Core Server / SERVER-90267

Server doesn't validate custom CA with tlsUseSystemCA parameter

    • Type: Bug
    • Resolution: Cannot Reproduce
    • Priority: Minor - P4
    • Affects Version/s: 5.0.25
    • Component/s: None
    • Server Security
    • ALL
    • Security 2024-05-27, Security 2024-06-10, Security 2024-06-24, Security 2024-07-08, Security 2024-07-22, Security 2024-08-19, Security 2024-09-02, Security 2024-09-16, Security 2024-09-30, Security 2024-10-14

      Starting from server version 5.0.25, after including the parameter tlsUseSystemCA in the start script we started getting "peer validation failed" when a custom CA chain was imported into the Ubuntu 20.04 system key store.

      As a workaround we put the following configuration item into mongod.conf:

      CAFile: /etc/ssl/certs/ca-certificates.crt

      As the /etc/ssl/certs/ca-certificates.crt file belongs to the OS key store, the certificate chain is complete and the problem is in the tlsUseSystemCA parameter, which doesn't read the OS key store in the right way.

      To confirm the theory, here is a log with tlsUseSystemCA (cafile empty):

      {"t":{"$date":"2024-04-29T07:56:20.191+00:00"},"s":"I",  "c":"CONTROL",  "id":20698,   "ctx":"-","msg":"***** SERVER RESTARTED *****"}
      {"t":{"$date":"2024-04-29T07:56:20.195+00:00"},"s":"D1", "c":"NETWORK",  "id":5771602, "ctx":"-","msg":"Loading ocsp store","attr":{"cafile":""}}
      

      And with CAFile set to /etc/ssl/certs/ca-certificates.crt (cafile is being set):

      {"t":{"$date":"2024-04-29T11:17:15.351+00:00"},"s":"I",  "c":"CONTROL",  "id":20698,   "ctx":"-","msg":"***** SERVER RESTARTED *****"}
      {"t":{"$date":"2024-04-29T11:17:15.367+00:00"},"s":"D1", "c":"NETWORK",  "id":5771602, "ctx":"-","msg":"Loading ocsp store","attr":{"cafile":"/etc/ssl/certs/ca-certificates.crt"}}
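A check that separates the two usual causes of "peer validation failed" (the trust bundle lacks the custom CA, or the server is not sending its intermediate), given here as an added example; it is not the reporter's or MongoDB's code. It builds a throwaway root -> intermediate -> server chain with the openssl CLI in a temporary directory and verifies the server certificate against three constructed trust bundles that stand in for /etc/ssl/certs/ca-certificates.crt; the intermediate file plays the role of the chain mongod sends from its certificateKeyFile. The only assumption is that the openssl command-line tool is installed; the names Example Root CA, Example Intermediate CA, mongo.example.test and the bundle_*.crt files are made up for the demonstration.

```shell
#!/bin/sh
# Added example (not from the ticket or from MongoDB): reproduce, with a constructed toy
# CA chain, the two ways a server certificate fails to chain to a trust bundle.
# Everything is written to a temp dir; nothing touches the real system store.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Extensions for the intermediate: openssl only treats a non-self-signed issuer as a CA
# when basicConstraints says CA:TRUE.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > int.ext

# Root CA (self-signed), intermediate CA signed by the root, server leaf signed by the
# intermediate. All keys are throwaway 2048-bit RSA keys generated on the fly.
openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj '/CN=Example Root CA' \
  -keyout root.key -out root.crt >/dev/null 2>&1
openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Example Intermediate CA' \
  -keyout int.key -out int.csr >/dev/null 2>&1
openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -set_serial 2 -days 2 \
  -extfile int.ext -out int.crt >/dev/null 2>&1
openssl req -new -newkey rsa:2048 -nodes -subj '/CN=mongo.example.test' \
  -keyout srv.key -out srv.csr >/dev/null 2>&1
openssl x509 -req -in srv.csr -CA int.crt -CAkey int.key -set_serial 3 -days 2 \
  -out srv.crt >/dev/null 2>&1

# Constructed trust bundles standing in for /etc/ssl/certs/ca-certificates.crt:
# root only (only the root was installed), root + intermediate (the complete chain was
# installed), and an unrelated CA (the custom chain never made it into the bundle).
cp root.crt bundle_root_only.crt
cat root.crt int.crt > bundle_full.crt
openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj '/CN=Unrelated CA' \
  -keyout other.key -out bundle_unrelated.crt >/dev/null 2>&1

# verify_leaf BUNDLE [UNTRUSTED]: exit 0 if srv.crt chains to a CA in BUNDLE, using the
# optional UNTRUSTED file as the intermediates the server would send in its handshake.
verify_leaf() {
  bundle=$1
  shift
  if [ "$#" -gt 0 ]; then
    openssl verify -CAfile "$bundle" -untrusted "$1" srv.crt >/dev/null 2>&1
  else
    openssl verify -CAfile "$bundle" srv.crt >/dev/null 2>&1
  fi
}

# bundle_subjects BUNDLE: one "subject=..." line per certificate in a PEM bundle, to
# confirm the custom CA is really in the file that tlsUseSystemCA or CAFile should read.
bundle_subjects() {
  openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout | grep '^subject'
}

# When run directly: show which combinations verify.
for b in bundle_root_only.crt bundle_full.crt bundle_unrelated.crt; do
  if verify_leaf "$b"; then r=OK; else r=FAIL; fi
  if verify_leaf "$b" int.crt; then u=OK; else u=FAIL; fi
  printf '%-24s leaf alone: %-4s  leaf + intermediate sent: %s\n' "$b" "$r" "$u"
done
```

Reading the result: if the root-only bundle fails for the leaf alone but passes once the intermediate is supplied, the fix is on the server side (serve the intermediate in the PEM mongod presents), not in the trust store; if the full bundle fails, use bundle_subjects on the real /etc/ssl/certs/ca-certificates.crt to confirm that update-ca-certificates actually picked the custom CA up from /usr/local/share/ca-certificates. The same openssl verify call with -CAfile /etc/ssl/certs/ca-certificates.crt against the real mongod certificate is exactly what the workaround in the description relies on, since net.tls.CAFile reads that file directly.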
      

            Assignee: Brad Moore (brad.moore@mongodb.com)
            Reporter: Aleksej Barkhanov (barhanow@gmail.com)
            Votes: 0
            Watchers: 4