Uploaded image for project: 'Java Driver'
  1. Java Driver
  2. JAVA-2184

No subject alternative names matching IP address // Subject Alternative Name only DNS entry

    Details

    • Type: Question
    • Status: Closed
    • Priority: Major - P3
    • Resolution: Fixed
    • Affects Version/s: 3.2.1
    • Fix Version/s: None
    • Component/s: Connection Management
    • Labels:
      None
    • Environment:
      Windows, Linux
    • # Replies:
      6
    • Last comment by Customer:
      true

      Description

      Hello,

      I´m trying to connect to a mongod instance on CentOS with the Java driver from my windows-pc. The mongod is configured as follows:

         ssl:
          mode: requireSSL
          PEMKeyFile: /tmp/ssl/mongodb.pem
          CAFile: /tmp/ssl/cert-chain.pem
          allowConnectionsWithoutCertificates: true
      

      A connection from my windows with the commandline works:

      mongod <server:port> --ssl --sslCAFile <certicate-ca>
      

      Also from MongoChef, but I get an exception when I try to execute the following snippet:

      MongoClientOptions clientOptions = MongoClientOptions.builder().sslEnabled(true).sslInvalidHostNameAllowed(false).build();
      MongoClient mongoClient = new MongoClient("<mongod-dnsname>", clientOptions);
       
      MongoDatabase db = mongoClient.getDatabase("test");
      MongoCollection<Document> collection = db.getCollection("testColl");
       
      System.out.println(collection.count());
      

      The stacktrace is:

      2016-05-03 08:02:28,004 INFO  cluster: Cluster created with settings {hosts=[<mongod-dnsname>], mode=SINGLE, requiredClusterType=UNKNOWN, serverSelectionTimeout='30000 ms', maxWaitQueueSize=500}
      2016-05-03 08:02:28,086 DEBUG cluster: Updating cluster description to  {type=UNKNOWN, servers=[{address=<mongod-dnsname>, type=UNKNOWN, state=CONNECTING}]
      2016-05-03 08:02:28,132 INFO  cluster: No server chosen by ReadPreferenceServerSelector{readPreference=primary} from cluster description ClusterDescription{type=UNKNOWN, connectionMode=SINGLE, all=[ServerDescription{address=<mongod-dnsname>, type=UNKNOWN, state=CONNECTING}]}. Waiting for 30000 ms before timing out
      2016-05-03 08:02:28,147 DEBUG connection: Closing connection connectionId{localValue:1}
      2016-05-03 08:02:28,149 DEBUG connection: Closing connection connectionId{localValue:1}
      2016-05-03 08:02:28,150 INFO  cluster: Exception in monitor thread while connecting to server <mongod-dnsname>
      com.mongodb.MongoSocketWriteException: Exception sending message
      	at com.mongodb.connection.InternalStreamConnection.translateWriteException(InternalStreamConnection.java:462)
      	at com.mongodb.connection.InternalStreamConnection.sendMessage(InternalStreamConnection.java:205)
      	at com.mongodb.connection.CommandHelper.sendMessage(CommandHelper.java:89)
      	at com.mongodb.connection.CommandHelper.executeCommand(CommandHelper.java:32)
      	at com.mongodb.connection.InternalStreamConnectionInitializer.initializeConnectionDescription(InternalStreamConnectionInitializer.java:83)
      	at com.mongodb.connection.InternalStreamConnectionInitializer.initialize(InternalStreamConnectionInitializer.java:43)
      	at com.mongodb.connection.InternalStreamConnection.open(InternalStreamConnection.java:115)
      	at com.mongodb.connection.DefaultServerMonitor$ServerMonitorRunnable.run(DefaultServerMonitor.java:128)
      	at java.lang.Thread.run(Thread.java:745)
      Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names matching IP address <mongod-ip> found
      	at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
      	at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
      	at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
      	at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
      	at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1506)
      	at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
      	at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
      	at sun.security.ssl.Handshaker.process_record(Handshaker.java:914)
      	at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)
      	at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
      	at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:747)
      	at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:123)
      	at com.mongodb.connection.SocketStream.write(SocketStream.java:75)
      	at com.mongodb.connection.InternalStreamConnection.sendMessage(InternalStreamConnection.java:201)
      	... 7 more
      Caused by: java.security.cert.CertificateException: No subject alternative names matching IP address <mongod-ip> found
      	at sun.security.util.HostnameChecker.matchIP(HostnameChecker.java:167)
      	at sun.security.util.HostnameChecker.match(HostnameChecker.java:93)
      	at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:455)
      	at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:436)
      	at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:200)
      	at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
      	at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1488)
      	... 16 more
      

      The certificate was also used for the application running on the same server without any trouble. It contains following SAN entry:
      X509v3 Subject Alternative Name:
      DNS:<mongod-dnsname>

        Attachments

          Activity

            People

            • Assignee:
              Unassigned
              Reporter:
              ssiegl Stefan Siegl
              Participants:
              Last commenter:
              Rathi Gnanasekaran
            • Votes:
              0 Vote for this issue
              Watchers:
              5 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved:
                Days since reply:
                2 years, 4 weeks, 6 days ago
                Date of 1st Reply: