2023/06/06 17:16:28 No .env file found
2023/06/06 17:16:58 server selection error: server selection timeout, current topology: { Type: Unknown, Servers: [{ Addr: someserver.somedomain:27017, Type: Unknown, Last error: x509: certificate relies on legacy Common Name field, use SANs instead }, ] }
I know it’s loading my local copy of the self-signed cert because if I munge the path, my application does a panic: … no such file or directory.
The URI I am using works with mongosh and compass except that for mongosh and compass I urlencode the leading-slashes in the certificate path as %2F’s.
Any tips, please? Obviously it’s being fussy about the Common Name field, but is there a switch to make it happy, or is this the new strict?
@Jack_Woehr that’s an interesting error. That error seems to be returned by the crypto/x509 package starting with Go 1.15. The error could be disabled with the environment variable GODEBUG=x509ignoreCN=0 until the override was removed with Go 1.17. I’m not aware of any recent intentional change in the Go driver that would surface that error.
I have some questions that could help get to the bottom of the error:
Is there a previous version of the Go driver where that error doesn’t happen? If so, what version?
What Go version are you using?
Did you change your Go version recently? If so, what was the previous Go version?
In the past I have used Go for MongoDB very infrequently.
In fact, the last time I tried Go with MongoDB, the development MongoDB database was not configured for TLS.
Since that last time, I have configured our development database for TLS and we have been happily accessing it that way, CN and all, via mongosh, compass, and via the PHP Driver, PHP being the language which I am using most for MongoDB development.
So I am afraid I cannot provide helpful details. I asked the question assuming I had omitted some variable or URI component. And the answer, from what you say, would have been “Yes” in earlier versions of the crypto/x509 indirect requirement.
So I guess I should simply comply by updating my self-signed certificates rather than wrestle with the programming interface.
Thanks for the additional info! The Go TLS standard libraries tend to be relatively aggressive at enforcing secure configuration and deprecating legacy behavior. Since the Go driver uses the TLS standard libraries, it also inherits those strict requirements.
As far as a workaround, you could try using the tlsInsecure=true URI option. However, use that with extreme caution because it disables TLS hostname checking, so it may break the security you hoped to add by enabling TLS. Otherwise, as you also concluded, there’s not really a way to override that specific behavior in Go 1.17+ and you’re stuck updating your certs.
tlsInsecure=true does the trick, @Matt_Dale
It’s the Dev installation, not exposed outside, so I’m not worried about the insecurity.
The Prod installation will have a genuine certificate.
Thanks for your help.