MongoDB version:
$ mongodb-macos-x86_64-enterprise-4.1.7-40-gbfb0aec/bin/mongod --version
db version v4.1.7-40-gbfb0aec
git version: bfb0aec447f39633694dcc4418f2a5a5a167937e
allocator: system
modules: enterprise
build environment:
    distarch: x86_64
    target_arch: x86_64
Start mongod with the attached certificates (server.pem, ca.pem):
$ mongodb-macos-x86_64-enterprise-4.1.7-40-gbfb0aec/bin/mongod -v --sslOnNormalPorts --sslWeakCertificateValidation --sslCAFile=ca.pem --sslPEMKeyFile=server.pem --dbpath tmp-data
Attempt to connect with the mongo shell (or any driver) with client.pem:
$ mongo --ssl --sslAllowInvalidCertificates --sslPEMKeyFile=client.pem
MongoDB shell version v4.0.1
connecting to: mongodb://127.0.0.1:27017
2019-01-18T16:25:57.426-0800 W NETWORK [js] SSL peer certificate validation failed: Certificate trust failure: CSSMERR_TP_NOT_TRUSTED
2019-01-18T16:25:57.426-0800 E QUERY [js] Error: network error while attempting to run command 'isMaster' on host '127.0.0.1:27017' :
connect@src/mongo/shell/mongo.js:257:13
@(connect):1:6
exception: connect failed
The server logs the following error:
2019-01-18T16:25:57.387-0800 I NETWORK [listener] connection accepted from 127.0.0.1:55477 #2 (1 connection now open)
2019-01-18T16:25:57.420-0800 D - [conn2] User Assertion: UnsupportedFormat: Invalid IP address in CIDR string src/mongo/util/net/cidr.cpp 117
2019-01-18T16:25:57.423-0800 D - [conn2] User Assertion: Location50687: Error preflighting UTF-8 conversion: U_STRING_NOT_TERMINATED_WARNING src/mongo/util/icu.cpp 85
2019-01-18T16:25:57.423-0800 D - [conn2] User Assertion: Location50687: Error preflighting UTF-8 conversion: U_STRING_NOT_TERMINATED_WARNING src/mongo/transport/session_asio.h 633
2019-01-18T16:25:57.423-0800 I NETWORK [conn2] Error receiving request from client: Location50687: Error preflighting UTF-8 conversion: U_STRING_NOT_TERMINATED_WARNING. Ending connection from 127.0.0.1:55477 (connection id: 2)
2019-01-18T16:25:57.423-0800 I NETWORK [conn2] end connection 127.0.0.1:55477 (0 connections now open)
These certificates work without a problem on MongoDB 2.6-4.0, so I think there has been a regression somewhere. Also worth noting is that this failure happens on all platforms, not just macOS. This issue is currently blocking drivers from testing against the latest version of the server.