[CDRIVER-2153] mongoc_client_pool_t cannot connect to MongoDB Atlas Created: 07/May/17  Updated: 28/Oct/23  Resolved: 10/May/17

Status: Closed
Project: C Driver
Component/s: None
Affects Version/s: 1.5.5, 1.6.2
Fix Version/s: 1.6.3, 1.7.0

Type: Bug Priority: Blocker - P1
Reporter: Hannes Magnusson Assignee: Hannes Magnusson
Resolution: Fixed Votes: 1
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Depends
Related
related to CDRIVER-948 TLS / SSL connections fail in pooled ... Closed
related to CXX-1332 Mongo-CXX-Driver failed to connect to... Closed
related to CDRIVER-467 Impossible to connect with ssl=true w... Closed
related to CDRIVER-2154 SNI not provided when allow_invalid_h... Closed
related to CDRIVER-933 mongoc_ssl_opt_get_default changed in... Closed
related to CDRIVER-935 mongoc_client_set_ssl_opts should req... Closed

 Description   

bjori@TaylorSwift ~/Sources/mongoc master $ ./mongoc-ping "mongodb://user:pass@hqpics-shard-00-00-uwkcc.mongodb.net:27017,hqpics-shard-00-01-uwkcc.mongodb.net:27017,hqpics-shard-00-02-uwkcc.mongodb.net:27017/?ssl=true&replicaSet=HQPics-shard-0&authSource=admin"
{ "ok" : { "$numberInt" : "1" } }
bjori@TaylorSwift ~/Sources/mongoc master $ ./example-pool "mongodb://user:pass@hqpics-shard-00-00-uwkcc.mongodb.net:27017,hqpics-shard-00-01-uwkcc.mongodb.net:27017,hqpics-shard-00-02-uwkcc.mongodb.net:27017/?ssl=true&replicaSet=HQPics-shard-0&authSource=admin"
No suitable servers found: `serverSelectionTimeoutMS` expired: [Server closed connection. calling ismaster on 'hqpics-shard-00-00-uwkcc.mongodb.net:27017'] [Server closed connection. calling ismaster on 'hqpics-shard-00-01-uwkcc.mongodb.net:27017'] [Server closed connection. calling ismaster on 'hqpics-shard-00-02-uwkcc.mongodb.net:27017']
No suitable servers found: `serverSelectionTimeoutMS` expired: [Server closed connection. calling ismaster on 'hqpics-shard-00-00-uwkcc.mongodb.net:27017'] [Server closed connection. calling ismaster on 'hqpics-shard-00-01-uwkcc.mongodb.net:27017'] [Server closed connection. calling ismaster on 'hqpics-shard-00-02-uwkcc.mongodb.net:27017']
No suitable servers found: `serverSelectionTimeoutMS` expired: [Server closed connection. calling ismaster on 'hqpics-shard-00-00-uwkcc.mongodb.net:27017'] [Server closed connection. calling ismaster on 'hqpics-shard-00-01-uwkcc.mongodb.net:27017'] [Server closed connection. calling ismaster on 'hqpics-shard-00-02-uwkcc.mongodb.net:27017']
No suitable servers found: `serverSelectionTimeoutMS` expired: [Server closed connection. calling ismaster on 'hqpics-shard-00-00-uwkcc.mongodb.net:27017'] [Server closed connection. calling ismaster on 'hqpics-shard-00-01-uwkcc.mongodb.net:27017'] [Server closed connection. calling ismaster on 'hqpics-shard-00-02-uwkcc.mongodb.net:27017']
No suitable servers found: `serverSelectionTimeoutMS` expired: [Server closed connection. calling ismaster on 'hqpics-shard-00-00-uwkcc.mongodb.net:27017'] [Server closed connection. calling ismaster on 'hqpics-shard-00-01-uwkcc.mongodb.net:27017'] [Server closed connection. calling ismaster on 'hqpics-shard-00-02-uwkcc.mongodb.net:27017']
No suitable servers found: `serverSelectionTimeoutMS` expired: [Server closed connection. calling ismaster on 'hqpics-shard-00-00-uwkcc.mongodb.net:27017'] [Server closed connection. calling ismaster on 'hqpics-shard-00-01-uwkcc.mongodb.net:27017'] [Server closed connection. calling ismaster on 'hqpics-shard-00-02-uwkcc.mongodb.net:27017']
No suitable servers found: `serverSelectionTimeoutMS` expired: [Server closed connection. calling ismaster on 'hqpics-shard-00-00-uwkcc.mongodb.net:27017'] [Server closed connection. calling ismaster on 'hqpics-shard-00-01-uwkcc.mongodb.net:27017'] [Server closed connection. calling ismaster on 'hqpics-shard-00-02-uwkcc.mongodb.net:27017']
No suitable servers found: `serverSelectionTimeoutMS` expired: [Server closed connection. calling ismaster on 'hqpics-shard-00-00-uwkcc.mongodb.net:27017'] [Server closed connection. calling ismaster on 'hqpics-shard-00-01-uwkcc.mongodb.net:27017'] [Server closed connection. calling ismaster on 'hqpics-shard-00-02-uwkcc.mongodb.net:27017']
No suitable servers found: `serverSelectionTimeoutMS` expired: [Server closed connection. calling ismaster on 'hqpics-shard-00-00-uwkcc.mongodb.net:27017'] [Server closed connection. calling ismaster on 'hqpics-shard-00-01-uwkcc.mongodb.net:27017'] [Server closed connection. calling ismaster on 'hqpics-shard-00-02-uwkcc.mongodb.net:27017']
No suitable servers found: `serverSelectionTimeoutMS` expired: [Server closed connection. calling ismaster on 'hqpics-shard-00-00-uwkcc.mongodb.net:27017'] [Server closed connection. calling ismaster on 'hqpics-shard-00-01-uwkcc.mongodb.net:27017'] [Server closed connection. calling ismaster on 'hqpics-shard-00-02-uwkcc.mongodb.net:27017']



 Comments   
Comment by Githook User [ 09/May/17 ]

Author: Hannes Magnusson (bjori) <bjori@php.net>

Message: Merge branch 'CDRIVER-2153-pool-ssl'

Comment by Githook User [ 09/May/17 ]

Author: Hannes Magnusson (bjori) <bjori@php.net>

Message: CDRIVER-2153 Install our custom CA to the system trust store

This will only work on certain ubuntu versions
Branch: master
https://github.com/mongodb/mongo-c-driver/commit/ca97a9164cdc7851cb07457b9e597498b8264e02

Comment by Githook User [ 09/May/17 ]

Author: Hannes Magnusson (bjori) <bjori@php.net>

Message: CDRIVER-2153 Add SNI support for the mock server
Branch: master
https://github.com/mongodb/mongo-c-driver/commit/97dddf96ff1a83d0d6cddac72877bd65ece688b6

Comment by Githook User [ 09/May/17 ]

Author: Hannes Magnusson (bjori) <bjori@php.net>

Message: CDRIVER-2153 mongoc_client_pool_t cannot connect to MongoDB Atlas

Also add support for setting the ssl_opts through the URI in pool mode
Branch: master
https://github.com/mongodb/mongo-c-driver/commit/64d0abf4720475e50bc5c3ac8c125a65c9cb3e36

Comment by aarti parikh [ 09/May/17 ]

I have some good news. I did not use your branch, but I copied over the patch you put in, namely these lines below + the defines, when I create the pool, and it WORKS great! I am off to using Atlas. Thank you much.

        mongoc_ssl_opt_t ssl_opts = { 0 };
        ssl_opts.pem_file = mongoc_uri_get_option_as_utf8( uri, MONGOC_URI_SSLCLIENTCERTIFICATEKEYFILE, NULL);
        ssl_opts.pem_pwd = mongoc_uri_get_option_as_utf8( uri, MONGOC_URI_SSLCLIENTCERTIFICATEKEYPASSWORD, NULL);
        ssl_opts.ca_file = mongoc_uri_get_option_as_utf8 ( uri, MONGOC_URI_SSLCERTIFICATEAUTHORITYFILE, NULL);
        ssl_opts.weak_cert_validation = mongoc_uri_get_option_as_bool (uri, MONGOC_URI_SSLALLOWINVALIDCERTIFICATES, false);
        ssl_opts.allow_invalid_hostname = mongoc_uri_get_option_as_bool (uri, MONGOC_URI_SSLALLOWINVALIDHOSTNAMES, false);
        mongoc_client_pool_set_ssl_opts(pool, &ssl_opts);

Comment by Hannes Magnusson [ 08/May/17 ]

No, enabling weak_cert_validate and/or invalid_hostname will prevent you from connecting to Atlas.

If you have the means to compile from git and are willing to try out my fix for this issue, could you try my "CDRIVER-2153-pool-ssl" branch on https://github.com/bjori/mongo-c-driver/tree/CDRIVER-2153-pool-ssl ?

Something like

git clone --branch CDRIVER-2153-pool-ssl git@github.com:bjori/mongo-c-driver.git
cd mongo-c-driver
./autogen.sh --disable-automatic-init-and-cleanup --with-libbson=bundled
make && make install

Comment by aarti parikh [ 08/May/17 ]

I am not connecting to localhost, but to my Atlas instance. I did not want to share my Atlas credentials on a public JIRA board. Do you think adding the weak_cert_validation + hostname flags would allow me to connect and iterate through the collection? If so, I can try that.

Comment by Hannes Magnusson [ 08/May/17 ]

aarti Are you actually connecting to localhost in your example? I believe it "hangs" due to not being able to verify the certificate in your example.

I did discover another Atlas-related bug, in that if you disable certificate verification (e.g. set mongoc_ssl_opt_t.weak_cert_validation = true, or .allow_invalid_hostname = true) then we don't actually send the SNI, which will result in an error in Atlas. See CDRIVER-2154. But as it would be dangerous to run such a configuration in production, that issue should not affect a lot of people.
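
The two URI settings this thread turns on, whether `ssl=true` is present and whether certificate or hostname verification has been switched off, can be checked on the connection string before a pool is built from it. The following is an added example, not code from this ticket or from the driver: `audit_uri_tls` and its flag names are hypothetical, the URI is constructed, and only the `ssl`, `sslAllowInvalidCertificates` and `sslAllowInvalidHostnames` options are inspected.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

enum { TLS_OFF = 1, WEAK_CERT = 2, WEAK_HOSTNAME = 4 };

/* Case-insensitive compare of the n bytes at s against a literal. */
static bool ieq (const char *s, size_t n, const char *lit)
{
    if (strlen (lit) != n) return false;
    for (size_t i = 0; i < n; i++)
        if (tolower ((unsigned char) s[i]) != tolower ((unsigned char) lit[i]))
            return false;
    return true;
}

/* Set or clear one finding bit. */
static int flag (int f, int bit, bool on) { return on ? (f | bit) : (f & ~bit); }

/* Audit the ?key=value&... options of a MongoDB URI (option names are
 * case-insensitive; the flag names are hypothetical). Returns a bitmask of
 * findings; 0 means TLS is on and verification is untouched. */
int audit_uri_tls (const char *uri)
{
    int f = TLS_OFF; /* no TLS until ssl=true is seen */
    const char *p = strchr (uri, '?');

    for (p = p ? p + 1 : ""; *p; p += (*p == '&')) {
        size_t len = strcspn (p, "&");
        const char *eq = memchr (p, '=', len);
        if (eq) {
            size_t klen = (size_t) (eq - p);
            bool on = ieq (eq + 1, len - klen - 1, "true");
            if (ieq (p, klen, "ssl")) f = flag (f, TLS_OFF, !on);
            if (ieq (p, klen, "sslAllowInvalidCertificates")) f = flag (f, WEAK_CERT, on);
            if (ieq (p, klen, "sslAllowInvalidHostnames")) f = flag (f, WEAK_HOSTNAME, on);
        }
        p += len;
    }
    return f;
}

int main (void)
{
    /* Constructed URI, not a real deployment. */
    printf ("%d\n", audit_uri_tls ("mongodb://db0.example.net/?ssl=true&sslAllowInvalidHostnames=true"));
    return 0;
}
```

A non-zero result is a reason to refuse the URI in production configuration rather than to pass it on to `mongoc_client_pool_new`.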

Comment by aarti parikh [ 07/May/17 ]

I have tried all sorts of options to get the pool to work with a cursor but no luck. I modified your sample code to simply make one call with the pool and to print the results, but it hangs.

/* gcc example-pool.c -o example-pool $(pkg-config --cflags --libs
 * libmongoc-1.0) */
 
/* ./example-pool [CONNECTION_STRING] */
 
#include <mongoc.h>
#include <stdio.h>
 
 
static void
print_all_documents (mongoc_collection_t *collection)
{
    mongoc_cursor_t *cursor;
    const bson_t *doc;
    bson_error_t error;
    bson_t *query = BCON_NEW("state", BCON_INT32 (0));
    char *str;
    bson_t *opts;
    mongoc_read_prefs_t *read_prefs;
    
    opts = BCON_NEW ("exhaust", BCON_BOOL (true));
    read_prefs = mongoc_read_prefs_new (MONGOC_READ_PRIMARY);
    cursor = mongoc_collection_find_with_opts (collection, query, opts, read_prefs);
 
    
    if (mongoc_cursor_next (cursor, &doc)) {
        str = bson_as_json (doc, NULL);
        printf ("%s\n", str);
        bson_free (str);
    }
    
    if (mongoc_cursor_error (cursor, &error)) {
        fprintf (stderr, "Failed to iterate all documents: %s\n", error.message);
    }
    
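    mongoc_cursor_destroy (cursor);
    /* Release the read preferences, options and query allocated above. */
    mongoc_read_prefs_destroy (read_prefs);
    bson_destroy (opts);
    bson_destroy (query);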
}
 
 
int
main (int argc, char *argv[])
{
    const char *uristr = "localhost:127.0.0.1";
    mongoc_uri_t *uri;
    mongoc_client_pool_t *pool;
    mongoc_client_t *client;
    mongoc_database_t    *database;
    mongoc_collection_t  *collection;
    mongoc_init ();
    
    if (argc > 1) {
        uristr = argv[1];
    }
    
    // Test without Pool
//    client = mongoc_client_new(uristr);
//    database = mongoc_client_get_database (client, "accounts");
//    collection = mongoc_client_get_collection (client, "accounts", "users");
//    print_all_documents(collection);
    
    // Test with Pool
    uri = mongoc_uri_new (uristr);
    pool = mongoc_client_pool_new (uri);
    mongoc_client_pool_set_ssl_opts (pool, mongoc_ssl_opt_get_default ());
    client = mongoc_client_pool_pop (pool);
    database = mongoc_client_get_database (client, "accounts");
    collection = mongoc_client_get_collection (client, "accounts", "users");
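    print_all_documents(collection);
    /* Release the handles and return the client before destroying the pool. */
    mongoc_collection_destroy (collection);
    mongoc_database_destroy (database);
    mongoc_client_pool_push (pool, client);
    mongoc_client_pool_destroy (pool);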
    mongoc_uri_destroy (uri);
    mongoc_cleanup ();
    return 0;
}

Comment by aarti parikh [ 07/May/17 ]

I added the ssl options and now this works for the `ping` requests but fails for mongo_cursor calls. I no longer get the `Server closed connection. calling ismaster` but I am still seeing

Domain: 15, Error Code: 13053, Message: No suitable servers found: `serverSelectionTimeoutMS` expired] 

when I try to iterate through a cursor.

I am running the standard example code to print all documents in a collection. http://mongoc.org/libmongoc/current/cursors.html

When running through the debugger this fails with a mongoc_cursor_error

if (mongoc_cursor_error (cursor, &error)) {
      fprintf (stderr, "Failed to iterate all documents: %s\n", error.message);
   }

Note: The same code to print documents works with a client that does not use a pool.

Comment by Hannes Magnusson [ 07/May/17 ]

It looks like mongoc_client_pool_t is somehow not picking up the ssl setting from the connection uri.

Adding a call to mongoc_client_pool_set_ssl_opts will explicitly tell the pool to use ssl.

mongoc_client_pool_t *pool = mongoc_client_pool_new (uri);
mongoc_client_pool_set_ssl_opts (pool, mongoc_ssl_opt_get_default ());

Can you confirm that this workaround works for you, aleksandr9809@gmail.com, aarti?
