MongoDB Shell / MONGOSH-947

Unable to use --tlsCertificateSelector on macOS

    • Type: Bug
    • Resolution: Cannot Reproduce
    • Priority: Major - P3
    • Affects Version/s: 1.0.4
    • Component/s: Connectivity
    • Environment: macOS Big Sur 11.5.1

      Problem Statement/Rationale

       I'm unable to connect to a mongo server with TLS, using the --tlsCertificateSelector option.

      Steps to Reproduce

      • Create a mongodb server configured with TLS
      • Add the certificate bundle (intermediate + leaf) and private key PEM files to the macOS keychain:

          $ security import carl.crt
          2 certificates imported.
          $ security import carl.key
          1 key imported.

      • Find the SHA1 hash of the leaf certificate.
      • Attempt to connect to the mongodb server:

          $ mongosh --tls --tlsCertificateSelector "thumbprint=55d24e990d1a043a62595a193a4d06a4cf7e4923" --tlsCAFile root_ca.crt --host ec2-18-190-155-116.us-east-2.compute.amazonaws.com

      • Accept the macOS dialog for keychain private key usage

      Expected Results

      Current Mongosh Log ID: 6112bdfb57e9aaeb125d16e5
      Connecting to: mongodb://ec2-18-190-155-116.us-east-2.compute.amazonaws.com:27017/?directConnection=true
      Using MongoDB: 5.0.2
      Using Mongosh: 1.0.4

      For mongosh info see: https://docs.mongodb.com/mongodb-shell/

      To help improve our products, anonymous usage data is collected and sent to MongoDB periodically (https://www.mongodb.com/legal/privacy-policy).
      You can opt-out by running the disableTelemetry() command.

      ------
      The server generated these startup warnings when booting:
      2021-08-10T17:17:12.770+00:00: Using the XFS filesystem is strongly recommended with the WiredTiger storage engine. See http://dochub.mongodb.org/core/prodnotes-filesystem
      2021-08-10T17:17:13.622+00:00: Access control is not enabled for the database. Read and write access to data and configuration is unrestricted
      ------

      Warning: Found ~/.mongorc.js, but not ~/.mongoshrc.js. ~/.mongorc.js will not be loaded.
      You may want to copy or rename ~/.mongorc.js to ~/.mongoshrc.js.
      test>

      Actual Results

      Current Mongosh Log ID: 6112be1e8c3eed599ddd3c7f
      Connecting to: mongodb://ec2-18-190-155-116.us-east-2.compute.amazonaws.com:27017/?directConnection=true
      MongoServerSelectionError: connection <monitor> to 18.190.155.116:27017 closed

      Additional Notes

      When I attempt to connect, I do get the macOS GUI dialog asking for my keychain password to use the private key.

      The server side logs show a TLS handshake failure:

      {"t":{"$date":"2021-08-10T18:01:57.516+00:00"},"s":"I","c":"NETWORK","id":22988,"ctx":"conn107","msg":"Error receiving request from client. Ending connection from remote","attr":{"error":{"code":141,"codeName":"SSLHandshakeFailed","errmsg":"SSL peer certificate validation failed: unable to verify the first certificate"},"remote":"10.1.20.201:53131","connectionId":107}}

      Note that I am able to connect via TLS using files. Specifically, if I use --tls --tlsCertificateKeyFile carl.pem --tlsCAFile root_ca.crt (where carl.pem is the intermediate CA + leaf + private key PEMs concatenated together).

            Assignee: Unassigned
            Reporter: Carl Tashian (carl@smallstep.com)
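The errmsg in the server log, "unable to verify the first certificate", is the text of OpenSSL's X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE, which OpenSSL 1.1.1 and later return when the peer's presented chain contains only the leaf and the leaf's issuer is not in the trust store; when the intermediate is presented but the root is not trusted, the text is "unable to get local issuer certificate" instead. That is consistent with the thumbprint-selected client certificate being sent without its intermediate, whereas the concatenated carl.pem supplies it. The script below is an added example, not code from this report or from mongosh: it builds a throwaway root -> intermediate -> leaf PKI with the openssl CLI (all names, such as "Demo Root CA" and "carl", are constructed for the demo), computes the leaf thumbprint in the form --tlsCertificateSelector takes, and runs the server-side verification once with the leaf alone and once with leaf + intermediate. It does not touch the macOS keychain and makes no claim about how mongosh assembles the chain from it.

```shell
#!/bin/sh
# Added example for MONGOSH-947 (not code from the report or from mongosh).
# Builds a throwaway root -> intermediate -> leaf PKI with openssl, derives the
# leaf's SHA-1 thumbprint in the form --tlsCertificateSelector takes, and runs
# the verification a TLS server performs on a client certificate in two variants:
# the peer presents the leaf alone, and the peer presents leaf + intermediate.
# Every subject name and file name here is constructed for the demo.
set -eu

# make_demo_pki DIR: create root_ca.crt, intermediate.crt, leaf.crt, carl.key in DIR.
make_demo_pki() {
  (
    cd "$1"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > leaf.ext
    # Root CA (self-signed); this is the only thing the "server" trusts.
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Demo Root CA" \
      -keyout root.key -out root.csr >/dev/null 2>&1
    openssl x509 -req -in root.csr -signkey root.key -days 2 -sha256 \
      -extfile ca.ext -out root_ca.crt >/dev/null 2>&1
    # Intermediate CA, signed by the root.
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Demo Intermediate CA" \
      -keyout intermediate.key -out intermediate.csr >/dev/null 2>&1
    openssl x509 -req -in intermediate.csr -CA root_ca.crt -CAkey root.key -CAcreateserial \
      -days 2 -sha256 -extfile ca.ext -out intermediate.crt >/dev/null 2>&1
    # Client leaf "carl", signed by the intermediate (same layout as the report).
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=carl" \
      -keyout carl.key -out carl.csr >/dev/null 2>&1
    openssl x509 -req -in carl.csr -CA intermediate.crt -CAkey intermediate.key -CAcreateserial \
      -days 2 -sha256 -extfile leaf.ext -out leaf.crt >/dev/null 2>&1
    # File-based bundle in the order the report describes: intermediate + leaf + key.
    cat intermediate.crt leaf.crt carl.key > carl.pem
  )
}

# leaf_thumbprint CERT: lowercase SHA-1 of the DER certificate without colons,
# i.e. the value used in --tlsCertificateSelector "thumbprint=...".
leaf_thumbprint() {
  openssl x509 -noout -fingerprint -sha1 -in "$1" \
    | sed 's/^.*=//; s/://g' | tr '[:upper:]' '[:lower:]'
}

# verify_presented ROOT LEAF [INTERMEDIATE]: what the server's verifier sees when
# its trust store holds only ROOT and the peer presents LEAF, optionally together
# with INTERMEDIATE. Prints openssl's verdict and returns its exit status.
verify_presented() {
  if [ "$#" -ge 3 ]; then
    openssl verify -CAfile "$1" -untrusted "$3" "$2" 2>&1
  else
    openssl verify -CAfile "$1" "$2" 2>&1
  fi
}

WORK="$(mktemp -d)"
make_demo_pki "$WORK"
echo "thumbprint=$(leaf_thumbprint "$WORK/leaf.crt")"

echo "--- peer presents the leaf only:"
# Fails. With OpenSSL 1.1.1+ the reason is X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE,
# the error whose text is "unable to verify the first certificate".
verify_presented "$WORK/root_ca.crt" "$WORK/leaf.crt" || true

echo "--- peer presents leaf + intermediate:"
# Succeeds: the verifier can walk leaf -> intermediate -> trusted root.
verify_presented "$WORK/root_ca.crt" "$WORK/leaf.crt" "$WORK/intermediate.crt"

rm -rf "$WORK"
```

Run it with sh; it needs only the openssl CLI. To apply the same check to a certificate that actually lives in the macOS keychain, export it in PEM form with `security find-certificate -c carl -p` and pass that file to leaf_thumbprint and verify_presented against the root_ca.crt you hand to --tlsCAFile.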