MongoDB connecting over SSL: What am I doing wrong?

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP


MongoDB connecting over SSL: What am I doing wrong?



Overview: I have an application server running PHP 7, connecting to a separate database server running MongoDB 3.6.x using the MongoDB PHP userland library. I have firewall rules preventing access to the MongoDB server from all sources except the local and private interfaces (i.e. disallowing public IP access).



Connections via PHP look something like this:


$context_information = array(
"ssl" => array(
"allow_self_signed" => false,
"verify_peer" => true,
"verify_peer_name" => true,
"verify_expiry" => true,
"cafile" => "/path/to/ca_bundle"
));

$context = stream_context_create($context_information);
$connection = new MongoDBClient(
$host,
array('ssl'=>true),
array('context'=> $context)
);



My MongoDB configuration looks something like this:


net:
port: 27017
bindIp: 127.0.0.1,10.138.196.241
ssl:
mode: requireSSL
PEMKeyFile: /path/to/my_ca_signed_cert
CAFile: /path/to/my_ca_bundle



my_ca_signed_cert is a .pem file generated using my openssl-generated RSA private key, as well as the CA-provided .crt file, in the manner described in the MongoDB manual, e.g. cat mongodb.key mongodb.crt > mongodb.pem. my_ca_bundle is the .ca-bundle provided to me by the CA.


my_ca_signed_cert


.pem


.crt


cat mongodb.key mongodb.crt > mongodb.pem


my_ca_bundle


.ca-bundle



Additionally, the ca_bundle described in the PHP context is the same .ca-bundle file as in the MongoDB config.


ca_bundle


.ca-bundle



Problem: I continue to receive the following error:



[23-Jul-2018 16:33:33 America/Los_Angeles] PHP Fatal error: Uncaught MongoDBDriverExceptionConnectionTimeoutException: No suitable servers found (serverSelectionTryOnce set): [TLS handshake failed: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed calling ismaster on. . .


serverSelectionTryOnce



This issue persists even if I comment out the CAFile line for the MongoDB config. Also of note is that I can connect successfully when setting allow_self_signed to true if CAFile is commented out, but not when it's left uncommented.


CAFile


allow_self_signed


true


CAFile



Finally, when attempting to connect via the MongoDB shell, I get the following error:



2018-07-23T23:37:02.992+0000 E NETWORK [thread1] SSL peer certificate validation failed: unable to get issuer certificate



2018-07-23T23:37:02.992+0000 E QUERY [thread1] Error: socket exception [CONNECT_ERROR] for SSL peer certificate validation failed: unable to get issuer certificate :



connect@src/mongo/shell/mongo.js:251:13



@(connect):1:6



exception: connect failed



Expected Behavior: I don't want to use client certificate authentication for connecting to the database. All I want at present is for traffic to be encrypted. This means being able to connect to the database without allowing self-signed certificates.



Notes:



I have a cert set up successfully on the application server for HTTPS connectivity. Additionally, when testing the cert referenced in this question itself, I've successfully run verification on the files using openssl verify -CAfile /path/to/my_ca_bundle /path/to/my_ca_signed_cert.


openssl verify -CAfile /path/to/my_ca_bundle /path/to/my_ca_signed_cert



Everything in my application code works when SSL is disabled or when enabled while allowing self-signed certs.



The documentation on all of this is incredibly vague on a number of points, so I'm not sure where my configuration is going wrong. What should I be looking into to resolve this problem?



This question has not received enough attention.



This question has received no answers or discussion. Expected is an answer that satisfies the requirements of the problem space, specifically establishing TLS/SSL connections to a MongoDB server with certificate validation (without client-side certificate authentication).









By clicking "Post Your Answer", you acknowledge that you have read our updated terms of service, privacy policy and cookie policy, and that your continued use of the website is subject to these policies.

-

Popular posts from this blog

Makefile test if variable is not empty

Makefile test if variable is not empty In a makefile I'm trying to I've created this simplified makefile to demonstrate my problem. Neither make a or make b executes the body of the if, I don't understand why not. make a make b .PHONY: a b a: $(eval MY_VAR = $(shell echo whatever)) @echo MY_VAR is $(MY_VAR) $(info $(MY_VAR)) ifneq ($(strip $(MY_VAR)),) @echo "should be executed" endif @echo done b: $(eval MY_VAR = $(shell echo '')) @echo MY_VAR is $(MY_VAR) $(info $(MY_VAR)) ifneq ($(strip $(MY_VAR)),) @echo "should not be executed" endif @echo done I'm using $ make --version GNU Make 3.81 There are several problems, and misunderstandings. Your MY_VAR is a make variable, set it without a <tab> to its value, and no need to $(eval ...) . MY_VAR:=$(shell echo whatever) is enough. No <tab> before $(info ...) neither, this is make – Zelnes
Read more

Will Oldham

Image
"Palace Music" redirects here. For the racehorse, see Palace Music (horse). Bonnie 'Prince' Billy Will Oldham, June 6, 2009 Background information Birth name William Oldham Also known as Palace Brothers Palace Music Bonnie 'Prince' Billy Born ( 1970-12-24 ) December 24, 1970 (age 47) Louisville, Kentucky, United States Genres Folk alternative country country freak folk [1] Years active 1993–present Labels Drag City, Domino, Spunk Associated acts Dawn McCarthy, The Cairo Gang, Mekons, Matt Sweeney, Mick Turner, Tortoise, Trembling Bells, Harem Scarem, The Picket Line, Alex Neilson, Björk, Slint Website www.bonnieprincebilly.com Will Oldham (born December 24, 1970), better known by the stage name Bonnie 'Prince' Billy , is an American singer-songwriter and actor. From 1993 to 1997, he performed and recorded under variations of the Palace name, including the Palace Brothers, Palace Songs, and Palace Music. After releasing material under his own name,
Read more

'Series' object is not callable Error / Statsmodels illegal variable name

Image
Clash Royale CLAN TAG #URR8PPP 'Series' object is not callable Error / Statsmodels illegal variable name Update: You can download my dataset here. I am running a simple OLS regression with statsmodels and pandas dataframe as following: import statsmodels.formula.api as sm import pandas as pd df=pd.read_csv("exp.csv") #df is a dataframe that I have containing many variable names such as AAPL, SPY, INF, etc. for column in df: result=sm.ols(formula="SPY"+" ~ "+column, data=df).fit() However, one of the column name in df is INF . I guess maybe INF is a reserved word for pasty, the code gives me the following error: INF INF Traceback (most recent call last): File "<stdin>", line 1, in <module> File "/home/ap248/.local/easybuild/software/2017/Core/miniconda2/4.3.27/lib/python2.7/site-packages/statsmodels/base/model.py", line 155, in from_formula missing=missing) File "/home/ap248/.local/easybuild/softw
Read more