- Type: Bug
- Resolution: Done
- Priority: Minor - P4
- None
- Affects Version/s: 6.0.3
- Component/s: None
- Server Security
- ALL
- Security 2023-01-23
My configuration looks like this:

    net:
      port: 27019
      bindIpAll: true
      ipv6: true
      tls:
        mode: preferTLS
        certificateKeyFile: /home/mongod/mipmdb.pem
        clusterCAFile: /etc/ssl/certs/ca-bundle.crt
        allowConnectionsWithoutCertificates: true
    security:
      authorization: enabled
      keyFile: /home/mongod/.mongo.key

Documentation says:

    If --tlsCAFile or tls.CAFile is not specified and you are not using x.509 authentication, the system-wide CA certificate store will be used when connecting to a TLS-enabled server.
    If using x.509 authentication, --tlsCAFile or tls.CAFile must be specified unless using --tlsCertificateSelector.

Despite this, the logfile shows this warning at startup:

    { "t": {"$date": "2022-12-19T08:37:18.220+01:00"}, "s": "W", "c": "CONTROL", "id": 22133, "ctx": "initandlisten", "msg": "No client certificate validation can be performed since no CA file has been provided. Please specify an sslCAFile parameter" }

So, either the documentation is wrong, or mongod failed to use the system-wide CA certificate store.
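Added example, not part of the ticket and not MongoDB's own code: a small Python check that parses the net/security sections of a mongod.conf and flags a TLS-enabled configuration that sets no net.tls.CAFile, which is the situation the reporter hit (clusterCAFile present, CAFile absent, warning 22133 at startup). The YAML parser handles only the nested key/value subset mongod.conf uses; the sample configuration is the one quoted above, and the corrected variant that points CAFile at /etc/ssl/certs/ca-bundle.crt is an assumption about the intended fix.

```python
"""Audit the net.tls section of a mongod.conf for a missing CAFile."""
from __future__ import annotations

# Constructed sample: the reporter's configuration, laid out as YAML.
REPORTED_CONF = """\
net:
  port: 27019
  bindIpAll: true
  ipv6: true
  tls:
    mode: preferTLS
    certificateKeyFile: /home/mongod/mipmdb.pem
    clusterCAFile: /etc/ssl/certs/ca-bundle.crt
    allowConnectionsWithoutCertificates: true
security:
  authorization: enabled
  keyFile: /home/mongod/.mongo.key
"""

# Constructed sample: the same file with net.tls.CAFile set explicitly
# (hypothetical fix; the CA bundle path is assumed, not taken from the ticket).
FIXED_CONF = REPORTED_CONF.replace(
    "    clusterCAFile:",
    "    CAFile: /etc/ssl/certs/ca-bundle.crt\n    clusterCAFile:",
)


def _scalar(value: str):
    """Convert YAML-style scalars: booleans and integers, everything else a string."""
    if value in ("true", "false"):
        return value == "true"
    return int(value) if value.isdigit() else value


def parse_simple_yaml(text: str) -> dict:
    """Parse the nested key/value subset of YAML that mongod.conf uses.

    Mappings and scalars only (no lists, anchors or quoting); enough for the
    net/security sections shown in the ticket, not a general YAML parser."""
    root: dict = {}
    stack = [(-1, root)]  # (indent, mapping) for each open nesting level
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        key, _, value = raw.strip().partition(":")
        value = value.strip()
        while indent <= stack[-1][0]:  # close levels deeper than this line
            stack.pop()
        parent = stack[-1][1]
        if value == "":  # "key:" with nothing after it opens a nested mapping
            child: dict = {}
            parent[key] = child
            stack.append((indent, child))
        else:
            parent[key] = _scalar(value)
    return root


def audit_tls(conf: dict) -> list[str]:
    """Return findings about net.tls; an empty list means nothing was flagged."""
    tls = conf.get("net", {}).get("tls", {})
    mode = tls.get("mode", "disabled")
    findings: list[str] = []
    if mode == "disabled":
        return findings
    if "certificateKeyFile" not in tls:
        findings.append(f"net.tls.mode is {mode} but certificateKeyFile is not set")
    if "CAFile" not in tls:
        msg = ("net.tls.CAFile is not set: mongod 6.0.3 logs warning 22133 "
               "('No client certificate validation can be performed ...')")
        if "clusterCAFile" in tls:
            # The ticket's config had clusterCAFile and still produced the warning.
            msg += "; clusterCAFile alone did not prevent this in the reported case"
        if tls.get("allowConnectionsWithoutCertificates") is True:
            msg += ("; with allowConnectionsWithoutCertificates: true a client "
                    "without a certificate is admitted and one with a certificate "
                    "cannot be validated")
        findings.append(msg)
    if mode == "preferTLS":
        findings.append("net.tls.mode preferTLS still accepts non-TLS client connections")
    return findings


if __name__ == "__main__":
    for label, text in (("reported", REPORTED_CONF), ("fixed", FIXED_CONF)):
        print(label)
        for finding in audit_tls(parse_simple_yaml(text)) or ["no findings"]:
            print("  -", finding)
```

The check only reports what the configuration file says; it does not tell you what the running mongod actually verifies, so pair it with the startup log and the related tickets below.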
- is related to:
  - SERVER-72839 Server skips peer certificate validation if neither CAFile nor clusterCAFile is provided (Closed)
  - SERVER-72846 Fix misleading startup warning about client certificate validation (Closed)