Uploaded image for project: 'Core Server'
  1. Core Server
  2. SERVER-45015

Mongo Shell fails to connect with CSSMERR_TP_CERT_SUSPENDED error

    • Type: Icon: Bug Bug
    • Resolution: Community Answered
    • Priority: Icon: Major - P3 Major - P3
    • None
    • Affects Version/s: 4.2.0
    • Component/s: Shell
    • None
    • ALL
    • Hide

      Set up a TLS secured MongoDB Cluster that verifies both client and server certificates. Try connecting with mongo shell 4.2.0 from MacOSX 10.15.1

      Show
      Set up a TLS secured MongoDB Cluster that verifies both client and server certificates. Try connecting with mongo shell 4.2.0 from MacOSX 10.15.1
    • Security 2019-12-30, Security 2019-01-13, Security 2019-01-27

      Connecting to a TLS Secured MongoDB remote instance from MacOSX 10.15.1 via the mongo shell fails with the following error:

      2019-12-08T10:31:11.760+0100 D1 NETWORK  [main] Client Certificate Name: CN=client,O=Company,ST=Germany,C=DE
      
      MongoDB shell version v4.2.0
      
      connecting to: mongodb://localhost:27017/mongo?authSource=admin&compressors=disabled&gssapiServiceName=mongodb
      
      2019-12-08T10:31:11.798+0100 D1 NETWORK  [js] creating new connection to:localhost:27017
      
      2019-12-08T10:31:11.997+0100 D1 -        [js] User Assertion: UnsupportedFormat: Invalid IP address in CIDR string src/mongo/util/net/cidr.cpp 116
      
      2019-12-08T10:31:12.023+0100 E  NETWORK  [js] SSL peer certificate validation failed: Certificate trust failure: CSSMERR_TP_CERT_SUSPENDED; connection rejected
      
      2019-12-08T10:31:12.023+0100 D1 -        [js] User Assertion: SSLHandshakeFailed: SSL peer certificate validation failed: Certificate trust failure: CSSMERR_TP_CERT_SUSPENDED; connection rejected src/mongo/transport/session_asio.h 251
      
      2019-12-08T10:31:12.023+0100 D1 -        [js] User Assertion: InternalError: couldn't connect to server localhost:27017, connection attempt failed: SSLHandshakeFailed: SSL peer certificate validation failed: Certificate trust failure: CSSMERR_TP_CERT_SUSPENDED; connection rejected src/mongo/scripting/mozjs/mongo.cpp 832
      
      2019-12-08T10:31:12.023+0100 E  QUERY    [js] Error: couldn't connect to server localhost:27017, connection attempt failed: SSLHandshakeFailed: SSL peer certificate validation failed: Certificate trust failure: CSSMERR_TP_CERT_SUSPENDED; connection rejected :
      
      connect@src/mongo/shell/mongo.js:341:17
      
      @(connect):2:6
      
      2019-12-08T10:31:12.023+0100 D1 -        [js] User Assertion: Location12513: connect failed src/mongo/shell/shell_utils.cpp 416
      
      2019-12-08T10:31:12.023+0100 I  QUERY    [js] MozJS GC prologue heap stats -  total: 4033838 limit: 0
      
      2019-12-08T10:31:12.026+0100 I  QUERY    [js] MozJS GC epilogue heap stats -  total: 14 limit: 0
      
      2019-12-08T10:31:12.026+0100 D1 -        [main] User Assertion: Location12513: connect failed src/mongo/scripting/mozjs/proxyscope.cpp 320
      
      2019-12-08T10:31:12.026+0100 F  -        [main] exception: connect failed
      
      2019-12-08T10:31:12.026+0100 E  -        [main] exiting with code 1
      
      

      This is the redacted command used:

      `mongo --host $HOSTNAME --port $PORT --username $USER --password $PASSWORD --authenticationDatabase admin --tls --tlsCertificateKeyFile $CLIENTKEY --tlsCAFile $CA_CERTIFICATE`
      

      The connection works with the same parameters when executed directly on the Ubuntu 18.04 server. It works as well when specifying the exact same certificates and authentication details using Compass running on MacOS.

      Downgrading to mongo v3.6.14 and using --ssl, --sslPEMKeyFile and --sslCAFile in place of the respective tls flags works as well.

            Assignee:
            spencer.jackson@mongodb.com Spencer Jackson
            Reporter:
            jascha.brinkmann+mongodb@gmail.com Jascha Brinkmann
            Votes:
            0 Vote for this issue
            Watchers:
            9 Start watching this issue

              Created:
              Updated:
              Resolved: