- Type: Bug
- Resolution: Cannot Reproduce
- Priority: Minor - P4
- None
- Affects Version/s: 5.0.25
- Component/s: None
- None
- Server Security
- ALL
- Security 2024-05-27, Security 2024-06-10, Security 2024-06-24, Security 2024-07-08, Security 2024-07-22, Security 2024-08-19, Security 2024-09-02, Security 2024-09-16, Security 2024-09-30, Security 2024-10-14
Starting from server version 5.0.25, with the parameter tlsUseSystemCA included in the start script, we start getting "peer validation failed" when a custom CA chain has been imported into the Ubuntu 20.04 system key store.
As a workaround we put the following configuration item into mongod.conf:
CAFile: /etc/ssl/certs/ca-certificates.crt
As the /etc/ssl/certs/ca-certificates.crt file belongs to the OS key store, the certificate chain is complete and the problem is in the tlsUseSystemCA parameter, which doesn't read the OS key store in the right way.
To confirm the theory, here is a log with tlsUseSystemCA (cafile empty):
{"t":{"$date":"2024-04-29T07:56:20.191+00:00"},"s":"I", "c":"CONTROL", "id":20698, "ctx":"-","msg":"***** SERVER RESTARTED *****"}
{"t":{"$date":"2024-04-29T07:56:20.195+00:00"},"s":"D1", "c":"NETWORK", "id":5771602, "ctx":"-","msg":"Loading ocsp store","attr":{"cafile":""}}
And with CAFile set to /etc/ssl/certs/ca-certificates.crt (cafile is being set):
{"t":{"$date":"2024-04-29T11:17:15.351+00:00"},"s":"I", "c":"CONTROL", "id":20698, "ctx":"-","msg":"***** SERVER RESTARTED *****"}
{"t":{"$date":"2024-04-29T11:17:15.367+00:00"},"s":"D1", "c":"NETWORK", "id":5771602, "ctx":"-","msg":"Loading ocsp store","attr":{"cafile":"/etc/ssl/certs/ca-certificates.crt"}}
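The comparison above rests on the cafile value in the "Loading ocsp store" event (log id 5771602). The following check, added here as an example and not code from the issue or from MongoDB, pulls that value out of a mongod JSON log after each restart so the CA source actually in effect can be confirmed rather than inferred from mongod.conf. It assumes the log is written in mongod's one-JSON-object-per-line format and that network verbosity is high enough to emit the D1 event, as in the excerpts quoted above; the sample logs are the two excerpts from this issue, embedded inline.

```python
import json

# Constructed samples: the two log excerpts quoted in this issue,
# one JSON event per line, exactly as mongod writes them.
SYSTEM_CA_ONLY_LOG = """\
{"t":{"$date":"2024-04-29T07:56:20.191+00:00"},"s":"I", "c":"CONTROL", "id":20698, "ctx":"-","msg":"***** SERVER RESTARTED *****"}
{"t":{"$date":"2024-04-29T07:56:20.195+00:00"},"s":"D1", "c":"NETWORK", "id":5771602, "ctx":"-","msg":"Loading ocsp store","attr":{"cafile":""}}
"""

EXPLICIT_CAFILE_LOG = """\
{"t":{"$date":"2024-04-29T11:17:15.351+00:00"},"s":"I", "c":"CONTROL", "id":20698, "ctx":"-","msg":"***** SERVER RESTARTED *****"}
{"t":{"$date":"2024-04-29T11:17:15.367+00:00"},"s":"D1", "c":"NETWORK", "id":5771602, "ctx":"-","msg":"Loading ocsp store","attr":{"cafile":"/etc/ssl/certs/ca-certificates.crt"}}
"""

LOADING_STORE_ID = 5771602  # "Loading ocsp store", carries attr.cafile


def ca_store_events(log_text):
    """Yield (timestamp, cafile) for every id-5771602 event, in log order."""
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # not a structured log line (e.g. startup banner); skip it
        if event.get("id") != LOADING_STORE_ID:
            continue
        cafile = (event.get("attr") or {}).get("cafile", "")
        yield event["t"]["$date"], cafile


def check_ca_source(log_text):
    """Classify the most recent restart's CA source.

    Returns 'explicit-cafile' when a CAFile path was loaded,
    'system-store-only' when the event fired with an empty cafile
    (the tlsUseSystemCA case reported above), or 'no-store-event'
    when the log carries no such event (e.g. verbosity too low)."""
    events = list(ca_store_events(log_text))
    if not events:
        return "no-store-event"
    _, cafile = events[-1]  # the last restart is the configuration in effect
    return "explicit-cafile" if cafile else "system-store-only"


if __name__ == "__main__":
    for name, log in (("tlsUseSystemCA only", SYSTEM_CA_ONLY_LOG),
                      ("CAFile set", EXPLICIT_CAFILE_LOG)):
        print(f"{name}: {check_ca_source(log)}")
```

On a live host the same functions can be fed the contents of the mongod log path instead of the embedded samples; the classification refers only to what the server reports loading, not to whether the chain in that source is complete.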
- depends on: SERVER-72839 Server skips peer certificate validation if neither CAFile nor clusterCAFile is provided (Closed)