- Type: Bug
- Resolution: Won't Do
- Priority: Major - P3
- Affects Version/s: None
- Labels:
Description
The manual page on configuring SSL suggests that the CAFile option is not needed for the basic configuration, only if configuring the server to use client certificates. I recently configured a MongoDB server with a commercial "real" SSL certificate, and I'm pretty sure the CAFile was required to make it work at all.
The specific error was
connection attempt failed: SSLHandshakeFailed: SSL peer certificate validation failed: unable to get local issuer certificate :
The way I understand it, the CAFile is needed to establish the chain between the certificateKeyFile and whatever root certificates are installed on the operating system and recognized by OpenSSL. Therefore it is somewhat operating-system dependent whether the issuer of a certificateKeyFile is directly trusted by a given operating system, but in the general case it is not, and the CAFile bridges the gap from one to the other.
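The chain-building behaviour described in the report can be reproduced with the OpenSSL command line alone. The script below is an added example, not part of the ticket or of MongoDB's own code: it constructs a throwaway root CA, an intermediate CA and a server certificate (all names such as "Example Root CA" and "mongo.example.test" are made up), then runs `openssl verify` the way a peer would validate the server certificate. With only the root in the trusted bundle the verifier reports exactly the error quoted above, "unable to get local issuer certificate", because nothing connects the leaf to the root. Two things make it pass: adding the intermediate to the trusted bundle (the role a CAFile plays), or having the server present the intermediate alongside its own certificate (modelled here with `-untrusted`, which is the role of a chain-complete PEM file). It assumes the `openssl` binary is on the PATH.

```shell
#!/bin/sh
# Added example: show why a verifier fails with "unable to get local issuer
# certificate" when the intermediate CA is missing, and what fixes it.
set -e
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Minimal req config so the script does not depend on a system openssl.cnf.
cat >"$WORK/req.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
default_md = sha256
x509_extensions = ca_ext
[ dn ]
CN = placeholder
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >"$WORK/ca.ext"
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:mongo.example.test\n' >"$WORK/leaf.ext"

build_chain() {
  # Constructed test PKI: root -> intermediate -> server leaf (all names made up).
  openssl req -x509 -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes \
    -keyout "$WORK/root.key" -out "$WORK/root.crt" -subj "/CN=Example Root CA" -days 2 >/dev/null 2>&1
  openssl req -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes \
    -keyout "$WORK/int.key" -out "$WORK/int.csr" -subj "/CN=Example Intermediate CA" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" -CAcreateserial \
    -out "$WORK/int.crt" -days 2 -extfile "$WORK/ca.ext" >/dev/null 2>&1
  openssl req -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" -subj "/CN=mongo.example.test" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/int.crt" -CAkey "$WORK/int.key" -CAcreateserial \
    -out "$WORK/server.crt" -days 2 -extfile "$WORK/leaf.ext" >/dev/null 2>&1
  # A CAFile-style bundle: intermediate plus root, so the verifier can bridge the gap.
  cat "$WORK/int.crt" "$WORK/root.crt" >"$WORK/bundle.pem"
}

verify_result() {
  # $1 = trusted CA bundle (the CAFile role); $2 = optional certificate(s) the
  # peer presents alongside its own (the chain-in-certificateKeyFile role).
  # Echoes "OK", the specific issuer error, or "other failure".
  ca="$1"; presented="${2:-}"
  if [ -n "$presented" ]; then
    set -- -CAfile "$ca" -untrusted "$presented"
  else
    set -- -CAfile "$ca"
  fi
  if openssl verify "$@" "$WORK/server.crt" >"$WORK/verify.out" 2>&1; then
    echo "OK"
  elif grep -q 'unable to get local issuer certificate' "$WORK/verify.out"; then
    echo "unable to get local issuer certificate"
  else
    echo "other failure"
  fi
}

build_chain
echo "root only, no intermediate anywhere : $(verify_result "$WORK/root.crt")"
echo "root + intermediate in CA bundle    : $(verify_result "$WORK/bundle.pem")"
echo "root only, peer presents intermediate: $(verify_result "$WORK/root.crt" "$WORK/int.crt")"
```

The first line of output is the failure from the ticket; the second and third are the two ways the gap gets closed. Which one applies to a given MongoDB deployment depends on whether the intermediate is shipped in the CA bundle or in the server's own PEM file, which is the distinction the ticket is asking the documentation to make clear.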