When creating the SSL socket against the server, if a CA cert file containing an intermediate certificate and a root CA certificate is used, only the intermediate certificate is actually added to the X509 store and peer validation may fail.
OpenSSL::X509::Certificate.new only parses the first certificate found in the data provided.
The code is https://github.com/mongodb/mongo-ruby-driver/blob/master/lib/mongo/socket/ssl.rb#L180
cert_store.add_cert(OpenSSL::X509::Certificate.new(File.open(options[:ssl_ca_cert])))
OpenSSL::X509::Store#add_file, by contrast, adds all the certificates found in a file:
add_file(file) → self
Adds the certificates in file to the certificate store. The file can contain multiple PEM-encoded certificates.
see https://ruby-doc.org/stdlib-2.4.0/libdoc/openssl/rdoc/OpenSSL/X509/Store.html
The fix would be to use add_file instead of manually creating a Certificate object and then adding it to the X509 store.
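The following Ruby script is added here as an illustration; it is not part of the driver or of this report. It builds a throwaway root -> intermediate -> leaf chain in memory (all keys, serials and CN values are constructed for the example), writes the intermediate and root into one PEM bundle in the order the report describes, and compares three ways of loading that bundle into an OpenSSL::X509::Store: Certificate.new followed by add_cert (what the driver did, which yields only the first certificate and leaves the chain without a trust anchor), Store#add_file (the proposed fix), and, going a step beyond the report, splitting the PEM text and calling add_cert once per block for the case where the bundle arrives as a string rather than a file. The helper names make_cert, build_pki, store_with_* and demo are this example's own.

```ruby
require 'openssl'
require 'tempfile'

# Issue a certificate for this example's throwaway PKI. If issuer_cert is nil the
# certificate is self-signed (a root CA). All names and keys here are constructed.
def make_cert(subject, key, serial, ca:, issuer_cert: nil, issuer_key: nil)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2                                # X.509 v3
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign, cRLSign', true)) if ca
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

# root CA -> intermediate CA -> server leaf, the shape the report describes.
def build_pki
  root_key, inter_key, leaf_key = Array.new(3) { OpenSSL::PKey::RSA.new(2048) }
  root  = make_cert('/CN=Example Root CA', root_key, 1, ca: true)
  inter = make_cert('/CN=Example Intermediate CA', inter_key, 2, ca: true,
                    issuer_cert: root, issuer_key: root_key)
  leaf  = make_cert('/CN=mongo.example.test', leaf_key, 3, ca: false,
                    issuer_cert: inter, issuer_key: inter_key)
  [root, inter, leaf]
end

# What the driver did: Certificate.new stops after the first PEM block, so only
# the intermediate lands in the store and the chain never reaches a trust anchor.
def store_with_add_cert(bundle_path)
  store = OpenSSL::X509::Store.new
  store.add_cert(OpenSSL::X509::Certificate.new(File.read(bundle_path)))
  store
end

# The proposed fix: add_file loads every certificate in the file.
def store_with_add_file(bundle_path)
  store = OpenSSL::X509::Store.new
  store.add_file(bundle_path)
  store
end

# Equivalent when the bundle is already in memory as a string: split it into
# PEM blocks and add each certificate individually.
PEM_CERT = /-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----/m
def store_with_split_pem(bundle_pem)
  store = OpenSSL::X509::Store.new
  bundle_pem.scan(PEM_CERT).each { |pem| store.add_cert(OpenSSL::X509::Certificate.new(pem)) }
  store
end

# Run all three loaders against the same bundle and report what each one verifies.
def demo
  root, inter, leaf = build_pki
  bundle = Tempfile.new(['ca-bundle', '.pem'])
  bundle.write(inter.to_pem + root.to_pem)     # intermediate first, then root, as in the report
  bundle.flush
  pem = File.read(bundle.path)
  results = {
    first_parsed_subject: OpenSSL::X509::Certificate.new(pem).subject.to_s,
    intermediate_subject: inter.subject.to_s,
    add_cert_verifies:    store_with_add_cert(bundle.path).verify(leaf),
    add_file_verifies:    store_with_add_file(bundle.path).verify(leaf),
    split_pem_verifies:   store_with_split_pem(pem).verify(leaf)
  }
  bundle.close!
  results
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |k, v| puts "#{k}: #{v}" }
end
```

Running the script shows that the certificate parsed by Certificate.new has the intermediate's subject, that the store built with add_cert fails to verify the leaf (OpenSSL will not treat a non-self-signed intermediate as a trust anchor unless partial-chain verification is explicitly enabled), and that both add_file and the split-and-add loop verify it.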
Related issues:
- RUBY-1767 TLS verification cannot be configured via URI options due to missing private key URI option (Closed)
- DRIVERS-678 Test TLS certificate intermediates (Backlog)
- RUBY-1822 Support providing certificate chains as client certificates (Closed)
- RUBY-1823 Support adding multiple CA certificates (Closed)