Drivers / DRIVERS-2190

mongo-orchestration client.pem cert uses outdated hash algorithm

    • Type: Task
    • Resolution: Fixed
    • Priority: Unknown
    • Component/s: Mongo Orchestration

      Certificates in drivers-evergreen-tools were regenerated with SHA256 a few years ago for DRIVERS-575.

      mongo-orchestration is still using an old client.pem cert, which dates back seven years to 10gen/mongo-orchestration@60ab9d2. This cert appears to be injected into every internal PyMongo client whenever a configuration uses sslParams (see: common.py, sharded_clusters.py).

      On my local system (Python 3.8.10, OpenSSL 1.1.1f), attempting to start an SSL cluster (e.g. load-balancer-ssl.json) emits the following error:

      Traceback (most recent call last):
        File "/home/jmikola/.local/lib/python3.8/site-packages/pymongo/ssl_support.py", line 128, in get_ssl_context
          ctx.load_cert_chain(certfile, keyfile, passphrase)
      ssl.SSLError: [SSL: CA_MD_TOO_WEAK] ca md too weak (_ssl.c:4046)
      
      During handling of the above exception, another exception occurred:
      
      Traceback (most recent call last):
      ...
        File "/home/jmikola/.local/lib/python3.8/site-packages/pymongo/ssl_support.py", line 130, in get_ssl_context
          raise ConfigurationError(
      pymongo.errors.ConfigurationError: Private key doesn't match certificate: [SSL: CA_MD_TOO_WEAK] ca md too weak (_ssl.c:4046)
      

      Presumably, this can be fixed by regenerating the certificate in the mongo-orchestration repository, or just copying over one of the existing certs from drivers-evergreen-tools' x509gen directory.
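The CA_MD_TOO_WEAK error in the traceback above means OpenSSL refused a certificate in the chain because the digest used to sign it (MD5 or SHA-1) falls below the security level that OpenSSL 1.1.1 applies by default. The following is an added example, not part of this ticket and not code from mongo-orchestration or drivers-evergreen-tools: a stdlib-only Python checker that reads the signatureAlgorithm OID straight out of a PEM or DER certificate and flags MD5/SHA-1 signatures before the file is handed to load_cert_chain. The sample "certificates" it builds are constructed skeletons (just the outer Certificate SEQUENCE with an empty tbsCertificate), not real, verifiable certificates, and all function names are my own.

```python
"""Report which digest algorithm signed an X.509 certificate (PEM or DER).

Only the outer structure is parsed:
  Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
so no third-party ASN.1 library is needed.
"""
import base64
import re

# Signature-algorithm OIDs from RFC 3279 / RFC 4055 / RFC 5758.
WEAK_SIG_OIDS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
}
STRONG_SIG_OIDS = {
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
    "1.2.840.10045.4.3.4": "ecdsa-with-SHA512",
}

_PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(data: bytes) -> bytes:
    """DER bytes of the first CERTIFICATE block; data is returned unchanged if already DER."""
    m = _PEM_RE.search(data)
    if m is None:
        return data
    return base64.b64decode(b"".join(m.group(1).split()))


def _read_tlv(buf: bytes, pos: int):
    """Decode one DER tag-length-value starting at pos; return (tag, content, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(raw: bytes) -> str:
    """Convert OBJECT IDENTIFIER content octets to dotted-decimal form."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear ends this base-128 arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def signature_oid(cert: bytes) -> str:
    """Dotted OID of the algorithm that signed the certificate (PEM or DER input)."""
    tag, body, _ = _read_tlv(pem_to_der(cert), 0)
    if tag != 0x30:
        raise ValueError("certificate is not a DER SEQUENCE")
    _, _tbs, pos = _read_tlv(body, 0)      # tbsCertificate: skipped entirely
    tag, alg, _ = _read_tlv(body, pos)      # signatureAlgorithm: AlgorithmIdentifier
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid, _ = _read_tlv(alg, 0)         # AlgorithmIdentifier.algorithm
    if tag != 0x06:
        raise ValueError("expected an OBJECT IDENTIFIER")
    return _decode_oid(oid)


def classify_signature(cert: bytes) -> str:
    """'weak' for MD5/SHA-1 (OpenSSL will raise CA_MD_TOO_WEAK), 'ok' for SHA-2, else 'unknown'."""
    oid = signature_oid(cert)
    return "weak" if oid in WEAK_SIG_OIDS else "ok" if oid in STRONG_SIG_OIDS else "unknown"


# --- constructed sample input (hypothetical skeletons, not real certificates) ---
def _der(tag: int, content: bytes) -> bytes:
    """Short-form DER TLV; enough for the tiny samples below."""
    if len(content) >= 128:
        raise ValueError("short-form encoder only")
    return bytes([tag, len(content)]) + content


def _encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def sample_cert_der(sig_oid: str) -> bytes:
    """Constructed: empty tbsCertificate, AlgorithmIdentifier {sig_oid, NULL}, empty BIT STRING."""
    alg = _der(0x30, _der(0x06, _encode_oid(sig_oid)) + _der(0x05, b""))
    return _der(0x30, _der(0x30, b"") + alg + _der(0x03, b"\x00"))


def sample_cert_pem(sig_oid: str) -> bytes:
    body = base64.encodebytes(sample_cert_der(sig_oid))
    return b"-----BEGIN CERTIFICATE-----\n" + body + b"-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.5", "1.2.840.113549.1.1.11"):
        print(oid, "->", classify_signature(sample_cert_pem(oid)))
```

On a real file, `classify_signature(open("client.pem", "rb").read())` returning "weak" is the condition that produces the CA_MD_TOO_WEAK failure above; running the check over every PEM a test harness injects into clients is a cheap way to catch a stale certificate before OpenSSL does.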

Assignee: Jeremy Mikola (jmikola@mongodb.com)
Reporter: Jeremy Mikola (jmikola@mongodb.com)