[DOCS-13339] CAFile (maybe) needed for SSL enabled servers Created: 13/Jan/20  Updated: 30/Oct/23

Status: Closed
Project: Documentation
Component/s: manual, Server
Affects Version/s: None
Fix Version/s: Server_Docs_20231030

Type: Bug Priority: Major - P3
Reporter: Henrik Ingo (Inactive) Assignee: Unassigned
Resolution: Won't Do Votes: 0
Labels: docs-security
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Participants:
Days since reply: 1 year, 14 weeks, 2 days ago
Epic Link: DOCSP-1769

 Description   

https://docs.mongodb.com/manual/tutorial/configure-ssl/#set-up-mongod-and-mongos-with-tls-ssl-certificate-and-key

The manual page on configuring SSL suggests that the CAFile option is not needed for the basic configuration, only if configuring the server to use client certificates. I recently configured a MongoDB server with a commercial "real" SSL certificate, and I'm pretty sure the CAFile was required to make it work at all.

The specific error was

connection attempt failed: SSLHandshakeFailed: SSL peer certificate validation failed: unable to get local issuer certificate :

The way I understand it, the CAFile is needed to establish the chain between the certificateKeyFile and whatever root certificates are installed on the operating system and recognized by OpenSSL. Therefore it is somewhat operating-system dependent whether the issuer of a certificateKeyFile is directly trusted by a given operating system, but in the general case it is not; rather, the CAFile bridges the gap from one to the other.

 Comments   
Comment by Education Bot [ 31/Oct/22 ]

Hello! This ticket has been closed due to inactivity. If you believe this ticket is still important, please reopen it and leave a comment to explain why. Thank you!

Comment by Mark Benvenuto [ 15/Jan/20 ]

I agree with you ravind.kumar to hedge your bets by saying you should have the intermediate+roots in either a CAFile/CAClusterFile PEM file or the system certificate store. While it is possible to run MongoDB without a CAFile, it is simply not something we should recommend, as it means you have to disable certificate validation on the client or server. It means you have a valid TLS connection but you cannot be sure who you are talking to.

The reason why it failed for henrik.ingo is that the CA probably provided him with an intermediate cert that the system did not have, and so the server could not send the complete certificate chain. CAs rarely sign certs with their root certificate. They usually use intermediate certs to sign end-user certs.
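
The missing-intermediate failure described in the comment above can be reproduced offline with the openssl CLI. This is an added example, not part of the ticket or of MongoDB's documentation; the CA names, the host name db.example.test, the file names and the helper functions are all constructed for the demo, and ca-bundle.pem stands in for what the thread suggests placing in CAFile.

```shell
#!/usr/bin/env bash
# Constructed demo PKI: root CA -> intermediate CA -> server leaf (throwaway keys).
set -eu

# mkcert <dir> <name> <CN> <extfile> [issuer name]; self-signed when no issuer is given
mkcert() {
  local d="$1" n="$2" cn="$3" ext="$4" ca="${5:-}"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$cn" \
    -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null
  if [ -z "$ca" ]; then
    openssl x509 -req -in "$d/$n.csr" -signkey "$d/$n.key" -days 2 \
      -extfile "$ext" -out "$d/$n.pem" 2>/dev/null
  else
    openssl x509 -req -in "$d/$n.csr" -CA "$d/$ca.pem" -CAkey "$d/$ca.key" \
      -CAcreateserial -days 2 -extfile "$ext" -out "$d/$n.pem" 2>/dev/null
  fi
}

# build_chain <dir>: creates root.pem, inter.pem, leaf.pem and ca-bundle.pem
build_chain() {
  local d="$1"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$d/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:db.example.test\n' > "$d/leaf.ext"
  mkcert "$d" root  "Demo Root CA"         "$d/ca.ext"
  mkcert "$d" inter "Demo Intermediate CA" "$d/ca.ext" root
  mkcert "$d" leaf  "db.example.test"      "$d/leaf.ext" inter
  cat "$d/inter.pem" "$d/root.pem" > "$d/ca-bundle.pem"   # intermediate + root
}

# verify_leaf <dir> <trusted PEM> [untrusted PEM]: prints OK or the OpenSSL error text
verify_leaf() {
  local d="$1" trusted="$2" extra="${3:-}" out
  if out=$(openssl verify -CAfile "$d/$trusted" \
             ${extra:+-untrusted "$d/$extra"} "$d/leaf.pem" 2>&1); then
    echo "OK"
  else
    echo "$out" | grep -o 'unable to get local issuer certificate' | head -n1
  fi
}

demo=$(mktemp -d)
build_chain "$demo"
# Verifier trusts only the root and the peer sent only its leaf: chain cannot be built.
echo "root only:                 $(verify_leaf "$demo" root.pem)"
# Peer also sends the intermediate (a complete chain): validation succeeds.
echo "root + sent intermediate:  $(verify_leaf "$demo" root.pem inter.pem)"
# Verifier's CA bundle itself holds intermediate + root: validation succeeds.
echo "intermediate + root bundle: $(verify_leaf "$demo" ca-bundle.pem)"
```

The first case prints the same "unable to get local issuer certificate" text as the handshake error quoted in the description; the other two print OK.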

Comment by Henrik Ingo (Inactive) [ 13/Jan/20 ]

> Wondering if we should pivot a bit and recommend always adding the root + intermediate CA to either CAFile/ClusterCAFile

You could also hedge a bit with language like "if you got a ca-file along with your certificate, you should provide it via the CAFile option".

Comment by Ravind Kumar (Inactive) [ 13/Jan/20 ]

mark.benvenuto@mongodb.com sara.golemon this feels somewhat related to the discussions and work done on DOCSP-7310.

Our docs are actually not particularly precise as to when the CAFile or ClusterCAFile options should be specified - the update in DOCSP-7310 at least makes it slightly clearer when using the certificateSelector options to place everything into the system store, but if specifying the keyFile manually, based on the observations above I'm guessing that CAFile / ClusterCAFile are necessary for any TLS/SSL cert not signed by a root CA already in the OS system store by default?

Wondering if we should pivot a bit and recommend always adding the root + intermediate CA to either CAFile/ClusterCAFile or the system store (if using certificateSelector), rather than assuming the OS might have the cert by default?
