Details
- Bug
- Resolution: Done
- Minor - P4
- None
- 6.0.3
- None
- Server Security
- ALL
- Security 2023-01-23
Description
My configuration looks like this:

net:
  port: 27019
  bindIpAll: true
  ipv6: true
  tls:
    mode: preferTLS
    certificateKeyFile: /home/mongod/mipmdb.pem
    clusterCAFile: /etc/ssl/certs/ca-bundle.crt
    allowConnectionsWithoutCertificates: true

security:
  authorization: enabled
  keyFile: /home/mongod/.mongo.key

Documentation says:
If --tlsCAFile or tls.CAFile is not specified and you are not using x.509 authentication, the system-wide CA certificate store will be used when connecting to a TLS-enabled server.
If using x.509 authentication, --tlsCAFile or tls.CAFile must be specified unless using --tlsCertificateSelector.
Despite this, the logfile shows this warning at startup:
{
  "t": {"$date": "2022-12-19T08:37:18.220+01:00"},
  "s": "W",
  "c": "CONTROL",
  "id": 22133,
  "ctx": "initandlisten",
  "msg": "No client certificate validation can be performed since no CA file has been provided. Please specify an sslCAFile parameter"
}

So, either the documentation is wrong, or mongod failed to use the system-wide CA certificate store.
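As an added example (not from this report or from MongoDB), a stdlib-only Python check for the two things the report turns on: a mongod config whose TLS section has no CAFile, and the id 22133 warning in the mongod JSON log. SAMPLE_CONFIG is the report's YAML as a dict, SAMPLE_LOG is constructed around the quoted warning, and the function names are assumptions.

```python
import json
NO_CA_FILE_WARNING_ID = 22133  # id of the startup warning quoted in the report

# Constructed: dict form of the YAML configuration in the report.
SAMPLE_CONFIG = {
    "net": {"port": 27019, "bindIpAll": True, "ipv6": True,
            "tls": {"mode": "preferTLS",
                    "certificateKeyFile": "/home/mongod/mipmdb.pem",
                    "clusterCAFile": "/etc/ssl/certs/ca-bundle.crt",
                    "allowConnectionsWithoutCertificates": True}},
    "security": {"authorization": "enabled", "keyFile": "/home/mongod/.mongo.key"},
}
# Constructed log excerpt: the warning from the report plus one unrelated line
# whose id and text are placeholders, not real mongod output.
SAMPLE_LOG = [
    '{"t":{"$date":"2022-12-19T08:37:18.220+01:00"},"s":"W","c":"CONTROL","id":22133,'
    '"ctx":"initandlisten","msg":"No client certificate validation can be performed '
    'since no CA file has been provided. Please specify an sslCAFile parameter"}',
    '{"t":{"$date":"2022-12-19T08:37:18.300+01:00"},"s":"I","c":"NETWORK","id":99999,'
    '"ctx":"initandlisten","msg":"placeholder informational line"}',
    "not json at all",
]

def audit_tls_config(cfg):
    """Findings for a mongod config dict whose TLS settings skip validation."""
    tls = cfg.get("net", {}).get("tls", {})
    mode = tls.get("mode", "disabled")
    findings = []
    if mode == "disabled":
        return findings
    # Without CAFile (or a certificateSelector) mongod logs id 22133 and does no
    # client certificate validation; clusterCAFile alone does not change that.
    if not tls.get("CAFile") and not tls.get("certificateSelector"):
        findings.append("net.tls.CAFile unset: no client certificate validation")
    if tls.get("allowConnectionsWithoutCertificates"):
        findings.append("allowConnectionsWithoutCertificates=true: clients need "
                        "not present a certificate at all")
    return findings

def find_ca_warnings(log_lines):
    """Parsed mongod JSON log entries carrying the id 22133 warning."""
    hits = []
    for line in log_lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip lines that are not JSON
        if entry.get("id") == NO_CA_FILE_WARNING_ID:
            hits.append(entry)
    return hits
```

Run the audit against a real config file by loading the YAML into a dict first; adding net.tls.CAFile clears the first finding.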
Issue Links
- is related to:
  - SERVER-72839 Server skips peer certificate validation if neither CAFile nor clusterCAFile is provided (Closed)
  - SERVER-72846 Fix misleading startup warning about client certificate validation (Closed)