Documentation project issue DOCS-13339

CAFile (maybe) needed for SSL enabled servers

      Description

      https://docs.mongodb.com/manual/tutorial/configure-ssl/#set-up-mongod-and-mongos-with-tls-ssl-certificate-and-key

      The manual page on configuring SSL suggests that the CAFile option is not needed for the basic configuration, only if configuring the server to use client certificates. I recently configured a MongoDB server with a commercial "real" SSL certificate, and I'm pretty sure the CAFile was required to make it work at all.

      The specific error was

      connection attempt failed: SSLHandshakeFailed: SSL peer certificate validation failed: unable to get local issuer certificate :
      

      The way I understand it, the CAFile is needed to establish the chain between the certificateKeyFile and whatever root certificates are installed on the operating system and recognized by OpenSSL. Therefore it is somewhat operating-system dependent whether the issuer of a certificateKeyFile is directly trusted by a given operating system, but in the general case it is not; rather, the CAFile bridges the gap from one to the other.
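As an added example (not text from the ticket or from the MongoDB manual), here is a pair of mongod.conf documents illustrating the situation the report describes. The first lists only certificateKeyFile; when that certificate was issued through an intermediate CA that the peer does not already trust, the peer cannot build the chain and fails with the "unable to get local issuer certificate" error quoted above. The second adds CAFile carrying the intermediate and root certificates. The file paths, the chain layout and the need for allowConnectionsWithoutCertificates on a server that does no client-certificate authentication are assumptions for this example.

```yaml
# Added example, not from the ticket or the MongoDB manual.
# Assumed paths: /etc/ssl/mongodb/server.pem holds the leaf certificate plus its
# private key (issued by a commercial CA through an intermediate);
# /etc/ssl/mongodb/ca-chain.pem holds the issuing intermediate and root
# certificates, PEM encoded and concatenated.

# --- Incomplete: the basic setup with the certificate and key only ---
# A peer that receives just the leaf certificate, and does not already trust the
# intermediate, rejects the handshake with
# "SSL peer certificate validation failed: unable to get local issuer certificate".
net:
  tls:
    mode: requireTLS
    certificateKeyFile: /etc/ssl/mongodb/server.pem
---
# --- Corrected: CAFile supplies the intermediate(s) that link the leaf to a root ---
net:
  tls:
    mode: requireTLS
    certificateKeyFile: /etc/ssl/mongodb/server.pem
    CAFile: /etc/ssl/mongodb/ca-chain.pem
    # Configuring CAFile also makes mongod validate certificates presented by
    # clients. This server is assumed not to use client-certificate
    # authentication, so clients that present no certificate must still be
    # admitted; omit this line for a deployment that requires client certificates.
    allowConnectionsWithoutCertificates: true
```

The chain file is built by concatenating the intermediate and root PEM files the CA provides, intermediate first. Before restarting mongod, the chain can be checked offline with `openssl verify -CAfile /etc/ssl/mongodb/ca-chain.pem /etc/ssl/mongodb/server.pem`; if that command reports the same "unable to get local issuer certificate" error, the chain file is missing an issuer and the server configuration will fail the same way.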


      Assignee: Unassigned
      Reporter: Henrik Ingo (henrik.ingo@mongodb.com) (Inactive)
      Votes: 0
      Watchers: 8
      Updated: 1 year, 25 weeks, 3 days ago