COMPASS-8322

Expired certificates in the CA list cause connections to fail

    • Type: Bug
    • Resolution: Fixed
    • Priority: Major - P3
    • Fix Version/s: 1.44.5
    • Affects Version/s: None
    • Component/s: None

We're encountering some weird TLS connection state related to the default usage of the system CA that happens due to the following flow of events:

  • User tries to connect to a MongoDB server
  • Server issuer cert is Let's Encrypt
  • Let's Encrypt issuer cert is ISRG
  • There are two ISRG certs in the user's system CA: one is a self-signed one, another is an expired one signed by DST (this sort of explains why this is a thing)
  • When looking up the CA to verify the connection, the ISRG cert with the expired issuer is picked up first
  • The expired DST cert is also part of the system CA list. Connection fails with the "certificate has expired" error

Also worth noting that while the issue can be reproduced with the Node.js tls.connect method, it doesn't reproduce when using openssl directly and providing the same CA cert list, hinting that the issue might be a bug in Node.js.
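An added check (not part of this report or of Compass) that audits a CA list for the condition described above using only Python's standard ssl module: it flags expired entries and, separately, expired cross-signed copies that sit beside a valid self-signed root with the same subject. The SAMPLE_CA_LIST entries, names and dates are constructed for the demo.

```python
import ssl
import time

# Constructed sample modeled on the scenario in the description (illustrative
# values, not copied from a real bundle): a valid self-signed ISRG root, the same
# ISRG subject cross-signed by DST and already expired, and the expired DST root.
# The dict shape is the one SSLContext.get_ca_certs() returns.
ISRG = ((("organizationName", "Internet Security Research Group"),),
        (("commonName", "ISRG Root X1"),))
DST = ((("organizationName", "Digital Signature Trust Co."),),
       (("commonName", "DST Root CA X3"),))
SAMPLE_CA_LIST = [
    {"subject": ISRG, "issuer": ISRG, "notAfter": "Jun  4 11:04:38 2035 GMT"},
    {"subject": ISRG, "issuer": DST, "notAfter": "Sep 30 18:14:03 2024 GMT"},
    {"subject": DST, "issuer": DST, "notAfter": "Sep 30 14:01:15 2021 GMT"},
]
SAMPLE_NOW = 1730419200  # 2024-11-01T00:00:00Z, fixed so the demo is reproducible

def _name(rdns):
    """Flatten the nested ((key, value),) tuples of a subject or issuer."""
    return ", ".join(f"{k}={v}" for rdn in rdns for k, v in rdn)

def expired_certs(certs, now=None):
    """(subject, issuer, notAfter) for every entry whose notAfter has passed."""
    now = time.time() if now is None else now
    return [(_name(c["subject"]), _name(c["issuer"]), c["notAfter"])
            for c in certs if ssl.cert_time_to_seconds(c["notAfter"]) < now]

def redundant_expired(certs, now=None):
    """Expired cross-signed entries whose subject also has a valid self-signed
    copy in the same list: the duplicate that, per the report, gets picked up
    first and fails the chain although a usable root is present."""
    now = time.time() if now is None else now
    valid_roots = {_name(c["subject"]) for c in certs
                   if c["subject"] == c["issuer"]
                   and ssl.cert_time_to_seconds(c["notAfter"]) >= now}
    return [(s, i) for s, i, _ in expired_certs(certs, now)
            if s in valid_roots and s != i]

def audit_bundle(cafile=None):
    """Run both checks over a PEM bundle, or over the system store if cafile is None."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if cafile:
        ctx.load_verify_locations(cafile)
    else:
        ctx.load_default_certs()
    certs = ctx.get_ca_certs()
    return expired_certs(certs), redundant_expired(certs)
```

audit_bundle("/path/to/bundle.pem") runs the same checks over a real PEM bundle, and audit_bundle() over the store the ssl module loads by default; entries returned by redundant_expired are the cross-signed duplicates that can be dropped from the list without losing the trust anchor.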

Assignee: sergey.petushkov@mongodb.com Sergey Petushkov
Reporter: sergey.petushkov@mongodb.com Sergey Petushkov