MongoDB Shell / MONGOSH-1730

Mongosh does not prompt for a passphrase for tlsCertificateKeyFilePassword

    • Type: New Feature
    • Resolution: Fixed
    • Priority: Major - P3
    • 2.3.3
    • Affects Version/s: 2.1.1, 2.1.5
    • Component/s: CLI Module, UI / UX
    • None
    • Environment:
      OS: Ubuntu 20.04
      node.js / npm versions:
      Additional info:
    • Developer Tools
    • 3
    • Not Needed
    • Iteration Milky Way

      Problem Statement/Rationale

      When using TLS with a certificate that requires a password, mongosh does not prompt for a passphrase automatically and fails with an error.


      Steps to Reproduce

      1. Deploy a supported MongoDB version, with TLS enabled:

       

      mongod --version
      db version v6.0.6-5
      Build Info: {
          "version": "6.0.6-5",
          "gitVersion": "b2fe1a70d01c32d2f2d6848dc3423aa2cfead3b2",
          "openSSLVersion": "OpenSSL 1.0.2k-fips  26 Jan 2017",
          "modules": [],
          "allocator": "tcmalloc",
          "environment": {
              "distarch": "x86_64",
              "target_arch": "x86_64"
          }
      }
      mongod --replSet replset --dbpath /mongo_data/606single_replica/replset/rs1/db --logpath /mongo_data/606single_replica/replset/rs1/mongod.log --port 6065 --keyFile /mongo_data/606single_replica/keyfile --wiredTigerCacheSizeGB 1 --directoryperdb --tlsMode=requireTLS --tlsCertificateKeyFile=/mongo_data/606single_replica/certificates/mongodb.pem --tlsCAFile /mongo_data/606single_replica/certificates/mongodb-cert.pem --tlsCertificateKeyFilePassword=xxxxxx --fork

      2. Using mongosh, try to connect without --tlsCertificateKeyFilePassword:

      $ mongosh --version
      2.1.5

       

      $ mongosh mongodb://admin:sekret@127.0.0.1:6065/admin?authSource=admin --tls --tlsCAFile /mongo_data/606single_replica/certificates/mongodb-cert.pem --tlsCertificateKeyFile /mongo_data/606single_replica/certificates/client.pem --tlsAllowInvalidCertificates
      Current Mongosh Log ID:    65e2527b38f01633f3179e44
      Connecting to:        mongodb://<credentials>@127.0.0.1:6065/admin?authSource=admin&directConnection=true&serverSelectionTimeoutMS=2000&tls=true&tlsCAFile=%2Fmongo_data%2F606single_replica%2Fcertificates%2Fmongodb-cert.pem&tlsCertificateKeyFile=%2Fmongo_data%2F606single_replica%2Fcertificates%2Fclient.pem&tlsAllowInvalidCertificates=true&appName=mongosh+2.1.1
      Error: error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt

      3. But using the old mongo client with the same connection string, it prompts for the passphrase:

      $ /opt/mongo/5.0.18/bin/mongo mongodb://admin:sekret@127.0.0.1:6065/admin?authSource=admin --tls --tlsCAFile /mongo_data/606single_replica/certificates/mongodb-cert.pem --tlsCertificateKeyFile /mongo_data/606single_replica/certificates/client.pem --tlsAllowInvalidCertificates
      Enter PEM passphrase
      MongoDB shell version v5.0.18
      connecting to: mongodb://127.0.0.1:6065/admin?authSource=admin&compressors=disabled&gssapiServiceName=mongodb

      Expected Results

      Mongosh should prompt for the PEM passphrase.

      Actual Results

      Mongosh does not prompt for the PEM passphrase.


            Assignee:
            gagik.amaryan@mongodb.com Gagik Amaryan
            Reporter:
            jean_nsilva@hotmail.com Jean da Silva
            Votes:
            1
            Watchers:
            6

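The behaviour requested in this issue depends on knowing, before the TLS handshake, that the key in the --tlsCertificateKeyFile is encrypted. The JavaScript below is an added example, not mongosh source code and not the fix shipped for this issue; the function names, return values and sample PEM text are assumptions made for illustration.

```javascript
// Added example; not mongosh source. All names here are hypothetical.
const PEM_BLOCK = /-----BEGIN ([A-Z0-9 ]+)-----\r?\n([\s\S]*?)-----END \1-----/g;

// One entry per PEM block found in the text of a --tlsCertificateKeyFile.
function classifyPemBlocks(pemText) {
  const blocks = [];
  for (const [, label, body] of pemText.matchAll(PEM_BLOCK)) {
    const isPrivateKey = /PRIVATE KEY$/.test(label);
    // PKCS#8 states encryption in the label itself.
    const pkcs8Encrypted = label === 'ENCRYPTED PRIVATE KEY';
    // Traditional OpenSSL keys state it in an RFC 1421 header inside the block.
    const legacyEncrypted =
      isPrivateKey && /^Proc-Type:\s*4,\s*ENCRYPTED\s*$/m.test(body);
    blocks.push({ label, isPrivateKey, encrypted: pkcs8Encrypted || legacyEncrypted });
  }
  return blocks;
}

// Decide what to do before the TLS handshake is attempted.
function passphraseAction({ pemText, passwordSupplied, interactive }) {
  const keys = classifyPemBlocks(pemText).filter((b) => b.isPrivateKey);
  if (keys.length === 0) return 'error-no-private-key';
  if (!keys.some((b) => b.encrypted) || passwordSupplied) return 'connect';
  // Without a terminal, fail with a clear message instead of "bad decrypt".
  return interactive ? 'prompt' : 'error-passphrase-required';
}

// Constructed inputs: the base64 bodies are placeholders, not real key material.
const pem = (label, ...lines) =>
  [`-----BEGIN ${label}-----`, ...lines, `-----END ${label}-----`].join('\n');
const CERT = pem('CERTIFICATE', 'Q09OU1RSVUNURUQ=');
const SAMPLES = {
  pkcs8Encrypted: CERT + '\n' + pem('ENCRYPTED PRIVATE KEY', 'Q09OU1RSVUNURUQ='),
  legacyEncrypted: CERT + '\n' + pem('RSA PRIVATE KEY', 'Proc-Type: 4,ENCRYPTED',
    'DEK-Info: AES-256-CBC,00000000000000000000000000000000', '', 'Q09OU1RSVUNURUQ='),
  unencrypted: CERT + '\n' + pem('PRIVATE KEY', 'Q09OU1RSVUNURUQ='),
  certOnly: CERT,
};

for (const [name, pemText] of Object.entries(SAMPLES)) {
  const action = passphraseAction({ pemText, passwordSupplied: false, interactive: true });
  console.log(`${name}: ${action}`);
}
```

Prompting on a terminal also means the passphrase does not have to be supplied as a command-line argument, where it would be visible in shell history and the process list.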