[COMPASS-5140] Cannot connect to server with Let's Encrypt certs. Created: 05/Oct/21  Updated: 29/Oct/23  Resolved: 09/Nov/21

Status: Closed
Project: Compass
Component/s: Compass, Connectivity
Affects Version/s: 1.28.4
Fix Version/s: 1.29.4

Type: Bug
Priority: Critical - P2
Reporter: Jesper van den Ende
Assignee: Unassigned
Resolution: Fixed
Votes: 2
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

MongoDB Compass 1.28.4
macOS 11.6


Issue Links:
Depends
Related
related to COMPASS-4098 Upgrade to electron 13 Closed
Documentation Changes: Not Needed

 Description   

Problem Statement/Rationale

Our server is using certificates from Let's Encrypt, but when I try to connect it hangs for a minute or so, before finally giving up with 'certificate has expired'.

Could this be caused by the recent expiry of the Let's Encrypt root certificates? I believe this was working before, though it's been a while since I last connected so I can't tell for sure.

I'm using the SSL value 'System CA / Atlas Deployment', but only 'Unvalidated (insecure)' works.

Is there any way to verify if this is indeed caused by the expiry of the Let's Encrypt Root Cert?

Steps to Reproduce

It's a bit of a lengthy setup, but the gist of it is that we have a DigitalOcean droplet with MongoDB installed. After fetching certs with certbot, a file is generated using

cat /etc/letsencrypt/live/example.com/fullchain.pem /etc/letsencrypt/live/example.com/privkey.pem > /etc/ssl/mongo.pem

This file is referenced in mongod.conf:

net:
  tls:
    mode: requireTLS
    certificateKeyFile: /etc/ssl/mongo.pem

Then I try to connect to the database in Compass with SSL set to 'System CA / Atlas Deployment'.

Expected Results

It connects.

Actual Results

'certificate has expired'
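
One way to inspect the chain the server is configured to send, as an added example that is not part of the original ticket: it lists every certificate in a combined PEM file such as /etc/ssl/mongo.pem with its subject, issuer and expiry state. `chain_report` and `make_sample_bundle` are hypothetical helper names and the sample certificate is constructed; the issuer on the last line is what the client must find, unexpired, in its own trust store.

```shell
#!/bin/sh
# Added example, not from the ticket. chain_report and make_sample_bundle are
# hypothetical helper names; both need only awk and the openssl CLI.

# chain_report BUNDLE [SECONDS]
# One line per certificate: index|state|notAfter|subject|issuer
# state is EXPIRED when the certificate is not valid SECONDS from now
# (default 0 = now). Returns 1 if any is EXPIRED, 2 if none was found.
chain_report() {
  bundle=$1
  ahead=${2:-0}
  dir=$(mktemp -d) || return 2
  # Keep only CERTIFICATE blocks; the private key appended by cat is skipped.
  awk -v d="$dir" '
    /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/%02d.pem", d, n) }
    f { print > f }
    /-----END CERTIFICATE-----/ { close(f); f = "" }
  ' "$bundle"
  rc=0; i=0
  for c in "$dir"/*.pem; do
    [ -f "$c" ] || { rc=2; break; }
    i=$((i + 1))
    if openssl x509 -in "$c" -noout -checkend "$ahead" >/dev/null 2>&1; then
      state=ok
    else
      state=EXPIRED; rc=1
    fi
    end=$(openssl x509 -in "$c" -noout -enddate | cut -d= -f2-)
    sub=$(openssl x509 -in "$c" -noout -subject | sed 's/^subject= *//')
    iss=$(openssl x509 -in "$c" -noout -issuer | sed 's/^issuer= *//')
    printf '%s|%s|%s|%s|%s\n' "$i" "$state" "$end" "$sub" "$iss"
  done
  rm -rf "$dir"
  return "$rc"
}

# Constructed sample: throwaway self-signed cert (valid 1 day) plus its key,
# concatenated the same way as /etc/ssl/mongo.pem.
make_sample_bundle() {
  t=$(mktemp -d) || return 2
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=sample.invalid" \
    -keyout "$t/privkey.pem" -out "$t/fullchain.pem" >/dev/null 2>&1 || return 2
  cat "$t/fullchain.pem" "$t/privkey.pem" > "$1"
  rm -rf "$t"
}

# Usage: sh chain_report.sh /etc/ssl/mongo.pem
if [ "$#" -gt 0 ]; then chain_report "$@"; fi
```

Passing a second argument such as 604800 reports certificates that will no longer be valid a week from now, which is useful as a renewal check.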

 Comments   
Comment by Jesper van den Ende [ 25/Oct/21 ]

Thanks!

I can confirm this fixed the issue for me on macOS 

Comment by Anna Henningsen [ 25/Oct/21 ]

jespertheend@gmail.com Sorry, my bad! That's an internal link at this point still. The release artifacts for this (1.29.0-beta.4) are available here though:

macOS:

https://mciuploads.s3.amazonaws.com/10gen-compass-testing/1e4b64d36b1f72cc435aabdcf9f3017d6e404f46/MongoDB%20Compass%20Beta.dmg

https://mciuploads.s3.amazonaws.com/10gen-compass-testing/1e4b64d36b1f72cc435aabdcf9f3017d6e404f46/MongoDB%20Compass%20Beta.zip

RHEL:

https://mciuploads.s3.amazonaws.com/10gen-compass-testing/1e4b64d36b1f72cc435aabdcf9f3017d6e404f46/mongodb-compass-beta-1.29.0-beta.4-rhel-x64.tar.gz

https://mciuploads.s3.amazonaws.com/10gen-compass-testing/1e4b64d36b1f72cc435aabdcf9f3017d6e404f46/mongodb-compass-beta-1.29.0-beta.4.x86_64.rpm

Ubuntu:

https://mciuploads.s3.amazonaws.com/10gen-compass-testing/1e4b64d36b1f72cc435aabdcf9f3017d6e404f46/mongodb-compass-beta-1.29.0-beta.4-linux-x64.tar.gz

https://mciuploads.s3.amazonaws.com/10gen-compass-testing/1e4b64d36b1f72cc435aabdcf9f3017d6e404f46/mongodb-compass-beta_1.29.0~beta.4_amd64.deb

Windows:

https://mciuploads.s3.amazonaws.com/10gen-compass-testing/1e4b64d36b1f72cc435aabdcf9f3017d6e404f46/MongoDB%20Compass%20Beta-windows.zip

https://mciuploads.s3.amazonaws.com/10gen-compass-testing/1e4b64d36b1f72cc435aabdcf9f3017d6e404f46/MongoDB%20Compass%20BetaSetup.exe

https://mciuploads.s3.amazonaws.com/10gen-compass-testing/1e4b64d36b1f72cc435aabdcf9f3017d6e404f46/MongoDBCompassBeta-1.29.0-beta4-full.nupkg

https://mciuploads.s3.amazonaws.com/10gen-compass-testing/1e4b64d36b1f72cc435aabdcf9f3017d6e404f46/MongoDBCompassBeta.msi

Comment by Jesper van den Ende [ 25/Oct/21 ]

The link doesn't work, am I missing something?

There's a few other releases but they only contain the source code.

Comment by Anna Henningsen [ 22/Oct/21 ]

Sorry it took a while, but here's the beta version referenced above: https://github.com/mongodb-js/compass/releases/tag/untagged-35651217119320dab8cd

Comment by Jesper van den Ende [ 06/Oct/21 ]

Thanks for the info Anna! Good to know that this is indeed caused by the root expiration.

Comment by Anna Henningsen [ 06/Oct/21 ]

Hi jespertheend@gmail.com, thanks for the report! Yes, this is due to the Let's Encrypt root certificate expiration, and I think you’re correct in that using "Unvalidated (insecure)" is the (unfortunate) main workaround here for the time being.

We are planning to release a beta version of Compass next week that should address this – you can follow COMPASS-5125 for progress on that.
