[CSHARP-3508] ATLAS AuthenticationException: The remote certificate is invalid according to the validation procedure
Created: 30/Mar/21
Updated: 27/Oct/23
Resolved: 07/Apr/21

Status: Closed
Project: C# Driver
Component/s: Connectivity, Security
Affects Version/s: 2.10.3
Fix Version/s: None

Type: Task
Priority: Major - P3
Reporter: James Price
Assignee: Robert Stam
Resolution: Works as Designed
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

Windows Server 2019
C# 4.6.1
MongoDB Driver 2.10.3
ATLAS cluster



 Description   

When connecting to ATLAS cluster from a secure server we're receiving the following error:

Exception encountered: A timeout occured after 30000ms selecting a server using CompositeServerSelector{ Selectors = MongoDB.Driver.MongoClient+AreSessionsSupportedServerSelector, LatencyLimitingServerSelector{ AllowedLatencyRange = 00:00:00.0150000 } }. Client view of cluster state is { ClusterId : "2", ConnectionMode : "Automatic", Type : "Unknown", State : "Disconnected", Servers : [{ ServerId: "{ ClusterId : 2, EndPoint : "Unspecified/MYCLUSTERNAME-shard-00-00.34sww.mongodb.net:27017" }", EndPoint: "Unspecified/MYCLUSTERNAME-shard-00-00.34sww.mongodb.net:27017", State: "Disconnected", Type: "Unknown", HeartbeatException: "MongoDB.Driver.MongoConnectionException: An exception occurred while opening a connection to the server. ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.

 

Our source looks like this:

using System.Net;                          // ServicePointManager, SecurityProtocolType
using MongoDB.Bson;                        // GuidRepresentation
using MongoDB.Driver;                      // MongoClient, MongoClientSettings, MongoCredential
using MongoDB.Driver.Core.Configuration;   // ConnectionStringScheme

// Allow TLS 1.0 through 1.2 for framework-level connections.
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12 | SecurityProtocolType.Tls11 | SecurityProtocolType.Tls;

var settings = new MongoClientSettings
{
    ApplicationName = "iApply",
    ConnectionMode = ConnectionMode.Automatic,
    Server = new MongoServerAddress(clusterSVRHostname),
    Credential = MongoCredential.CreateCredential(authDb, username, password),
    Scheme = ConnectionStringScheme.MongoDBPlusSrv,
    UseTls = true,
    GuidRepresentation = GuidRepresentation.CSharpLegacy
};

// settings.SslSettings = new SslSettings
// {
//     CheckCertificateRevocation = true // <= this causes timeout on servers with restricted connectivity!!!
// };

var client = new MongoClient(settings);
var db = client.GetDatabase("databaseName");

As it's caused problems in the past, we've commented out `CheckCertificateRevocation` as we've seen this cause timeouts. However, in this case, it's not helping.

We DO NOT want to disable certificate validation in production for obvious security reasons.

 

Things we've tried:

  • We've ensured all IP Addresses are whitelisted.
  • We CAN connect from Compass from the SAME server.
  • We CAN telnet to one of the resolved IP addresses on port 27017 from the same server.
  • The C# code DOES work from other servers, but not this one (production).


 Comments   
Comment by Robert Stam [ 07/Apr/21 ]

Thanks for letting us know. We will close this ticket based on your update.

Comment by James Price [ 01/Apr/21 ]

Apparently the AZURE server that was commissioned for us was missing a few Root CA certificates.

The important one being the "DST Root CA X3" certificate.

After installing this root CA, we're now able to successfully connect to Atlas and verify the certificate.
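
To see which chain element Windows rejects while leaving validation fully enforced, a stand-alone check like the one below can be run on the affected server. It is an added example, not code from the ticket or from the MongoDB driver; the class name, the host name passed on the command line, and the use of a raw `SslStream` in place of the driver are assumptions, and revocation checking is left off as in the ticket's code.

```csharp
using System;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Security.Cryptography.X509Certificates;

static class TlsChainDiagnostic
{
    // Explains the platform's verdict and returns it unchanged: validation is never relaxed.
    static bool LogAndEnforce(object sender, X509Certificate cert, X509Chain chain, SslPolicyErrors errors)
    {
        Console.WriteLine("SslPolicyErrors: " + errors);
        if (chain == null) return errors == SslPolicyErrors.None;
        foreach (X509ChainElement element in chain.ChainElements)
        {
            Console.WriteLine("  " + element.Certificate.Subject + " <- issued by " + element.Certificate.Issuer);
            foreach (X509ChainStatus status in element.ChainElementStatus)
                Console.WriteLine("    " + status.Status + ": " + status.StatusInformation.Trim());
        }
        return errors == SslPolicyErrors.None;
    }

    // True when a certificate whose subject contains rootName is in the machine's trusted root store.
    static bool RootIsInstalled(string rootName)
    {
        using (var store = new X509Store(StoreName.Root, StoreLocation.LocalMachine))
        {
            store.Open(OpenFlags.ReadOnly);
            return store.Certificates.Find(X509FindType.FindBySubjectName, rootName, false).Count > 0;
        }
    }

    static int Main(string[] args)
    {
        // args[0] (assumption): one shard host name from the exception text; 27017 is the port shown in the ticket.
        if (args.Length != 1) { Console.Error.WriteLine("usage: TlsChainDiagnostic <shard-host>"); return 2; }
        Console.WriteLine("DST Root CA X3 installed: " + RootIsInstalled("DST Root CA X3"));
        try
        {
            using (var tcp = new TcpClient(args[0], 27017))
            using (var ssl = new SslStream(tcp.GetStream(), false, LogAndEnforce))
            {
                ssl.AuthenticateAsClient(args[0], null, SslProtocols.Tls12, false);
                Console.WriteLine("Handshake OK: chain builds to a trusted root.");
                return 0;
            }
        }
        catch (AuthenticationException ex) { Console.WriteLine("Handshake rejected: " + ex.Message); return 1; }
    }
}
```

A root that is absent from the trust store typically appears as a `PartialChain` or `UntrustedRoot` status on the last chain element printed.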

Generated at Wed Feb 07 21:45:29 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.