No subject alternative names matching IP address // Subject Alternative Name only DNS entry

XMLWordPrintableJSON

    • Type: Task
    • Resolution: Done
    • Priority: Major - P3
    • None
    • Affects Version/s: 3.2.1
    • Component/s: Connection Management
    • None
    • Environment:
      Windows, Linux
    • None
    • None
    • None
    • None
    • None
    • None
    • None

      Hello,

      I´m trying to connect to a mongod instance on CentOS with the Java driver from my windows-pc. The mongod is configured as follows:

         ssl:
    mode: requireSSL
    PEMKeyFile: /tmp/ssl/mongodb.pem
    CAFile: /tmp/ssl/cert-chain.pem
    allowConnectionsWithoutCertificates: true

      A connection from my windows with the commandline works:

      mongod <server:port> --ssl --sslCAFile <certicate-ca>

      Also from MongoChef, but I get an exception when I try to execute the following snippet:

      MongoClientOptions clientOptions = MongoClientOptions.builder().sslEnabled(true).sslInvalidHostNameAllowed(false).build();
MongoClient mongoClient = new MongoClient("<mongod-dnsname>", clientOptions);

MongoDatabase db = mongoClient.getDatabase("test");
MongoCollection<Document> collection = db.getCollection("testColl");

System.out.println(collection.count());

      The stacktrace is:

      2016-05-03 08:02:28,004 INFO  cluster: Cluster created with settings {hosts=[<mongod-dnsname>], mode=SINGLE, requiredClusterType=UNKNOWN, serverSelectionTimeout='30000 ms', maxWaitQueueSize=500}
2016-05-03 08:02:28,086 DEBUG cluster: Updating cluster description to  {type=UNKNOWN, servers=[{address=<mongod-dnsname>, type=UNKNOWN, state=CONNECTING}]
2016-05-03 08:02:28,132 INFO  cluster: No server chosen by ReadPreferenceServerSelector{readPreference=primary} from cluster description ClusterDescription{type=UNKNOWN, connectionMode=SINGLE, all=[ServerDescription{address=<mongod-dnsname>, type=UNKNOWN, state=CONNECTING}]}. Waiting for 30000 ms before timing out
2016-05-03 08:02:28,147 DEBUG connection: Closing connection connectionId{localValue:1}
2016-05-03 08:02:28,149 DEBUG connection: Closing connection connectionId{localValue:1}
2016-05-03 08:02:28,150 INFO  cluster: Exception in monitor thread while connecting to server <mongod-dnsname>
com.mongodb.MongoSocketWriteException: Exception sending message
	at com.mongodb.connection.InternalStreamConnection.translateWriteException(InternalStreamConnection.java:462)
	at com.mongodb.connection.InternalStreamConnection.sendMessage(InternalStreamConnection.java:205)
	at com.mongodb.connection.CommandHelper.sendMessage(CommandHelper.java:89)
	at com.mongodb.connection.CommandHelper.executeCommand(CommandHelper.java:32)
	at com.mongodb.connection.InternalStreamConnectionInitializer.initializeConnectionDescription(InternalStreamConnectionInitializer.java:83)
	at com.mongodb.connection.InternalStreamConnectionInitializer.initialize(InternalStreamConnectionInitializer.java:43)
	at com.mongodb.connection.InternalStreamConnection.open(InternalStreamConnection.java:115)
	at com.mongodb.connection.DefaultServerMonitor$ServerMonitorRunnable.run(DefaultServerMonitor.java:128)
	at java.lang.Thread.run(Thread.java:745)
Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names matching IP address <mongod-ip> found
	at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
	at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
	at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
	at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
	at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1506)
	at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
	at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
	at sun.security.ssl.Handshaker.process_record(Handshaker.java:914)
	at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)
	at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
	at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:747)
	at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:123)
	at com.mongodb.connection.SocketStream.write(SocketStream.java:75)
	at com.mongodb.connection.InternalStreamConnection.sendMessage(InternalStreamConnection.java:201)
	... 7 more
Caused by: java.security.cert.CertificateException: No subject alternative names matching IP address <mongod-ip> found
	at sun.security.util.HostnameChecker.matchIP(HostnameChecker.java:167)
	at sun.security.util.HostnameChecker.match(HostnameChecker.java:93)
	at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:455)
	at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:436)
	at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:200)
	at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
	at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1488)
	... 16 more

      The certificate was also used for the application running on the same server without any trouble. It contains following SAN entry:
      X509v3 Subject Alternative Name:
      DNS:<mongod-dnsname>

            Assignee:
            Unassigned
            Reporter:
            Stefan Siegl
            None
            Votes:
            0 Vote for this issue
            Watchers:
            5 Start watching this issue

              Created:
              Updated:
              Resolved: