We have created a self-signed root CA cert, an intermediate CA cert, and a server cert with various subjectaltnames (that map to the hosts in replication).
Since our root cert is not trusted by default we have installed it in all the usual windows trust stores (local user and machine).
This certificate configuration has worked for several clients so we believe it to be ok.
We have configured MongoDB version v3.2.10 like this -
%BINPATH% --replSet %REPLSETNAME% --clusterAuthMode x509 --sslClusterFile %CLUSTERCLIENTCERT% --sslMode requireSSL --sslAllowConnectionsWithoutCertificates --sslPEMKeyFile %KEYFILE% --sslCAFile %CAFILE% --port %PORT% --dbpath=%DBPath% --logpath=%LOGPATH% --serviceName %SERVICENAME% --serviceDisplayName %SERVICENAME% --smallfiles --logappend --auth --install
sslPEMKeyFile does include the full chain, I have seen missing intermediate certs being a problem.
The good -
We have been able to connect various clients, usually by specifying the sslCAFile option (which seems consistent with the documentation)
Robomongo 0.9.0-RC10 also works fine (w/ required sslCAFile option)
For Mongoose we were able to inject our cert into the nodejs trust store.
The bad -
For the MongoDB.Driver (C#) client we are using a connect string that looks like so -
mongodb://somedb:somedb@xxx0,xxx1,xxx2/SomeDB?replicaSet=repset0&ssl=true&readPreference=secondary
The error from the client looks like this -
at MongoDB.Driver.Core.Servers.ServerMonitor.<HeartbeatAsync>d__27.MoveNext()" }, { ServerId: "
{ ClusterId }", EndPoint: "Unspecified/xxx0:27017", State: "Disconnected", Type: "Unknown", HeartbeatException: "MongoDB.Driver.MongoConnectionException: An exception occurred while opening a connection to the server.
System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.
If we turn off certificate validation it works.
I'm pretty confident it is a client side trust issue but I can't seem to figure out how to configure the client in this case.
Is this a gap in functionality, documentation, or do you think running in service fabric is an issue?
For the heck of it we tried adding &sslCAFile=cacerts.pem (and copied the file into the distribution at various places) but it had no effect.
Any guidance would be appreciated.
Tim
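Added example, not from the original post or the MongoDB driver: instead of turning certificate validation off when the OS store does not recognise the private root, the driver's SslSettings.ServerCertificateValidationCallback can rebuild the server chain with that root supplied explicitly and accept it only if it terminates at exactly that root, while still rejecting hostname (SAN) mismatches. The connection string, the root CA file path and the helper class name are assumptions.

```csharp
using System;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
using MongoDB.Driver;

// Hypothetical helper: trusts only server chains anchored at our own root CA,
// rather than a callback that returns true for everything.
public static class PrivateRootMongoClient
{
    public static MongoClient Create(string connectionString, string rootCaPath)
    {
        // Our self-signed root CA (DER or single-cert PEM); the path is an assumption.
        var rootCa = new X509Certificate2(rootCaPath);

        var settings = MongoClientSettings.FromUrl(new MongoUrl(connectionString));
        settings.UseSsl = true;
        settings.SslSettings = new SslSettings
        {
            ServerCertificateValidationCallback = (sender, cert, serverChain, errors) =>
                IsIssuedByPrivateRoot(cert, serverChain, rootCa, errors)
        };
        return new MongoClient(settings);
    }

    // Tolerate a chain error only when it stems from the OS not knowing our root and
    // the rebuilt chain ends at that root. Name mismatch or no certificate = reject.
    public static bool IsIssuedByPrivateRoot(X509Certificate cert, X509Chain serverChain,
                                             X509Certificate2 rootCa, SslPolicyErrors errors)
    {
        if (cert == null) return false;
        if (errors == SslPolicyErrors.None) return true;                       // OS store already trusts it
        if ((errors & ~SslPolicyErrors.RemoteCertificateChainErrors) != 0) return false;

        using (var chain = new X509Chain())
        {
            chain.ChainPolicy.ExtraStore.Add(rootCa);
            // Intermediates the server sent (sslPEMKeyFile holding the full chain) are reusable here.
            if (serverChain != null)
                foreach (var element in serverChain.ChainElements)
                    chain.ChainPolicy.ExtraStore.Add(element.Certificate);
            chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;       // private PKI with no published CRL
            chain.ChainPolicy.VerificationFlags = X509VerificationFlags.AllowUnknownCertificateAuthority;

            if (!chain.Build(new X509Certificate2(cert))) return false;

            // Pin the chain terminus to our root's thumbprint, not merely to "some" self-signed root.
            var terminus = chain.ChainElements[chain.ChainElements.Count - 1].Certificate;
            return string.Equals(terminus.Thumbprint, rootCa.Thumbprint, StringComparison.OrdinalIgnoreCase);
        }
    }
}
```

If this callback also fails, logging the `errors` value and `chain.ChainStatus` inside it shows whether the failure is the unknown root or a SAN/hostname mismatch against the names in the connection string.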