Serverless Private Endpoint in AWS times out

We’re trying to move an application over from an M10 cluster to Serverless, connecting using an AWS Private Endpoint. We had the Private Endpoint working perfectly with the M10 setup, but it just times out while connecting to the Serverless instance with Could not establish stream for node pe-1-REDACTED.REDACTED.mongodb.net:27017: [socket timeout calling hello on 'pe-1-REDACTED.REDACTED.mongodb.net:27017']

  • We have triple-checked all configuration is as per the setup guide.
  • We have destroyed everything and configured it again from scratch in both Atlas and AWS.
  • We are able to connect to the Serverless instance from outside the AWS VPC.
  • We have checked the routing and security groups with VPC Reachability Analyser and VPC Flow Logs and confirmed everything is allowed and working.
  • We have confirmed the DNS SRV records and CNAME of the node to the Private Endpoint hostname are all correct.
  • We are using the latest PHP MongoDB extension (1.14.1) and package (1.13.1) in our application.

We’re at a loss as to what to try. Any ideas?

This looks like a TLS negotiation issue, as we are able to connect if we set the tlsAllowInvalidCertificates URI option to true. I don’t understand why it’s resulting in the error in the original post, rather than throwing an error about the certificate.

Following this thread. Really frustrating issue!

Hi @Jaik_Dean,
This does not sound like the desired behavior. Could you please open a support ticket so we can look into your issue?

Sincerely,
Vishal
MongoDB Atlas Serverless PM team

With some more digging and pointers from @Jason_Tran, we’ve found out what’s going on here.

The PHP driver is calling the certificate’s OCSP endpoint during TLS negotiation, to check if the certificate authority has been revoked. Our network has outbound port 80 (HTTP) traffic blocked, so this check was failing. We are able to disable this check with either of these connection options and have a working connection:

  • tlsDisableCertificateRevocationCheck
  • tlsDisableOCSPEndpointCheck

What’s interesting is that connecting using mongoshell works even with port 80 blocked. I don’t know where the underlying difference between the PHP driver and mongoshell is that determines whether the OCSP check is performed. It’s getting to the limit of my knowledge around responsibilities and interactions of the different layers of drivers, OpenSSL etc.

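The diagnosis above (OCSP responder unreachable because outbound port 80 is blocked, driver handshake stalls instead of failing on the certificate) can be checked directly from the application host before touching driver options. The script below is an added example, not code from the thread or from the MongoDB driver: it pulls the OCSP responder URL out of the server's leaf certificate, tests whether that responder is reachable, and only then sets tlsDisableOCSPEndpointCheck on the client. The hostname, URI and the MONGO_PE_HOST/MONGO_URI environment variables are placeholders; it assumes the mongodb extension and the mongodb/mongodb library are installed.

```php
<?php
// Added example, not part of the original thread. Requires the mongodb
// extension and `composer require mongodb/mongodb`.
require __DIR__ . '/vendor/autoload.php';

use MongoDB\Client;

/**
 * Open a plain TLS connection to the server, capture its certificate and
 * return the OCSP responder URL from the Authority Information Access
 * extension (null if the connection fails or no OCSP URL is present).
 * This handshake does no OCSP lookup itself, so it works even when port 80
 * is blocked; it only tells us where the driver would try to go.
 */
function ocspResponderUrl(string $host, int $port = 27017, float $timeout = 5.0): ?string
{
    $ctx = stream_context_create(['ssl' => [
        'capture_peer_cert' => true,
        'SNI_enabled'       => true,
        'peer_name'         => $host,
    ]]);
    $sock = @stream_socket_client("ssl://$host:$port", $errno, $errstr, $timeout,
                                  STREAM_CLIENT_CONNECT, $ctx);
    if ($sock === false) {
        return null;
    }
    $params = stream_context_get_params($sock);
    fclose($sock);

    $cert = openssl_x509_parse($params['options']['ssl']['peer_certificate']);
    // PHP renders the AIA extension as lines such as
    // "OCSP - URI:http://ocsp.example.net" and "CA Issuers - URI:...".
    $aia = $cert['extensions']['authorityInfoAccess'] ?? '';
    if (preg_match('/OCSP - URI:(\S+)/', $aia, $m)) {
        return $m[1];
    }
    return null;
}

/**
 * Can this host open a TCP connection to the OCSP responder? OCSP responders
 * are almost always plain HTTP on port 80, which is exactly what an
 * "HTTPS-only" egress policy blocks.
 */
function ocspResponderReachable(string $url, float $timeout = 3.0): bool
{
    $parts = parse_url($url);
    if ($parts === false || empty($parts['host'])) {
        return false;
    }
    $scheme = $parts['scheme'] ?? 'http';
    $port   = $parts['port'] ?? ($scheme === 'https' ? 443 : 80);
    $sock   = @fsockopen($parts['host'], $port, $errno, $errstr, $timeout);
    if ($sock === false) {
        return false;
    }
    fclose($sock);
    return true;
}

// Placeholder endpoint and URI; replace with your own private endpoint values.
$peHost = getenv('MONGO_PE_HOST') ?: 'pe-1-REDACTED.REDACTED.mongodb.net';
$uri    = getenv('MONGO_URI')     ?: "mongodb://$peHost:27017/?tls=true";

$uriOptions = [];
$ocspUrl = ocspResponderUrl($peHost);
if ($ocspUrl === null) {
    fwrite(STDERR, "Could not read an OCSP URL from the server certificate.\n");
} elseif (!ocspResponderReachable($ocspUrl)) {
    fwrite(STDERR, "OCSP responder $ocspUrl is NOT reachable from this host; "
        . "the driver's OCSP endpoint check would stall.\n");
    // Skip only the responder lookup. Stapled OCSP responses and the rest of
    // certificate verification still apply; the trade-off is that a revoked
    // server certificate would no longer be detected via the responder.
    $uriOptions['tlsDisableOCSPEndpointCheck'] = true;
} else {
    fwrite(STDERR, "OCSP responder $ocspUrl is reachable; no driver change needed.\n");
}

$client = new Client($uri, $uriOptions);
$client->selectDatabase('admin')->command(['ping' => 1]);
echo "Connected.\n";
```

The preferable long-term fix is an egress rule (or proxy) that lets the application reach the responder hosts named in the certificate's AIA extension, so the revocation check keeps working; tlsDisableOCSPEndpointCheck is the narrower of the two options mentioned above because it leaves stapled responses and local checks in place, whereas tlsDisableCertificateRevocationCheck turns revocation checking off entirely.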
