  1. Node.js Driver
  2. NODE-3109

MongoDB driver 3.6.3 sets TLS ServerName to an IP and causes connection to fail

    • Type: Bug
    • Resolution: Fixed
    • Priority: Major - P3
    • Fix Version/s: 4.0.0, 3.6.6
    • Affects Version/s: 3.6.3, 4.0.0
    • Component/s: None
    • Not Needed

      Using Mongoose 5.11.15 (which uses MongoDB driver 3.6.3), I create a connection with a proper host name but I get the following error:

        err: MongooseServerSelectionError: Hostname/IP does not match certificate's altnames: IP: <IP redacted> is not in the cert's list: 
            at NativeConnection.Connection.openUri (/Users/yenlu/devtools/git/drisk/monorepo/node_modules/mongoose/lib/connection.js:845:32)
            at Mongoose.createConnection (/Users/yenlu/devtools/git/drisk/monorepo/node_modules/mongoose/lib/index.js:285:17)
            at Function.getConnection (/Users/yenlu/devtools/git/drisk/monorepo/src/common/db/Connection.js:51:41)
            at init (/Users/yenlu/devtools/git/drisk/monorepo/src/gateway-creditcards/server/server.js:34:20)
            at Object.<anonymous> (/Users/yenlu/devtools/git/drisk/monorepo/src/gateway-creditcards/server/index.js:10:1)
            at Module._compile (internal/modules/cjs/loader.js:1063:30)
            at Module._compile (/Users/yenlu/devtools/git/drisk/monorepo/node_modules/pirates/lib/index.js:99:24)
            at Module._extensions..js (internal/modules/cjs/loader.js:1092:10)
            at Object.newLoader [as .js] (/Users/yenlu/devtools/git/drisk/monorepo/node_modules/pirates/lib/index.js:104:7)
            at Module.load (internal/modules/cjs/loader.js:928:32)
            at Function.Module._load (internal/modules/cjs/loader.js:769:14)
            at Function.executeUserEntryPoint [as runMain] (internal/modules/run_main.js:72:12)
            at Object.<anonymous> (/Users/yenlu/devtools/git/drisk/monorepo/node_modules/@babel/node/lib/_babel-node.js:172:21)
            at Module._compile (internal/modules/cjs/loader.js:1063:30)
            at Object.Module._extensions..js (internal/modules/cjs/loader.js:1092:10)
            at Module.load (internal/modules/cjs/loader.js:928:32)
            at Function.Module._load (internal/modules/cjs/loader.js:769:14)
            at Function.executeUserEntryPoint [as runMain] (internal/modules/run_main.js:72:12)
            at internal/main/run_main_module.js:17:47 {
          reason: TopologyDescription {
            type: 'ReplicaSetNoPrimary',
            setName: 'rs_set',
            maxSetVersion: 2,
            maxElectionId: 7fffffff0000000000000024,
            servers: Map(1) {
              '<ip:port redacted>' => ServerDescription {
                address: '<ip:port redacted>',
                error: Error [ERR_TLS_CERT_ALTNAME_INVALID]: Hostname/IP does not match certificate's altnames: IP: <ip redacted> is not in the cert's list: 
                    at Object.checkServerIdentity (tls.js:297:12)
                    at TLSSocket.onConnectSecure (_tls_wrap.js:1507:27)
                    at TLSSocket.emit (events.js:315:20)
                    at TLSSocket.EventEmitter.emit (domain.js:486:12)
                    at TLSSocket._finishInit (_tls_wrap.js:932:8)
                    at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:706:12)
                    at TLSWrap.callbackTrampoline (internal/async_hooks.js:129:14) {
                  name: 'MongoNetworkError'
                },
                roundTripTime: -1,
                lastUpdateTime: 680952489,
                lastWriteDate: null,
                opTime: null,
                type: 'Unknown',
                topologyVersion: undefined,
                minWireVersion: 0,
                maxWireVersion: 0,
                hosts: [],
                passives: [],
                arbiters: [],
                tags: []
              }
            },
            stale: false,
            compatible: true,
            compatibilityError: null,
            logicalSessionTimeoutMinutes: null,
            heartbeatFrequencyMS: 10000,
            localThresholdMS: 15,
            commonWireVersion: 8
          }
        },
        isCritical: true,
        level: 'error',
        message: 'Unable to initialize.'
      }
      

