- Type: Task
- Resolution: Fixed
- Priority: Unknown
- Component/s: Mongo Orchestration
Certificates in drivers-evergreen-tools were regenerated with SHA256 a few years ago for DRIVERS-575.
mongo-orchestration is still using an old client.pem cert, which dates back seven years to 10gen/mongo-orchestration@60ab9d2. This cert appears to be injected into every internal PyMongo client whenever a configuration uses sslParams (see: common.py, sharded_clusters.py).
On my local system (Python 3.8.10, OpenSSL 1.1.1f), attempting to start an SSL cluster (e.g. load-balancer-ssl.json) emits the following error:
Traceback (most recent call last):
  File "/home/jmikola/.local/lib/python3.8/site-packages/pymongo/ssl_support.py", line 128, in get_ssl_context
    ctx.load_cert_chain(certfile, keyfile, passphrase)
ssl.SSLError: [SSL: CA_MD_TOO_WEAK] ca md too weak (_ssl.c:4046)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  ...
  File "/home/jmikola/.local/lib/python3.8/site-packages/pymongo/ssl_support.py", line 130, in get_ssl_context
    raise ConfigurationError(
pymongo.errors.ConfigurationError: Private key doesn't match certificate: [SSL: CA_MD_TOO_WEAK] ca md too weak (_ssl.c:4046)
Presumably, this can be fixed by regenerating the certificate in the mongo-orchestration repository, or just copying over one of the existing certs from drivers-evergreen-tools' x509gen directory.
- is related to: DRIVERS-575 Regenerate test certificates with SHA256 signatures (Closed)