Core Server / SERVER-72234

System-wide CA certificate store not used

    • Type: Bug
    • Resolution: Done
    • Priority: Minor - P4
    • None
    • Affects Version/s: 6.0.3
    • Component/s: None
    • Server Security
    • ALL
    • Security 2023-01-23

      My configuration looks like this:


      net:
        port: 27019
        bindIpAll: true
        ipv6: true
        tls:
          mode: preferTLS
          certificateKeyFile: /home/mongod/mipmdb.pem
          clusterCAFile: /etc/ssl/certs/ca-bundle.crt
          allowConnectionsWithoutCertificates: true
      
      security:
        authorization: enabled
        keyFile: /home/mongod/.mongo.key

      Documentation says:

      If --tlsCAFile or tls.CAFile is not specified and you are not using x.509 authentication, the system-wide CA certificate store will be used when connecting to a TLS-enabled server.

      If using x.509 authentication, --tlsCAFile or tls.CAFile must be specified unless using --tlsCertificateSelector.


      Despite this, the log file shows this warning at startup:

      {
          "t": {"$date": "2022-12-19T08:37:18.220+01:00"},
          "s": "W",
          "c": "CONTROL",
          "id": 22133,
          "ctx": "initandlisten",
          "msg": "No client certificate validation can be performed since no CA file has been provided. Please specify an sslCAFile parameter"
      }

      So either the documentation is wrong, or mongod failed to use the system-wide CA certificate store.
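As an added check, not part of this issue or of MongoDB's own tooling: the Python below audits a mongod configuration for the situation the report describes (TLS enabled, no net.tls.CAFile, only clusterCAFile) and scans structured JSON log lines for the warning id 22133 quoted above. The configuration is embedded as the dict that yaml.safe_load() would return for the reporter's mongod.conf, so PyYAML is not needed to run it; the sample log lines around the quoted warning are constructed, and the finding texts reflect the observation in this report rather than a statement of how mongod resolves the issue.

```python
import json

# Constructed sample: the reporter's mongod.conf as the dict yaml.safe_load()
# would return for it (so this runs without PyYAML installed).
REPORTED_CONFIG = {
    "net": {
        "port": 27019,
        "bindIpAll": True,
        "ipv6": True,
        "tls": {
            "mode": "preferTLS",
            "certificateKeyFile": "/home/mongod/mipmdb.pem",
            "clusterCAFile": "/etc/ssl/certs/ca-bundle.crt",
            "allowConnectionsWithoutCertificates": True,
        },
    },
    "security": {"authorization": "enabled", "keyFile": "/home/mongod/.mongo.key"},
}

# Constructed sample log: the warning quoted in the report between two
# unrelated startup lines (ids and messages of those two are made up).
SAMPLE_LOG = """\
{"t":{"$date":"2022-12-19T08:37:18.100+01:00"},"s":"I","c":"CONTROL","id":90001,"ctx":"initandlisten","msg":"constructed sample line"}
{"t":{"$date":"2022-12-19T08:37:18.220+01:00"},"s":"W","c":"CONTROL","id":22133,"ctx":"initandlisten","msg":"No client certificate validation can be performed since no CA file has been provided. Please specify an sslCAFile parameter"}
{"t":{"$date":"2022-12-19T08:37:18.300+01:00"},"s":"I","c":"NETWORK","id":90002,"ctx":"listener","msg":"constructed sample line"}
"""

NO_CA_WARNING_ID = 22133  # log id of the warning quoted in the report


def audit_tls_config(cfg):
    """Return a list of findings about the net.tls section of a mongod config dict."""
    tls = cfg.get("net", {}).get("tls", {})
    findings = []
    if tls.get("mode", "disabled") == "disabled":
        return findings  # TLS off: the CA-file options are irrelevant
    has_ca = "CAFile" in tls
    has_selector = "certificateSelector" in tls
    if not has_ca and not has_selector:
        findings.append(
            "net.tls.CAFile is not set: mongod cannot validate client certificates "
            f"and logs warning id {NO_CA_WARNING_ID} at startup"
        )
        if "clusterCAFile" in tls:
            findings.append(
                "net.tls.clusterCAFile is set without net.tls.CAFile; in the report "
                "this combination still produced the warning"
            )
    if tls.get("allowConnectionsWithoutCertificates") and not has_ca:
        findings.append(
            "allowConnectionsWithoutCertificates is true and no CA file is configured: "
            "clients need not present a certificate, and one they do present cannot be validated"
        )
    return findings


def find_no_ca_warnings(log_text):
    """Return (timestamp, msg) for every JSON log line carrying the no-CA warning id."""
    hits = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip anything that is not a structured log line
        if rec.get("s") == "W" and rec.get("id") == NO_CA_WARNING_ID:
            hits.append((rec["t"]["$date"], rec["msg"]))
    return hits


if __name__ == "__main__":
    for f in audit_tls_config(REPORTED_CONFIG):
        print("config:", f)
    for ts, msg in find_no_ca_warnings(SAMPLE_LOG):
        print("log:", ts, msg)
```

In practice, load the real file with `yaml.safe_load(open("/etc/mongod.conf"))` and feed mongod's log file to `find_no_ca_warnings`; the config audit flags the gap before startup, and the log scan confirms whether the running instance actually emitted the warning.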


            Assignee:
            yuan.fang@mongodb.com Yuan Fang
            Reporter:
            wernfried.domscheit@sunrise.net Wernfried Domscheit
            Votes:
            0
            Watchers:
            6
