- Type: Bug
- Resolution: Cannot Reproduce
- Priority: Major - P3
- Affects Version/s: 1.0.4
- Component/s: Connectivity
- None
- Environment: macOS Big Sur 11.5.1
- Not Needed
Problem Statement/Rationale
I'm unable to connect to a mongo server with TLS, using the --tlsCertificateSelector option.
Steps to Reproduce
- Create a mongodb server configured with TLS
- Add the certificate bundle (intermediate + leaf) and private key PEM files to the macOS keychain:

    $ security import carl.crt
    2 certificates imported.
    $ security import carl.key
    1 key imported.

- Find the SHA1 hash of the leaf certificate.
- Attempt to connect to the mongodb server:

    $ mongosh --tls --tlsCertificateSelector "thumbprint=55d24e990d1a043a62595a193a4d06a4cf7e4923" --tlsCAFile root_ca.crt --host ec2-18-190-155-116.us-east-2.compute.amazonaws.com

- Accept the macOS dialog for keychain private key usage
Expected Results
Current Mongosh Log ID: 6112bdfb57e9aaeb125d16e5
Connecting to: mongodb://ec2-18-190-155-116.us-east-2.compute.amazonaws.com:27017/?directConnection=true
Using MongoDB: 5.0.2
Using Mongosh: 1.0.4
For mongosh info see: https://docs.mongodb.com/mongodb-shell/
To help improve our products, anonymous usage data is collected and sent to MongoDB periodically (https://www.mongodb.com/legal/privacy-policy).
You can opt-out by running the disableTelemetry() command.
------
   The server generated these startup warnings when booting:
   2021-08-10T17:17:12.770+00:00: Using the XFS filesystem is strongly recommended with the WiredTiger storage engine. See http://dochub.mongodb.org/core/prodnotes-filesystem
   2021-08-10T17:17:13.622+00:00: Access control is not enabled for the database. Read and write access to data and configuration is unrestricted
------
Warning: Found ~/.mongorc.js, but not ~/.mongoshrc.js. ~/.mongorc.js will not be loaded.
  You may want to copy or rename ~/.mongorc.js to ~/.mongoshrc.js.
test>
Actual Results
Current Mongosh Log ID: 6112be1e8c3eed599ddd3c7f
Connecting to: mongodb://ec2-18-190-155-116.us-east-2.compute.amazonaws.com:27017/?directConnection=true
MongoServerSelectionError: connection <monitor> to 18.190.155.116:27017 closed
Additional Notes
When I attempt to connect, I do get the macOS GUI dialog asking for my keychain password to use the private key.
The server side logs show a TLS handshake failure:

    {"t":{"$date":"2021-08-10T18:01:57.516+00:00"},"s":"I", "c":"NETWORK", "id":22988, "ctx":"conn107","msg":"Error receiving request from client. Ending connection from remote","attr":{"error":{"code":141,"codeName":"SSLHandshakeFailed","errmsg":"SSL peer certificate validation failed: unable to verify the first certificate"},"remote":"10.1.20.201:53131","connectionId":107}}

Note that I am able to connect via TLS using files. Specifically, if I use --tls --tlsCertificateKeyFile carl.pem --tlsCAFile root_ca.crt (where carl.pem is the intermediate CA + leaf + private key PEMs concatenated together).
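The two details a practitioner would want to check from this report are the "Find the SHA1 hash of the leaf certificate" step and the server's "unable to verify the first certificate" error, which is what a server logs when the client presents a leaf without the intermediate that would chain it to the trusted root. The script below is an added example (not part of this report and not mongosh or MongoDB code): it splits a PEM bundle into its certificate blocks, computes each block's SHA-1 thumbprint in the lowercase, colon-free form used in the --tlsCertificateSelector "thumbprint=..." value above, and flags a bundle that carries only one certificate. It uses only the Python standard library; the PEM blocks in SAMPLE_BUNDLE and LEAF_ONLY are constructed placeholders rather than real X.509 certificates (the thumbprint arithmetic, SHA-1 over the DER bytes, is the same either way).

```python
"""Inspect a PEM certificate bundle: SHA-1 thumbprint per certificate and a
check that an intermediate travels with the leaf.

Added example, not code from the bug report or from mongosh. Standard library
only. SAMPLE_BUNDLE and LEAF_ONLY are constructed placeholder data.
"""
import base64
import hashlib
import re
import sys
from typing import Dict, List

# One CERTIFICATE block; re.S lets the body span multiple lines.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def pem_certificates(bundle: str) -> List[bytes]:
    """Return the DER bytes of every CERTIFICATE block in the bundle, in file order."""
    return [base64.b64decode("".join(body.split())) for body in PEM_BLOCK.findall(bundle)]


def thumbprint(der: bytes) -> str:
    """SHA-1 over the DER encoding, lowercase hex, no colons.

    This is the certificate fingerprint macOS Keychain Access displays and the
    format the report passes as --tlsCertificateSelector "thumbprint=<hex>".
    """
    return hashlib.sha1(der).hexdigest()


def describe_bundle(bundle: str) -> Dict[str, object]:
    """Summarise a client bundle the way a TLS server will see it."""
    certs = pem_certificates(bundle)
    return {
        "count": len(certs),
        "thumbprints": [thumbprint(c) for c in certs],
        # By convention the first block of a client bundle is the leaf.
        "leaf_thumbprint": thumbprint(certs[0]) if certs else None,
        # A single block means no intermediate is sent; a server that trusts only
        # the root then cannot build the chain and rejects the handshake.
        "has_intermediate": len(certs) > 1,
    }


def _fake_pem(payload: bytes) -> str:
    """Wrap arbitrary bytes in PEM armor. Constructed test data only: the body is
    not a real certificate, but parsing and hashing behave exactly as for one."""
    body = base64.b64encode(payload).decode()
    return "-----BEGIN CERTIFICATE-----\n" + body + "\n-----END CERTIFICATE-----\n"


# Constructed inputs: a leaf + intermediate bundle, and a leaf on its own.
SAMPLE_BUNDLE = _fake_pem(b"constructed-leaf") + _fake_pem(b"constructed-intermediate")
LEAF_ONLY = _fake_pem(b"constructed-leaf")


def main(argv: List[str]) -> int:
    # Pass a real bundle path (e.g. carl.crt) to inspect it; otherwise use the sample.
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_BUNDLE
    info = describe_bundle(text)
    for i, tp in enumerate(info["thumbprints"]):
        print(f"cert[{i}] sha1 thumbprint: {tp}")
    if not info["has_intermediate"]:
        print("only one certificate present: the server will see the leaf alone and may "
              "fail with 'unable to verify the first certificate'")
        return 1
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Running it against the two PEM files from the report would show which thumbprint to place in the selector and whether the bundle that reaches the server actually contains the intermediate; the fact that the concatenated carl.pem works while the keychain selector does not is consistent with only the leaf being sent in the keychain case.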