[COMPASS-349] Support connecting with self-signed certificates which use a local certificate authority
Created: 21/Mar/16 | Updated: 10/Jan/24 | Resolved: 02/Aug/19

| Status: | Closed |
| Project: | Compass |
| Component/s: | Connectivity |
| Affects Version/s: | None |
| Fix Version/s: | None |
| Type: | New Feature |
| Priority: | Major - P3 |
| Reporter: | Rahul Dhodapkar |
| Assignee: | Unassigned |
| Resolution: | Won't Do |
| Votes: | 0 |
| Labels: | None |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Attachments: | |
| Issue Links: | |

Description
Hey Everyone! Working with a client who set up a local CA to generate their certificates and they want to connect with Compass. Their certificates validate properly when connecting with the mongo shell, but when trying to connect to Compass they get a "self signed certificate" error. Is there any way to allow connections where the root certificate is from a local CA? Perhaps I am including the wrong certificates in the certificate chain?
Comments

Comment by Ari Rabinowitz [ 10/May/21 ]

Compass does allow connecting to a MongoDB which uses a self-signed certificate, if you fill in the connection fields individually, but not if you paste in a connection string. Why this discrepancy between specifying the fields individually and in a connection string? Please see my topic in the community Developer Tools forum: Thank you, Ari
Comment by Massimiliano Marcon [ 02/Aug/19 ]

May or may not work now, but there has been no activity on the ticket for 2 years so I am closing.
Comment by Lucas Hrabovsky (Inactive) [ 23/May/17 ]

Recent changes to electron should now allow Compass to do this (w/o changes to node.js driver). See dialog.showCertificateTrustDialog() Related:
Comment by Peter Schmidt [ 16/Nov/16 ]

I think we should retest with at least Compass 1.5.0-beta.3 or later first as time permits. If this is still not fixed upstream in the nodejs driver, then it may be worthwhile for Compass to spend some time on it, but it would most likely be after we clear many of the other bugs and connectivity issues in our current backlog.
Comment by Rahul Dhodapkar [ 04/Apr/16 ]

Haven't had time to put together a vanilla node.js reproduction of the issue but I created a script that will build a Root CA + Intermediate CA in a configurable directory, which makes it easy to cleanly reproduce the issue. Give it a try and let me know if you have any trouble getting it to work!
Comment by Rahul Dhodapkar [ 01/Apr/16 ]

I'm almost certain this is a problem with the core Node library and not Compass or the driver, so I'm going to see if I can build a repro against that directly. Goal for today is to get that together and submit a ticket upstream we can track!
Comment by Matt Kangas [ 01/Apr/16 ]

rahul.dhodapkar - thanks for the update! Since you are now the expert in this matter - can you please create a way for us to quickly repro both scenarios (e.g. the certs needed plus instructions on how to recreate them), and attach that as a tarball? We use the version of OpenSSL that is bundled with Electron, so if we want to make any changes in this area, we'll have to submit tickets upstream (either Electron or Node). Being able to clearly repro the issue will be critical for that.
Comment by Rahul Dhodapkar [ 22/Mar/16 ]

Just to close the loop on this - managed to get everything working locally. Turns out I needed to pass only the root CA certificate as the CAFile instead of the root CA + intermediate CA. Procedure was as follows:
I suppose that this is due to some inconsistency between the "tls" package used by the node driver and the shell's connection handling code. Not sure which is the preferred behavior. EDIT: the shell's connection behavior is the expected behavior and the one displayed by vanilla openssl. The driver's TLS management is handled by the core library packaged with Node.JS so we should use the workaround I described until it is patched.
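The two observations above (root-only CAFile works; root + intermediate in the CAFile is also accepted by vanilla openssl and the shell) can be checked locally with the script below. It is an added example, not the reporter's attached script and not Compass or driver code: it builds a two-tier local CA (root, intermediate, server certificate) with the openssl CLI and then runs `openssl verify` against four trust-store configurations, including the two that should fail. It assumes `openssl` is on PATH; the CA names, the hostname `mongo.example.test` and every file name are constructed for the demo.

```shell
#!/bin/sh
# Added example, not the script attached to this ticket: build a local
# root -> intermediate -> server PKI with the openssl CLI, then check which
# trust-store contents let the server certificate validate.
# Assumes `openssl` is on PATH; all names, paths and hostnames are constructed.
set -eu

# write_req_cnf FILE CN: minimal req config so the run does not depend on the
# system openssl.cnf. The v3_ca section is used only for the self-signed root.
write_req_cnf() {
  printf '[ req ]\ndistinguished_name = dn\nprompt = no\n[ dn ]\nCN = %s\n[ v3_ca ]\nbasicConstraints = critical, CA:TRUE\nkeyUsage = critical, keyCertSign, cRLSign\nsubjectKeyIdentifier = hash\n' "$2" > "$1"
}

# build_pki DIR: root CA, intermediate CA and a server certificate under DIR.
build_pki() {
  dir="$1"
  mkdir -p "$dir"

  # 1. Self-signed root: the only certificate a client needs to trust.
  write_req_cnf "$dir/root.cnf" "Example Local Root CA"
  openssl req -x509 -config "$dir/root.cnf" -extensions v3_ca \
    -newkey rsa:2048 -nodes -days 365 \
    -keyout "$dir/root.key" -out "$dir/root.pem" 2>/dev/null

  # 2. Intermediate CA: CSR signed by the root, marked CA:TRUE so it may issue leaves.
  write_req_cnf "$dir/int.cnf" "Example Local Intermediate CA"
  openssl req -new -config "$dir/int.cnf" -newkey rsa:2048 -nodes \
    -keyout "$dir/int.key" -out "$dir/int.csr" 2>/dev/null
  printf 'basicConstraints = critical, CA:TRUE\nkeyUsage = critical, keyCertSign, cRLSign\n' > "$dir/int.ext"
  openssl x509 -req -days 365 -in "$dir/int.csr" \
    -CA "$dir/root.pem" -CAkey "$dir/root.key" -CAcreateserial \
    -extfile "$dir/int.ext" -out "$dir/int.pem" 2>/dev/null

  # 3. Server (mongod) certificate issued by the intermediate, with a SAN.
  write_req_cnf "$dir/server.cnf" "mongo.example.test"
  openssl req -new -config "$dir/server.cnf" -newkey rsa:2048 -nodes \
    -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
  printf 'basicConstraints = CA:FALSE\nsubjectAltName = DNS:mongo.example.test\n' > "$dir/server.ext"
  openssl x509 -req -days 365 -in "$dir/server.csr" \
    -CA "$dir/int.pem" -CAkey "$dir/int.key" -CAcreateserial \
    -extfile "$dir/server.ext" -out "$dir/server.pem" 2>/dev/null

  # What the server should present: leaf first, then the intermediate (plus the
  # private key, the layout mongod expects in its PEM key file). What the
  # client trusts: root.pem alone, or the root+intermediate bundle the ticket tried.
  cat "$dir/server.pem" "$dir/int.pem" "$dir/server.key" > "$dir/server-chain-and-key.pem"
  cat "$dir/root.pem" "$dir/int.pem" > "$dir/root-and-int.pem"
}

# verify_leaf CAFILE LEAF [INTERMEDIATES]: exit 0 iff LEAF chains to a
# self-signed root in CAFILE. INTERMEDIATES are untrusted helper certificates,
# the role the server's presented chain plays in a real TLS handshake.
verify_leaf() {
  if [ -n "${3:-}" ]; then
    openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
  fi
}

# The four configurations worth comparing; each takes the PKI directory.
root_only_with_chain() { verify_leaf "$1/root.pem" "$1/server.pem" "$1/int.pem"; }          # expected: OK
bundle_with_chain()    { verify_leaf "$1/root-and-int.pem" "$1/server.pem" "$1/int.pem"; }   # OK for openssl, as the shell showed
root_only_no_chain()   { verify_leaf "$1/root.pem" "$1/server.pem"; }                        # fails: server sent no intermediate
intermediate_only()    { verify_leaf "$1/int.pem" "$1/server.pem" "$1/int.pem"; }            # fails: no self-signed anchor

# demo [DIR]: build the PKI (in DIR, or a temp dir) and report each case.
demo() {
  dir="${1:-}"
  [ -n "$dir" ] || dir="$(mktemp -d)"
  build_pki "$dir"
  for check in root_only_with_chain bundle_with_chain root_only_no_chain intermediate_only; do
    if "$check" "$dir"; then echo "$check: OK"; else echo "$check: verification failed"; fi
  done
  echo "PKI written to $dir"
}

demo "${1:-}"
```

Run it as `sh local-ca-check.sh /tmp/localca`; `root.pem` is then the file to hand to the client (the CA file field in Compass, or the driver's CA option) and `server-chain-and-key.pem` is what the server side should present. The `root_only_no_chain` case is the one to keep in mind when a root-only CAFile fails: it means the server is not sending its intermediate, which bundling the intermediate into the client's CAFile only masks.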
Comment by Rahul Dhodapkar [ 21/Mar/16 ]

Used the UI you recommended but got the following error from Compass - The same CAFile validates properly using the shell - (also tried with the Client Certificate / Client Private Key used from the shell)
Comment by Rahul Dhodapkar [ 21/Mar/16 ]

christkv - It seems like the Node.JS driver gives the same error - Would one perhaps have to add the certificate chain to the OS cert store? Using
allows everything to connect properly, but ideally we would like to validate the certificates presented against the locally generated CAFile
Comment by Matt Kangas [ 21/Mar/16 ]

Hi rahul.dhodapkar, here is a screenshot of the Compass v1.0.1 connect dialog which shows how you specify a CA file. Notice that you have to choose an SSL mode first.
Are you able to successfully connect using this information? Related usability improvement request: COMPASS-33