Unable to connect to MongoDB using SSL/TLS

Vaibhav_Dalvi1 · August 3, 2021, 12:09pm

I am trying to connect to MongoDB server through mongo client and facing following error:

SSL peer certificate validation failed: self signed certificate

Detailed error message is:

mongo --tls --tlsCertificateKeyFile /etc/ssl/test-client.pem --tlsCAFile /etc/ssl/test-ca.pem
2MongoDB shell version v4.4.6 3connecting to: mongodb://127.0.0.1:27017/?compressors=disabled&gssapiServiceName=mongodb 4{“t”:{"$date":“2021-07-30T09:29:50.080Z”},“s”:“E”, “c”:“NETWORK”, “id”:23256, “ctx”:“js”,“msg”:“SSL peer certificate validation failed”,“attr”:{“error”:“SSL peer certificate validation failed: self signed certificate”}} 5Error: couldn’t connect to server 127.0.0.1:27017, connection attempt failed: SSLHandshakeFailed: SSL peer certificate validation failed: self signed certificate : 6connect@src/mongo/shell/mongo.js:374:17 7@(connect):2:6 8exception: connect failed 9exiting with code 1

I have followed steps given on MongoDB site to generate the Server, client certificates and pem files:
Appendix A - OpenSSL CA Certificate for Testing

and followed steps given for client certificates for testing.
OS and Server details:
OS: CentOS 7 (CentOS Linux release 7.8.2003 (Core))
MongoDB Server: MongoDB server version: 4.4.6
MongoDB shell version: v4.4.6

Am I missing something?

Please let me know if you need more details on configuration.

# network interfaces
net:
  port: 27017
  bindIp: 127.0.0.1  # Enter 0.0.0.0,:: to bind to all IPv4 and IPv6 addresses or, alternatively, use the net.bindIpAll setting.
  tls:
     mode: requireTLS
     certificateKeyFile: /etc/ssl/test-server1.pem
     CAFile: /etc/ssl/test-ca.pem

Ramachandra_Tummala · August 3, 2021, 4:40pm

Try with --host option
as per below example from mongo docs
mongo --tls --host hostname.example.com --tlsCAFile /etc/ssl/caToValidateServerCertificates.pem

Vaibhav_Dalvi1 · August 4, 2021, 2:19am

It’s NOT working even we provide host option.

mongo  --tls --host localhost  --tlsCertificateKeyFile /etc/ssl/test-client.pem --tlsCAFile /etc/ssl/test-ca.pem 
MongoDB shell version v4.4.6
connecting to: mongodb://localhost:27017/?compressors=disabled&gssapiServiceName=mongodb
{"t":{"$date":"2021-08-04T02:14:38.694Z"},"s":"E",  "c":"NETWORK",  "id":23256,   "ctx":"js","msg":"SSL peer certificate validation failed","attr":{"error":"SSL peer certificate validation failed: self signed certificate"}}
Error: couldn't connect to server localhost:27017, connection attempt failed: SSLHandshakeFailed: SSL peer certificate validation failed: self signed certificate :
connect@src/mongo/shell/mongo.js:374:17
@(connect):2:6
exception: connect failed
exiting with code 1



mongo  --tls --host localhost.localdomain  --tlsCertificateKeyFile /etc/ssl/test-client.pem --tlsCAFile /etc/ssl/test-ca.pem A
MongoDB shell version v4.4.6
connecting to: mongodb://localhost.localdomain:27017/A?compressors=disabled&gssapiServiceName=mongodb
{"t":{"$date":"2021-08-04T02:15:22.873Z"},"s":"E",  "c":"NETWORK",  "id":23256,   "ctx":"js","msg":"SSL peer certificate validation failed","attr":{"error":"SSL peer certificate validation failed: self signed certificate"}}
Error: couldn't connect to server localhost.localdomain:27017, connection attempt failed: SSLHandshakeFailed: SSL peer certificate validation failed: self signed certificate :
connect@src/mongo/shell/mongo.js:374:17
@(connect):2:6
exception: connect failed
exiting with code 1

Please advice.

chris · August 4, 2021, 4:34pm

Certificates are hard. Using some CA software can help this process a lot.

Something is self signed in that chain(other than the root) start with checking the Intermediate authority, server and client certificates and see if any have the Issuer == Subject.

openssl x509 -in /path/to/server.pem -noout -subject -issuer
subject=CN = Example MongoDB
issuer=CN = Example Intermediate CA

openssl x509 -in /path/to/intermediate -noout -subject -issuer
subject=CN = Example Intermediate CA
issuer=CN = Example_ROOT_CA

Also inspecting the certificate chain presented by the server can be of value, following the appendix instructions there should only be one certificate as a bundle is not created.

echo Q | openssl s_client -connect hostname:27017 -showcerts

Vaibhav_Dalvi1 · August 5, 2021, 2:27am

Thanks @chris .

It will be great help if you could please point me to any documentation or blog which describes this whole certificate creation and using those procedure in detail.

I am really stuck with this. It’s very much hard to configure and use SSL connection with MongoDB.

Ramachandra_Tummala · August 5, 2021, 2:38am

Is localhost your hostname?
The host parameter should match with CN from your certificate i,e when you present certificate it will verify against the server
I think the certificate needs to be generated different way if you want to connect with localhost

Vaibhav_Dalvi1 · August 5, 2021, 2:42am

Thanks @Ramachandra_Tummala for quick response. I really appreciate it.

Is localhost your hostname?
Yes.

The host parameter should match with CN from your certificate i,e when you present certificate it will verify against the server

CN and host parameter is same.

I think the certificate needs to be generated different way if you want to connect with localhost

What is that? Let me know if you have any idea.

Ramachandra_Tummala · August 5, 2021, 2:18pm

Did you try --tlsAllowInvalidCertificates & --tlsAllowInvalidHostnames .
Not recommended but just to test

Check these links for localhost certs generation

https://www.selfsignedcertificate.com/

chris · August 5, 2021, 2:22pm

@Ramachandra_Tummala That creates self signed certificates.

The Appendices referenced in the earlier walk through the creation of a CA enabling a proper chain of trust and distribution of a CA file.

Certificates from that link will be no better then what they have right this minute.