      Looking at the logs, I also see the following before this error:

      (node:16513) [DEP0123] DeprecationWarning: Setting the TLS ServerName to an IP address is not permitted by RFC 6066. This will be ignored in a future version.
          at Object.connect (_tls_wrap.js:1619:15)
          at makeConnection (/Users/yenlu/devtools/git/drisk/monorepo/node_modules/mongoose/node_modules/mongodb/lib/core/connection/connect.js:285:20)
          at connect (/Users/yenlu/devtools/git/drisk/monorepo/node_modules/mongoose/node_modules/mongodb/lib/core/connection/connect.js:30:3)
          at checkServer (/Users/yenlu/devtools/git/drisk/monorepo/node_modules/mongoose/node_modules/mongodb/lib/core/sdam/monitor.js:250:3)
          at /Users/yenlu/devtools/git/drisk/monorepo/node_modules/mongoose/node_modules/mongodb/lib/core/sdam/monitor.js:296:5
          at executeAndReschedule (/Users/yenlu/devtools/git/drisk/monorepo/node_modules/mongoose/node_modules/mongodb/lib/utils.js:775:5)
          at makeInterruptableAsyncInterval (/Users/yenlu/devtools/git/drisk/monorepo/node_modules/mongoose/node_modules/mongodb/lib/utils.js:782:5)
          at Monitor.connect (/Users/yenlu/devtools/git/drisk/monorepo/node_modules/mongoose/node_modules/mongodb/lib/core/sdam/monitor.js:105:24)
          at Server.connect (/Users/yenlu/devtools/git/drisk/monorepo/node_modules/mongoose/node_modules/mongodb/lib/core/sdam/server.js:189:20)
          at createAndConnectServer (/Users/yenlu/devtools/git/drisk/monorepo/node_modules/mongoose/node_modules/mongodb/lib/core/sdam/topology.js:869:10)
          at updateServers (/Users/yenlu/devtools/git/drisk/monorepo/node_modules/mongoose/node_modules/mongodb/lib/core/sdam/topology.js:898:22)
          at NativeTopology.serverUpdateHandler (/Users/yenlu/devtools/git/drisk/monorepo/node_modules/mongoose/node_modules/mongodb/lib/core/sdam/topology.js:563:5)
          at Server.emit (events.js:315:20)
          at Server.EventEmitter.emit (domain.js:486:12)
          at Monitor.<anonymous> (/Users/yenlu/devtools/git/drisk/monorepo/node_modules/mongoose/node_modules/mongodb/lib/core/sdam/server.js:151:12)
          at Monitor.emit (events.js:327:22)
          at Monitor.EventEmitter.emit (domain.js:486:12)
          at /Users/yenlu/devtools/git/drisk/monorepo/node_modules/mongoose/node_modules/mongodb/lib/core/sdam/monitor.js:269:13
          at callback (/Users/yenlu/devtools/git/drisk/monorepo/node_modules/mongoose/node_modules/mongodb/lib/core/connection/connect.js:75:5)
          at /Users/yenlu/devtools/git/drisk/monorepo/node_modules/mongoose/node_modules/mongodb/lib/core/connection/connect.js:154:7
          at MessageStream.messageHandler (/Users/yenlu/devtools/git/drisk/monorepo/node_modules/mongoose/node_modules/mongodb/lib/cmap/connection.js:277:5)
          at MessageStream.emit (events.js:315:20)
          at MessageStream.EventEmitter.emit (domain.js:486:12)
          at processIncomingData (/Users/yenlu/devtools/git/drisk/monorepo/node_modules/mongoose/node_modules/mongodb/lib/cmap/message_stream.js:144:12)
          at MessageStream._write (/Users/yenlu/devtools/git/drisk/monorepo/node_modules/mongoose/node_modules/mongodb/lib/cmap/message_stream.js:42:5)
          at writeOrBuffer (_stream_writable.js:352:12)
          at MessageStream.Writable.write (_stream_writable.js:303:10)
          at TLSSocket.ondata (_stream_readable.js:719:22)
      

      Why is the MongoDB driver converting my properly qualified hostname into an IP address? The code works successfully with Mongoose 5.10.8, which uses MongoDB driver 3.6.2.

            Assignee:
            neal.beeken@mongodb.com Neal Beeken
            Reporter:
            yen.lu@scotiabank.com Yen Lu