[CSHARP-1806] how do you set sslCAFile for MongoDB.Driver Created: 21/Oct/16  Updated: 05/Apr/19  Resolved: 31/Aug/18

Status: Closed
Project: C# Driver
Component/s: Security
Affects Version/s: 2.3
Fix Version/s: None

Type: Task Priority: Major - P3
Reporter: Tim Gourley Assignee: Unassigned
Resolution: Done Votes: 0
Labels: driver, question
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

windows 10, MongoDB.Driver running in service fabric app. Using connect string for driver config.



Description

We have created a self-signed root CA cert, an intermediate CA cert, and a server cert with various subjectaltnames (that map to the hosts in replication)
Since our root cert is not trusted by default we have installed it in all the usual windows trust stores (local user and machine).
This certificate configuration has worked for several clients so we believe it to be ok.

We have configured MongoDB version v3.2.10 like this -

%BINPATH% --replSet %REPLSETNAME% --clusterAuthMode x509 --sslClusterFile %CLUSTERCLIENTCERT% --sslMode requireSSL --sslAllowConnectionsWithoutCertificates --sslPEMKeyFile %KEYFILE% --sslCAFile %CAFILE% --port %PORT% --dbpath=%DBPath% --logpath=%LOGPATH% --serviceName %SERVICENAME% --serviceDisplayName %SERVICENAME% --smallfiles --logappend --auth --install

sslPEMKeyFile does include the full chain, I have seen missing intermediate certs being a problem.

The good -
We have been able to connect various clients, usually by specifying the sslCAFile option (which seems consistent with the documentation)
Robomongo 0.9.0-RC10 also works fine (w/ required sslCAFile option)
For Mongoose we were able to inject our cert into the nodejs trust store.

The bad -
For the MongoDB.Driver (c#) client we are using a connect string that looks like so -

mongodb://somedb:somedb@xxx0,xxx1,xxx2/SomeDB?replicaSet=repset0&ssl=true&readPreference=secondary

The error from the client looks like this -

at MongoDB.Driver.Core.Servers.ServerMonitor.<HeartbeatAsync>d__27.MoveNext()" }, { ServerId: "{ ClusterId }", EndPoint: "Unspecified/xxx0:27017", State: "Disconnected", Type: "Unknown", HeartbeatException: "MongoDB.Driver.MongoConnectionException: An exception occurred while opening a connection to the server.
System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.

If we turn off certificate validation it works.

I'm pretty confident it is a client side trust issue but I can't seem to figure out how to configure the client in this case.

Is this a gap in functionality, documentation, or do you think running in service fabric is an issue?

For the heck of it we tried adding &sslCAFile=cacerts.pem (and copied the file into the distribution at various places) but it had no effect.

Any guidance would be appreciated.
Tim



Comments
Comment by Jeffrey Yemin [ 31/Aug/18 ]

Sorry for dropping the ball on this. We haven't heard of any other users running into this, so I'm going to close this, but please comment back if this is still an issue for you.

Comment by Craig Wilson [ 02/Nov/16 ]

Ok... this is the first report we've had of this not working. Underneath, we are simply using the SslStream. We'll go ahead and double check on our side and see if we can get it to break.

Craig

Comment by Tim Gourley [ 02/Nov/16 ]

This is windows platform. (windows 10 if it matters)
I've added the signer certs into the machine and current user trust stores but it appears the C# driver is not using them.
It is working for browsers and other apps which use the same certificate stores so I'm confident the certs are in the right stores.
(we had this requirement long before we were using the C# mongo driver)
Anyway, it sounds like you are saying this is a tested scenario and the C# driver supports it.
If that is the case then I don't know why this would not work in my case since the certs are in the expected trust stores and are found (/trusted) by other applications.
Thanks,
Tim

Comment by Craig Wilson [ 02/Nov/16 ]

Hi Tim,

You manage trusted certificates for the .NET driver the same way you would for any .NET application. Windows contains a trusted certificate store.

Now, I haven't researched how this would be done on other operating systems. Are you asking about windows or linux (or mac)?

Craig
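As an added example (not code from the ticket or from the driver's documentation), this is how a .NET application can get sslCAFile-style behaviour from MongoDB.Driver: the connect string has no such option, but `SslSettings.ServerCertificateValidationCallback` lets the application validate the server chain against a specific cacerts.pem instead of only the Windows store. It assumes the driver 2.x settings API (`MongoClientSettings.UseSsl`, `SslSettings`) and builds the chain with `X509Chain.ExtraStore` plus a byte-for-byte check of the chain anchor, because the .NET Framework chain engine has no per-application trust store; the class name and file path are assumptions.

```csharp
using System;
using System.IO;
using System.Linq;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
using System.Text.RegularExpressions;
using MongoDB.Driver;
// Trust a private CA bundle (cacerts.pem) for MongoDB.Driver instead of relying on the Windows store.
static class MongoCaFileTrust
{
    // Pull every CERTIFICATE block out of a PEM bundle (root + intermediates); parsed by hand because
    // new X509Certificate2(path) reads only the first block of a multi-cert PEM.
    static readonly Regex PemBlock = new Regex(
        "-----BEGIN CERTIFICATE-----(?<b64>.*?)-----END CERTIFICATE-----", RegexOptions.Singleline);

    public static X509Certificate2[] LoadPemBundle(string caFilePath) =>
        PemBlock.Matches(File.ReadAllText(caFilePath)).Cast<Match>()
            .Select(m => new X509Certificate2(Convert.FromBase64String(
                Regex.Replace(m.Groups["b64"].Value, @"\s+", ""))))
            .ToArray();

    // Accept the server certificate only when its chain, built with the bundle as extra material,
    // terminates at a certificate that is byte-for-byte one of the CAs from the file.
    // Name mismatches and a missing certificate are still rejected; only chain-trust errors are re-evaluated.
    public static bool ValidateAgainstCaFile(X509Certificate cert, SslPolicyErrors errors, X509Certificate2[] cas)
    {
        if (cert == null) return false;
        if ((errors & ~SslPolicyErrors.RemoteCertificateChainErrors) != SslPolicyErrors.None) return false;
        if (errors == SslPolicyErrors.None) return true;   // already trusted by the OS store
        using (var chain = new X509Chain())
        {
            chain.ChainPolicy.ExtraStore.AddRange(cas);
            chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;  // assumption: private CA publishes no CRL
            chain.ChainPolicy.VerificationFlags = X509VerificationFlags.AllowUnknownCertificateAuthority;
            if (!chain.Build(new X509Certificate2(cert))) return false;     // expiry, signature, usage errors still fail here
            var anchor = chain.ChainElements[chain.ChainElements.Count - 1].Certificate;
            return cas.Any(ca => ca.RawData.SequenceEqual(anchor.RawData));
        }
    }

    public static MongoClient Create(string connectionString, string caFilePath)
    {
        var cas = LoadPemBundle(caFilePath);
        var settings = MongoClientSettings.FromUrl(new MongoUrl(connectionString));
        settings.UseSsl = true;   // driver 2.x name; later versions call this UseTls
        settings.SslSettings = new SslSettings
        {
            ServerCertificateValidationCallback = (sender, c, chain, errors) => ValidateAgainstCaFile(c, errors, cas)
        };
        return new MongoClient(settings);
    }
}
```

When the OS store already trusts the CA the callback simply accepts (`errors == None`), so installing the root into the machine store as the reporter did remains the simplest path; the callback only matters when that store cannot be used.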

Comment by Tim Gourley [ 24/Oct/16 ]

I've completed testing outside a service fabric environment and see the same issue.
My root question is "how is the trust CA store configured for the C# driver"?
This is configured via the sslCAFile and sslCA options in other drivers/clients.
If it is supposed to use the machine/user trust store, I seem to be having issues configuring so that the driver uses it.
(to be clear, web browsers and other apps are able to validate this root cert, and likewise the chain for the server certs, so I'm pretty confident the cert and trust stores are configured properly)
Thanks,
Tim
