[COMPASS-349] Support connecting with self-signed certificates which use a local certificate authority Created: 21/Mar/16  Updated: 10/Jan/24  Resolved: 02/Aug/19

Status: Closed
Project: Compass
Component/s: Connectivity
Affects Version/s: None
Fix Version/s: None

Type: New Feature Priority: Major - P3
Reporter: Rahul Dhodapkar Assignee: Unassigned
Resolution: Won't Do Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: PNG File INT_1302_Compass_1.0.1_connect.png; PNG File compass-ssl.png
Issue Links:
Related
is related to NODE-782 SSL validation may fail depending on ... Closed

 Description   

Hey Everyone!

Working with a client who set up a local CA to generate their certificates and they want to connect with compass. Their certificates validate properly when connecting with the mongo shell but when trying to connect to compass they get a "self signed certificate" error.

Is there any way to allow connections where the root certificate is from a local CA? Perhaps I am including the wrong certificates in the certificate chain?



 Comments   
Comment by Ari Rabinowitz [ 10/May/21 ]

Compass does allow connecting to a MongoDB which uses a self-signed certificate, if you fill in the connection fields individually, but not if you paste in a connection string. Why this discrepancy between specifying the fields individually and in a connection string?

Please see my topic in the community Developer Tools forum:
https://developer.mongodb.com/community/forums/t/compass-connection-string-to-connect-to-self-signed-certificate/106438

Thank you, Ari

Comment by Massimiliano Marcon [ 02/Aug/19 ]

May or may not work now, but there has been no activity on the ticket for 2 years so I am closing.

Comment by Lucas Hrabovsky (Inactive) [ 23/May/17 ]

Recent changes to electron should now allow Compass to do this (w/o changes to node.js driver). See dialog.showCertificateTrustDialog()

Related:

Comment by Peter Schmidt [ 16/Nov/16 ]

I think we should retest with at least Compass 1.5.0-beta.3 or later first as time permits.

If this is still not fixed upstream in the nodejs driver, then it may be worthwhile for Compass to spend some time on it, but it would most likely be after we clear many of the other bugs and connectivity issues in our current backlog.

Comment by Rahul Dhodapkar [ 04/Apr/16 ]

Haven't had time to put together a vanilla node.js reproduction of the issue but I created a script that will build a Root CA + Intermediate CA in a configurable directory, which makes it easy to cleanly reproduce the issue.

Give it a try and let me know if you have any trouble getting it to work!

Comment by Rahul Dhodapkar [ 01/Apr/16 ]

matt.kangas

I'm almost certain this is a problem with the core Node library and not Compass or the driver, so I'm going to see if I can build a repro against that directly. Goal for today is to get that together and submit a ticket upstream we can track!

Comment by Matt Kangas [ 01/Apr/16 ]

rahul.dhodapkar - thanks for the update!

Since you are now the expert in this matter - can you please create a way for us to quickly repro both scenarios (e.g. the certs needed plus instructions on how to recreate them), and attach that as a tarball?

We use the version of OpenSSL that is bundled with Electron, so if we want to make any changes in this area, we'll have to submit tickets upstream (either Electron or Node). Being able to clearly repro the issue will be critical for that.

Comment by Rahul Dhodapkar [ 22/Mar/16 ]

Just to close the loop on this - managed to get everything working locally. Turns out I needed to pass only the root CA certificate as the CAFile instead of the root CA + intermediate CA. Procedure was as follows:

  1. create Root (self-signed) CA
  2. create Intermediary CA (signed by Root CA)
  3. create mongod server cert (signed by Intermediary CA)
  4. create client cert (signed by Intermediary CA)
  5. pass Compass Root CA cert as CAFile and client cert + private key to use Compass with "Server and Client Validation"

I suppose that this is due to some inconsistency between the "tls" package used by the node driver and the shell's connection handling code. Not sure which is the preferred behavior.

EDIT: the shell's connection behavior is the expected behavior and the one displayed by vanilla openssl. The driver's TLS management is handled by the core library packaged with Node.JS so we should use the workaround I described until it is patched.
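
The five-step procedure above, as an added example that is not part of this ticket, of Compass or of the Node.js driver: a POSIX shell script that builds the Root CA -> Intermediate CA -> server cert / client cert layout with openssl, then runs the chain checks a TLS client performs, so the two behaviours discussed here can be compared on the command line. Check 5a is the working configuration from the comment (only root.pem as the CAFile, with the server presenting its own cert plus the intermediate); 5b shows the same root-only CAFile failing when the server presents only its leaf; 5c is the reporter's first attempt (root + intermediate concatenated as the CAFile), which vanilla openssl accepts. Directory layout, CNs, file names, validity periods and the extension sets are assumptions; openssl 1.1.0 or later is assumed for -verify_hostname.

```shell
#!/bin/sh
# Added example, not code from the ticket or from Compass. Builds the two-tier
# test PKI described in the comment above with openssl and runs the chain checks
# a client performs. File names, CNs and the directory layout are assumptions.
set -eu

# issue_cert DIR NAME SUBJECT ISSUER EXTFILE
# Generates a key + CSR for NAME and signs it with ISSUER's key (or self-signs when ISSUER is "self").
issue_cert() {
  dir="$1"; name="$2"; subj="$3"; issuer="$4"; ext="$5"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "$subj" \
    -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
  if [ "$issuer" = self ]; then
    openssl x509 -req -sha256 -days 3650 -in "$dir/$name.csr" \
      -signkey "$dir/$name.key" -extfile "$ext" -out "$dir/$name.pem" 2>/dev/null
  else
    openssl x509 -req -sha256 -days 825 -in "$dir/$name.csr" \
      -CA "$dir/$issuer.pem" -CAkey "$dir/$issuer.key" -CAcreateserial \
      -extfile "$ext" -out "$dir/$name.pem" 2>/dev/null
  fi
}

# build_pki DIR : steps 1-4 of the procedure; writes root/intermediate/server/client .pem and .key files
build_pki() {
  dir="$1"
  mkdir -p "$dir"
  # 1. self-signed root CA
  printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
    'keyUsage=critical,keyCertSign,cRLSign' 'subjectKeyIdentifier=hash' >"$dir/root.ext"
  issue_cert "$dir" root "/CN=Local Test Root CA" self "$dir/root.ext"
  # 2. intermediate CA signed by the root; pathlen:0 restricts it to issuing end-entity certs
  printf '%s\n' 'basicConstraints=critical,CA:TRUE,pathlen:0' \
    'keyUsage=critical,keyCertSign,cRLSign' 'subjectKeyIdentifier=hash' \
    'authorityKeyIdentifier=keyid:always' >"$dir/intermediate.ext"
  issue_cert "$dir" intermediate "/CN=Local Test Intermediate CA" root "$dir/intermediate.ext"
  # 3. mongod server cert signed by the intermediate; the SAN is what hostname verification checks
  printf '%s\n' 'basicConstraints=critical,CA:FALSE' \
    'keyUsage=critical,digitalSignature,keyEncipherment' 'extendedKeyUsage=serverAuth' \
    'subjectAltName=DNS:localhost,IP:127.0.0.1' 'authorityKeyIdentifier=keyid:always' >"$dir/server.ext"
  issue_cert "$dir" server "/CN=localhost" intermediate "$dir/server.ext"
  # 4. client cert signed by the intermediate (used for "Server and Client Validation")
  printf '%s\n' 'basicConstraints=critical,CA:FALSE' \
    'keyUsage=critical,digitalSignature' 'extendedKeyUsage=clientAuth' \
    'authorityKeyIdentifier=keyid:always' >"$dir/client.ext"
  issue_cert "$dir" client "/CN=compass-user" intermediate "$dir/client.ext"
  # What the server should present in the handshake: its own cert followed by the intermediate
  cat "$dir/server.pem" "$dir/intermediate.pem" >"$dir/server-chain.pem"
}

# 5a. Only root.pem trusted (the CAFile from the comment) and the server sends leaf + intermediate: OK
verify_root_only_with_chain() {
  openssl verify -CAfile "$1/root.pem" -untrusted "$1/server-chain.pem" \
    -verify_hostname localhost "$1/server.pem" >/dev/null 2>&1
}

# 5b. Same root-only CAFile, but the server sends only its leaf: no path to the root, so this fails
verify_root_only_leaf_only() {
  openssl verify -CAfile "$1/root.pem" "$1/server.pem" >/dev/null 2>&1
}

# 5c. The reporter's first attempt: root + intermediate concatenated as the CAFile; openssl accepts it
verify_bundled_cafile() {
  cat "$1/root.pem" "$1/intermediate.pem" >"$1/ca-bundle.pem"
  openssl verify -CAfile "$1/ca-bundle.pem" "$1/server.pem" >/dev/null 2>&1
}

# Stand-alone run: PKI_DIR defaults to a fresh temporary directory
PKI_DIR="${PKI_DIR:-$(mktemp -d)}"
build_pki "$PKI_DIR"
echo "PKI written to $PKI_DIR"
verify_root_only_with_chain "$PKI_DIR" && echo "CAFile=root.pem, server sends leaf+intermediate: OK"
verify_root_only_leaf_only "$PKI_DIR" || echo "CAFile=root.pem, server sends leaf only: FAIL (expected)"
verify_bundled_cafile "$PKI_DIR" && echo "CAFile=root+intermediate bundle, server sends leaf only: OK"
```

The practical consequence of 5a versus 5b is that a client configured with only the root as its CAFile can validate the mongod cert only if mongod presents the intermediate itself; the script writes server-chain.pem for that purpose, and the operator still has to append server.key when assembling the PEM file mongod is started with (assumption: the server sends every certificate found in that file, as OpenSSL-based servers normally do). The client.pem/client.key pair is what step 5 of the comment hands to Compass alongside root.pem.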

Comment by Rahul Dhodapkar [ 21/Mar/16 ]

matt.kangas

Used the UI you recommended but got the following error from Compass -

The same CAFile validates properly using the shell - (also tried with the Client Certificate / Client Private Key used from the shell)

Comment by Rahul Dhodapkar [ 21/Mar/16 ]

christkv -

It seems like the Node.JS driver gives the same error. Would one perhaps have to add the certificate chain to the OS cert store? Using

sslValidate: false

allows everything to connect properly, but ideally we would like to validate the certificates presented against the locally generated CAFile.

Comment by Matt Kangas [ 21/Mar/16 ]

Hi rahul.dhodapkar,

Here is a screenshot of the Compass v1.0.1 connect dialog which shows how you specify a CA file. Notice that you have to choose an SSL mode first.

Are you able to successfully connect using this information?

Related usability improvement request: COMPASS-33

Generated at Wed Feb 07 22:24:59 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.