

James

Hi @James_C

This configuration is supported. Did you see the docs at Configure TLS/SSL for Metadata Clusters — MongoDB Charts? What errors / behaviour are you seeing with your self-signed cert?

Tom

Hello Tom! Thanks for the reply. Sorry for the late reply; I was trying to run through things again to see if I could fix it before replying, but no joy.

I have read most of the installation documentation a few times. I’ll admit I mostly get confused on the SSL part. It seems there might be a combination of connection-uri and cert file confusion on my part. Below are the various connection-uri I have tried (all get verified), and the stitch-startup.log output:

connection-uri:

docker run --rm quay.io/mongodb/charts:19.12.2 charts-cli test-connection 'mongodb://admin:password@172.17.0.1?ssl=true'

stitch output:

2021-02-22T00:48:33.633Z        ERROR   main_server     server/main.go:88       error starting up servers: error parsing uri

I think I figured the above issue, it seems stitch wants a ‘/’ after the host.

connection-uri:

docker run --rm quay.io/mongodb/charts:19.12.2 charts-cli test-connection 'mongodb://admin:password@172.17.0.1/?ssl=true'

stitch output:

Addr: 172.17.0.1:27017, Type: Unknown, State: Connected, Average RTT: 0, Last error: x509: cannot validate certificate for 172.17.0.1 because it doesn't contain any IP SANs

I will try some more testing and read the docs again in the morning. Thanks.

OK. I’m not an expert in this area but I have made it work before. You may want to use a hostname instead of an IP (matching the value in the certificate) and use the Docker extra_hosts section if you need to force the name resolution.

Tom

Hi Tom! I finally got it! I feel a little foolish after figuring out the issue. I took your advice and used a hostname instead, as well as extra_hosts, and it works. I feel a little foolish because doing that seems normal, but I got confused during the install when I read:

Charts interprets localhost as the Docker container Charts is running in. If the database is running on the same host as the Charts Docker container but not in Docker, it will not be reachable via mongodb://localhost. Instead, use one of the following URIs depending on your Docker version when creating the Docker secret in the command below:

Linux: IP address of the docker0 interface. 172.17.0.1 by default.

“If the database is running on the same host as the Charts Docker container but not in Docker…”, I guess I read this the wrong way, but I thought it meant that if I have a database on a host (ubuntu server) and the Charts container on the same host (ubuntu server), I would need to use the 172 address in the connection string and not the actual MongoDB deployment IP (or hostname). So now I use:

docker run --rm Quay charts-cli test-connection 'mongodb://admin:password@db.mydomain.com/?ssl=true'

And everything works great. Sorry I wasted your time, but the wording really confused me. Thanks for all the help.
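The "doesn't contain any IP SANs" error in this thread is produced by Go's crypto/x509 package, which Stitch is built on: an IP in the connection string is only ever matched against IP SANs, never against DNS SANs or the subject CN. The following added example (not code from the thread or from MongoDB Charts) reproduces that check offline by generating throwaway self-signed certificates; the hostname db.mydomain.com and the docker0 address 172.17.0.1 are taken from the thread, everything else is constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

// newSelfSigned builds a throwaway self-signed cert with the given DNS and IP SANs (constructed for illustration only).
func newSelfSigned(dnsNames []string, ips []net.IP) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), // placeholder serial
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		DNSNames:     dnsNames,
		IPAddresses:  ips,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// hostnameError runs Go's crypto/x509 SAN check (the same one a TLS client runs) and returns its message, or "" on a match.
func hostnameError(cert *x509.Certificate, host string) string {
	if err := cert.VerifyHostname(host); err != nil {
		return err.Error()
	}
	return ""
}

func main() {
	// DNS SAN only (the shape of a Let's Encrypt cert), checked by the docker0 IP and then by name.
	dnsOnly, _ := newSelfSigned([]string{"db.mydomain.com"}, nil)
	fmt.Printf("by IP:   %q\n", hostnameError(dnsOnly, "172.17.0.1"))
	fmt.Printf("by name: %q\n", hostnameError(dnsOnly, "db.mydomain.com"))
	// A self-signed cert that carries the docker0 address as an IP SAN instead.
	ipSAN, _ := newSelfSigned(nil, []net.IP{net.ParseIP("172.17.0.1")})
	fmt.Printf("IP SAN:  %q\n", hostnameError(ipSAN, "172.17.0.1"))
}
```

The first line prints the exact error from the thread; the second and third are empty, showing the two working options: connect by the name in the certificate, or issue a self-signed certificate whose IP SAN covers the address in the connection string.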
