Type: Bug
Resolution: Duplicate
Priority: Major - P3
Affects Version/s: 2.2.4, 2.8.0
Component/s: Connections
Environment: unix
I have a Ruby 2.6.0 implementation using mongoid and mongo gems that is configured to use a multi-certificate PEM file defined under :ssl_ca_cert. However, based on testing, the system is only reading the first certificate in the file and ignoring the rest.
I was using version 2.2.4 of mongo, and also tested version 2.8.0, both of which had issues with authentication using the multi-certificate PEM file. After much experimentation I found the following:
A) setting ENV['SSL_CERT_FILE'] = '<PEM file>' and NOT defining :ssl_ca_cert worked
B) Breaking the certificate file into separate strings and using OpenSSL::X509::Certificate.new() to create individual objects in an array and defining :ssl_ca_cert_object (mongo 2.8.0) worked.
Diving into the code for mongo 2.8.0, when using :ssl_ca_cert, I see the following:
```ruby
# excerpt from the mongo 2.8.0 driver: the CA file is handed to
# OpenSSL::X509::Certificate.new, which parses a single certificate
if options[:ssl_ca_cert]
  cert_store.add_cert(OpenSSL::X509::Certificate.new(File.open(options[:ssl_ca_cert])))
end
```
Looking at OpenSSL code, I don't see where OpenSSL::X509::Certificate.new() comprehends that the file it's reading may contain multiple certificates. Maybe I missed something.
In any case, using either method A or B above worked (as a work-around) but using :ssl_ca_cert as advertised did not.
I am uncertain if this is an issue with openssl, mongo, or mongoid, but believe this is a usage problem in mongo with how openssl is utilized.
Sample test case (you can fill in the missing pieces):

```ruby
require 'mongo'

# c1..c5: the PEM text of each individual certificate from the bundle
# (the actual strings are not included in this report)
certs = [
  OpenSSL::X509::Certificate.new(c1),
  OpenSSL::X509::Certificate.new(c2),
  OpenSSL::X509::Certificate.new(c3),
  OpenSSL::X509::Certificate.new(c4),
  OpenSSL::X509::Certificate.new(c5)
]

options = {}
options[:ssl] = true
options[:ssl_verify] = true
# mongo 2.8.0: pass pre-parsed certificate objects instead of :ssl_ca_cert
options[:ssl_ca_cert_object] = certs
options[:auth_mech] = :scram
options[:database] = 'database_name'
options[:user] = 'user_name'
options[:password] = 'password'

client = Mongo::Client.new(['host1:7901', 'host2:7901', 'host3:7901'], options)
```
Duplicates: RUBY-1823 Support adding multiple CA certificates (Closed)
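As an added example, not part of the report above nor the driver's own code, the following Ruby shows the behaviour the reporter observed: OpenSSL::X509::Certificate.new on a multi-certificate PEM bundle yields only the first certificate, so a trust store built that way cannot verify anything signed by a later CA in the file, while splitting the bundle into PEM blocks and adding each certificate (the basis of workaround B) verifies correctly. The three CA certificates and the leaf certificate are generated inline as a constructed fixture; the names load_pem_bundle, build_cert_store, make_self_signed_ca, issue_leaf and demo are this example's own, not the driver's API.

```ruby
require 'openssl'

# One PEM certificate block; the /m flag lets '.' span lines.
PEM_CERT_RE = /-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----/m

# Parse every certificate in a PEM bundle. OpenSSL::X509::Certificate.new
# stops after the first PEM block, so the bundle has to be split first.
def load_pem_bundle(pem_text)
  pem_text.scan(PEM_CERT_RE).map { |block| OpenSSL::X509::Certificate.new(block) }
end

# Build a trust store holding every CA in the bundle (the equivalent of
# the :ssl_ca_cert_object workaround described in the report).
def build_cert_store(pem_text)
  store = OpenSSL::X509::Store.new
  load_pem_bundle(pem_text).each { |cert| store.add_cert(cert) }
  store
end

# Constructed fixture: a self-signed CA certificate plus its private key.
def make_self_signed_ca(common_name, serial)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3
  cert.serial = serial
  name = OpenSSL::X509::Name.parse("/CN=#{common_name}")
  cert.subject = name
  cert.issuer = name
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = cert
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  cert.add_extension(ef.create_extension('subjectKeyIdentifier', 'hash'))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

# Constructed fixture: a leaf (server) certificate issued by the given CA.
def issue_leaf(ca_cert, ca_key, common_name)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1000
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{common_name}")
  cert.issuer = ca_cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(ca_key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Compare "first certificate only" (what the driver's :ssl_ca_cert path does)
# against loading the whole bundle, using a leaf signed by the THIRD CA.
def demo
  cas = %w[ca-one ca-two ca-three].each_with_index.map { |cn, i| make_self_signed_ca(cn, i + 1) }
  bundle = cas.map { |cert, _key| cert.to_pem }.join
  leaf = issue_leaf(*cas.last, 'mongo-node.example')

  first_only = OpenSSL::X509::Store.new
  first_only.add_cert(OpenSSL::X509::Certificate.new(bundle)) # silently drops CAs two and three
  whole_bundle = build_cert_store(bundle)

  {
    parsed_count: load_pem_bundle(bundle).size,
    first_only_subject: OpenSSL::X509::Certificate.new(bundle).subject.to_s,
    verifies_with_first_only: first_only.verify(leaf),
    verifies_with_whole_bundle: whole_bundle.verify(leaf)
  }
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |k, v| puts "#{k}: #{v}" }
end
```

The failure mode is silent: no error is raised when the remaining certificates are discarded, so the only symptom is a verification failure against servers whose chain ends in one of the dropped CAs. OpenSSL::X509::Store#add_file(path) is the standard-library way to load every certificate in a bundle file in one call, if you are building the store yourself rather than splitting the text as above.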