-
Type: Bug
-
Resolution: Fixed
-
Priority: Major - P3
-
Affects Version/s: None
-
Component/s: None
-
None
-
Environment:OS:
node.js / npm versions:
Additional info:
-
Developer Tools
-
Not Needed
We're encountering some weird TLS connection state related to the default usage of the system-ca that happens due to the following flow of events:
- User tries to connect to mongodb server
- Server issuer cert is Let's Encrypt
- Let's Encrypt issuer cert is ISRG
- There are two ISRG certs in the user system ca: one is self singed one, another is an expired one signed by DST (this sort of explains why this is a thing)
- When looking up the CA to verify the connection, the ISRG cert with the expired issuer is picked up first
- The expired DST cert is also part of the system CA list. Connection fails with the "certificate has expired" error
Also worth noting that while the issue can be reproduced with Node.js tls.connect method, it doesn't reproduce when using openssl directly and providing the same CA cert list, hinting that the issue might be a bug in Node.js
- is related to
-
COMPASS-8374 Expired certificates in Windows' certificate store cause connection failures
- Needs Triage
-
COMPASS-8300 certificate has expired
- Closed
- related to
-
COMPASS-8300 certificate has expired
- Closed
-
COMPASS-8362 New compass version not connecting to Atlas Server
- Closed