TLS/SSL issue to connect MongoDB Atlas from PHP

Rumaiz_Mohomed · October 6, 2020, 4:10pm

Hi All,
I am trying to connect my PHP (CodeIgniter) application to MongoDB Atlas. But connection failed and reason is TLS handshake failed: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed.

I am using
-PHP 7.4.7 (Codeigniter Framework)
-MongoDB Extention version 1.7.4
-Ubuntu 18.4
-Xampp

Full error log is

#### An uncaught Exception was encountered

Type: MongoDB\Driver\Exception\ConnectionTimeoutException

Message: No suitable servers found: `serverSelectionTimeoutMS` expired: [TLS handshake failed: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed calling ismaster on 'bohoz-shard-00-02.817p7.azure.mongodb.net:27017'] [TLS handshake failed: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed calling ismaster on 'bohoz-shard-00-01.817p7.azure.mongodb.net:27017'] [TLS handshake failed: error:1416F086:SSL routines:tls_process_server_certificate:

Filename: /home/rumaiz/MyWork/AAYUS/php_works/mvm-admin-portal/vendor/mongodb/mongodb/src/functions.php

Line Number: 431

Please help to resolve this issue.

chris · October 6, 2020, 7:56pm

Try updating ca-certificates first.

sudo apt-get update
sudo apt-get -y install ca-certificates

Rumaiz_Mohomed · October 7, 2020, 5:42am

Tried this. But not worked.

rumaiz@rumaiz-HP-ProBook-450-G0:~$ sudo apt-get -y install ca-certificates
Reading package lists… Done
Building dependency tree
Reading state information… Done
ca-certificates is already the newest version (20190110~18.04.1).
0 upgraded, 0 newly installed, 0 to remove and 19 not upgraded.

Still Same error

chris · October 7, 2020, 1:11pm

You should next make sure php is using the system certificate store. It may be that your development environment is overriding the use of the default path.

This is from a vanilla php:7.4.7 container:

php > var_dump(openssl_get_cert_locations());
array(8) {
  ["default_cert_file"]=>
  string(21) "/usr/lib/ssl/cert.pem"
  ["default_cert_file_env"]=>
  string(13) "SSL_CERT_FILE"
  ["default_cert_dir"]=>
  string(18) "/usr/lib/ssl/certs"
  ["default_cert_dir_env"]=>
  string(12) "SSL_CERT_DIR"
  ["default_private_dir"]=>
  string(20) "/usr/lib/ssl/private"
  ["default_default_cert_area"]=>
  string(12) "/usr/lib/ssl"
  ["ini_cafile"]=>
  string(0) ""
  ["ini_capath"]=>
  string(0) ""
}

If I remove the DST_Root_CA_X3.pem from my certificate path I get the exact same error.

Steve_N_A · April 27, 2021, 10:55am

This cert thing with MongoDB and PHP has driven me mad and one PITA searching for a solution. to NO AVAIL…But Finally:

I’m running PHP from the command line in server mode to test my PHP code. And got all the errors that you can find on the internet, relating to MongoDB/PHP/apache/Nginx.

This is my final solution to help me move forward:

It may help others in what I say.

export SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt

It will change the default_cert_file used with PHP. I have no idea where it’s changed with PHP config files because it’s certainly not in any php.ini files.

All this aggro all over the place with SSL/TLS is related to setting the correct path to the cert file.

It brings back memories in 2019 when I was low-level testing SSL/TLS (MITM) Secure Appliance Technology.
Regards,
Steve