-
Type:
Bug
-
Resolution: Done
-
Priority:
Minor - P4
-
None
-
Affects Version/s: 6.0.3
-
Component/s: None
-
Server Security
-
ALL
-
Security 2023-01-23
My configuration look like this:
net: port: 27019 bindIpAll: true ipv6: true tls: mode: preferTLS certificateKeyFile: /home/mongod/mipmdb.pem clusterCAFile: /etc/ssl/certs/ca-bundle.crt allowConnectionsWithoutCertificates: true security: authorization: enabled keyFile: /home/mongod/.mongo.key
Documentation says:
If --tlsCAFile or tls.CAFile is not specified and you are not using x.509 authentication, the system-wide CA certificate store will be used when connecting to an TLS-enabled server.
If using x.509 authentication, -tlsCAFile or tls.CAFile must be specified unless using -tlsCertificateSelector.
Despite the logfile shows this warning at startup:
{
"t": {"$date": "2022-12-19T08:37:18.220+01:00"},
"s": "W",
"c": "CONTROL",
"id": 22133,
"ctx": "initandlisten",
"msg": "No client certificate validation can be performed since no CA file has been provided. Please specify an sslCAFile parameter"
}
So, either documentation is wrong, or mongod failed to use the system-wide CA certificate store
- is related to
-
-
- Closed
-
-
-
- Closed
-