- Type: New Feature
- Resolution: Fixed
- Priority: Major - P3
- Affects Version/s: 2.1.1, 2.1.5
- Component/s: CLI Module, UI / UX
- None
- Environment: OS: Ubuntu 20.04
  node.js / npm versions:
  Additional info:
- Developer Tools
- 3
- Not Needed
- Iteration Milky Way
Problem Statement/Rationale
When TLS is enabled with a certificate that requires a password, mongosh does not prompt for a passphrase automatically and fails with an error.
Steps to Reproduce
1. Deploy a supported MongoDB version, with TLS enabled:

    mongod --version
    db version v6.0.6-5
    Build Info: {
        "version": "6.0.6-5",
        "gitVersion": "b2fe1a70d01c32d2f2d6848dc3423aa2cfead3b2",
        "openSSLVersion": "OpenSSL 1.0.2k-fips 26 Jan 2017",
        "modules": [],
        "allocator": "tcmalloc",
        "environment": {
            "distarch": "x86_64",
            "target_arch": "x86_64"
        }
    }

    mongod --replSet replset --dbpath /mongo_data/606single_replica/replset/rs1/db --logpath /mongo_data/606single_replica/replset/rs1/mongod.log --port 6065 --keyFile /mongo_data/606single_replica/keyfile --wiredTigerCacheSizeGB 1 --directoryperdb --tlsMode=requireTLS --tlsCertificateKeyFile=/mongo_data/606single_replica/certificates/mongodb.pem --tlsCAFile /mongo_data/606single_replica/certificates/mongodb-cert.pem --tlsCertificateKeyFilePassword=xxxxxx --fork

2. Using mongosh, try to connect without --tlsCertificateKeyFilePassword:

    $ mongosh --version
    2.1.5

    $ mongosh mongodb://admin:sekret@127.0.0.1:6065/admin?authSource=admin --tls --tlsCAFile /mongo_data/606single_replica/certificates/mongodb-cert.pem --tlsCertificateKeyFile /mongo_data/606single_replica/certificates/client.pem --tlsAllowInvalidCertificates
    Current Mongosh Log ID: 65e2527b38f01633f3179e44
    Connecting to: mongodb://<credentials>@127.0.0.1:6065/admin?authSource=admin&directConnection=true&serverSelectionTimeoutMS=2000&tls=true&tlsCAFile=%2Fmongo_data%2F606single_replica%2Fcertificates%2Fmongodb-cert.pem&tlsCertificateKeyFile=%2Fmongo_data%2F606single_replica%2Fcertificates%2Fclient.pem&tlsAllowInvalidCertificates=true&appName=mongosh+2.1.1
    Error: error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt

3. But using the old mongo client with the same connection string, it prompts for the passphrase:

    $ /opt/mongo/5.0.18/bin/mongo mongodb://admin:sekret@127.0.0.1:6065/admin?authSource=admin --tls --tlsCAFile /mongo_data/606single_replica/certificates/mongodb-cert.pem --tlsCertificateKeyFile /mongo_data/606single_replica/certificates/client.pem --tlsAllowInvalidCertificates
    Enter PEM passphrase
    MongoDB shell version v5.0.18
    connecting to: mongodb://127.0.0.1:6065/admin?authSource=admin&compressors=disabled&gssapiServiceName=mongodb
Expected Results
Mongosh should prompt for the PEM passphrase.
Actual Results
Mongosh does not prompt for the PEM passphrase.
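
A client can tell from the PEM file itself that the key is encrypted and ask for the passphrase, rather than surfacing OpenSSL's "bad decrypt" error or requiring the secret on the command line. The Node.js sketch below is an added example, not mongosh's code; the function names, the injected askPassphrase callback and the sample key are constructed for illustration.

```javascript
const crypto = require('node:crypto');

// Constructed sample data: a throwaway EC key encrypted with a made-up passphrase.
const SAMPLE_PASSPHRASE = 'constructed-passphrase';
function makeEncryptedPem() {
  const { privateKey } = crypto.generateKeyPairSync('ec', {
    namedCurve: 'prime256v1',
    publicKeyEncoding: { type: 'spki', format: 'pem' },
    privateKeyEncoding: {
      type: 'pkcs8', format: 'pem',
      cipher: 'aes-256-cbc', passphrase: SAMPLE_PASSPHRASE,
    },
  });
  return privateKey;
}

// An encrypted key is recognisable without decrypting it:
//  - PKCS#8:          "-----BEGIN ENCRYPTED PRIVATE KEY-----"
//  - traditional PEM: a "Proc-Type: 4,ENCRYPTED" header inside the block
function isEncryptedPem(pem) {
  return /-----BEGIN ENCRYPTED PRIVATE KEY-----/.test(pem) ||
         /^Proc-Type:\s*4,ENCRYPTED/m.test(pem);
}

// Hypothetical loader: askPassphrase is called only when the key needs it.
// A real shell would read from the TTY with echo disabled; here it is injected
// so the logic can be exercised non-interactively.
function loadClientKey(pem, askPassphrase) {
  if (!isEncryptedPem(pem)) {
    return crypto.createPrivateKey(pem);
  }
  const passphrase = askPassphrase();
  try {
    return crypto.createPrivateKey({ key: pem, passphrase });
  } catch (err) {
    // Report a clear cause instead of the raw OpenSSL error string.
    throw new Error('PEM passphrase rejected: ' + (err.code || err.message));
  }
}

// Demo run on the constructed key.
const demoKey = loadClientKey(makeEncryptedPem(), () => SAMPLE_PASSPHRASE);
console.log('loaded key type:', demoKey.asymmetricKeyType);
```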