[DOCS-13339] CAFile (maybe) needed for SSL enabled servers
Created: 13/Jan/20   Updated: 30/Oct/23

| Field | Value |
|---|---|
| Status | Closed |
| Project | Documentation |
| Component/s | manual, Server |
| Affects Version/s | None |
| Fix Version/s | Server_Docs_20231030 |
| Type | Bug |
| Priority | Major - P3 |
| Reporter | Henrik Ingo (Inactive) |
| Assignee | Unassigned |
| Resolution | Won't Do |
| Votes | 0 |
| Labels | docs-security |
| Remaining Estimate | Not Specified |
| Time Spent | Not Specified |
| Original Estimate | Not Specified |
| Participants | |
| Days since reply | 1 year, 14 weeks, 2 days ago |
| Epic Link | DOCSP-1769 |

Description

Comments
Comment by Education Bot [ 31/Oct/22 ]

Hello! This ticket has been closed due to inactivity. If you believe this ticket is still important, please reopen it and leave a comment to explain why. Thank you!
Comment by Mark Benvenuto [ 15/Jan/20 ]

I agree with you ravind.kumar to hedge your bets by saying you should either have the intermediate+roots in either a CAFile/CAClusterFile PEM file or the system certificate store. While it is possible to run mongodb without a CAFile, it is simply not something we should recommend, as it means you have to disable certificate validation on the client or server. It means you have a valid TLS connection but you cannot be sure who you are talking to. The reason why it failed for henrik.ingo is that the CA probably provided him with an intermediate cert that the system did not have, and so the server could not send the complete certificate chain. CAs rarely sign certs with their root certificate. They usually use intermediate certs to sign end-user certs.
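The failure Mark describes above, reproduced with a throwaway PKI, as an added example that is not part of the ticket and not MongoDB's own tooling: a root CA signs an intermediate, the intermediate signs the server certificate, and `openssl verify` is used as a stand-in for the validation a client performs. Validation against the root alone fails because the issuer of the leaf is unknown; a CAFile that bundles root plus intermediate completes the chain. It assumes the `openssl` CLI and its default config are installed; the CA names, the hostname `mongod.example.test`, and the printed config snippet are constructed for the demo (the option names `net.tls.CAFile` and `net.tls.certificateKeyFile` are the documented ones as I understand them; check the manual for your server version).

```shell
#!/bin/sh
# Added example, not from the ticket or MongoDB: build root -> intermediate -> server
# chain, then show why a CAFile with only the root is not enough.
set -eu
WORK=$(mktemp -d)
cd "$WORK"

# Extensions for the two CA certificates (constructed for this demo).
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
# Extensions for the server (leaf) certificate.
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:mongod.example.test\n' > server.ext

gen_chain() {
  # 1. Self-signed root CA. Real CAs keep this key offline and rarely sign
  #    end-entity certificates with it directly.
  openssl req -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
    -subj "/CN=Example Root CA" >/dev/null 2>&1
  openssl x509 -req -in root.csr -signkey root.key -days 365 \
    -extfile ca.ext -out root.pem >/dev/null 2>&1

  # 2. Intermediate CA signed by the root. This is what a public or corporate
  #    CA normally hands you alongside your server certificate.
  openssl req -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr \
    -subj "/CN=Example Intermediate CA" >/dev/null 2>&1
  openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -days 365 -extfile ca.ext -out inter.pem >/dev/null 2>&1

  # 3. Server certificate signed by the intermediate, not by the root.
  openssl req -newkey rsa:2048 -nodes -keyout server.key -out server.csr \
    -subj "/CN=mongod.example.test" >/dev/null 2>&1
  openssl x509 -req -in server.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
    -days 365 -extfile server.ext -out server.pem >/dev/null 2>&1

  # mongod's certificateKeyFile expects certificate and private key in one PEM.
  cat server.key server.pem > mongod.pem
}

# verify_with BUNDLE: prints "ok" if server.pem chains to a certificate in BUNDLE,
# otherwise "fail". openssl trusts every certificate in -CAfile, which is how a
# CAFile holding root + intermediate completes the chain without disabling
# validation.
verify_with() {
  if openssl verify -CAfile "$1" server.pem >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# count_certs FILE: number of PEM certificates in FILE. A quick check that the
# bundle you ship contains more than just the root.
count_certs() {
  grep -c 'BEGIN CERTIFICATE' "$1"
}

gen_chain
echo "root only:         $(verify_with root.pem)"        # fail: issuer (intermediate) unknown
cat root.pem inter.pem > ca-bundle.pem
echo "root+intermediate: $(verify_with ca-bundle.pem)"   # ok
echo "certs in bundle:   $(count_certs ca-bundle.pem)"   # 2

# The corresponding mongod settings for this layout (constructed illustration).
cat <<EOF
net:
  tls:
    mode: requireTLS
    certificateKeyFile: $WORK/mongod.pem     # server cert + key
    CAFile: $WORK/ca-bundle.pem              # root + intermediate, so validation stays on
EOF
```

Running the script prints `fail` for the root-only check and `ok` once the intermediate is in the bundle. The same two-line check (`openssl verify -CAfile <your CAFile> <your server cert>`) is a cheap way to confirm a deployment's CAFile before turning on `requireTLS`, instead of working around a chain error by disabling certificate validation.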
Comment by Henrik Ingo (Inactive) [ 13/Jan/20 ]

> Wondering if we should pivot a bit and recommend always adding the root + intermediate CA to either CAFile/ClusterCAFile

You could also hedge a bit with language like "if you got a ca-file along with your certificate, you should provide it via the CAFile option".
Comment by Ravind Kumar (Inactive) [ 13/Jan/20 ]

mark.benvenuto@mongodb.com sara.golemon this feels somewhat related to the discussions and work done on DOCSP-7310. Our docs are actually not particularly precise as to when the CAFile or ClusterCAFile options should be specified - the update in DOCSP-7310 at least makes it slightly clearer when using the certificateSelector options to place everything into the system store, but if specifying the keyFile manually, based on the observations above I'm guessing that CAFile / ClusterCAFile are necessary for any TLS/SSL cert not signed by a root CA already in the OS system store by default?

Wondering if we should pivot a bit and recommend always adding the root + intermediate CA to either CAFile/ClusterCAFile or the system store (if using certificateSelector), rather than assuming the OS might have the cert by default?