Certificates in drivers-evergreen-tools were regenerated with SHA256 a few years ago for DRIVERS-575.
mongo-orchestration is still using an old client.pem cert, which dates back seven years to 10gen/mongo-orchestration@60ab9d2. This cert appears to be injected into every internal PyMongo client whenever a configuration uses sslParams (see: common.py, sharded_clusters.py).
On my local system (Python 3.8.10, OpenSSL 1.1.1f), attempting to start an SSL cluster (e.g. load-balancer-ssl.json) emits the following error:
Traceback (most recent call last):
  File "/home/jmikola/.local/lib/python3.8/site-packages/pymongo/ssl_support.py", line 128, in get_ssl_context
    ctx.load_cert_chain(certfile, keyfile, passphrase)
ssl.SSLError: [SSL: CA_MD_TOO_WEAK] ca md too weak (_ssl.c:4046)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  ...
  File "/home/jmikola/.local/lib/python3.8/site-packages/pymongo/ssl_support.py", line 130, in get_ssl_context
    raise ConfigurationError(
pymongo.errors.ConfigurationError: Private key doesn't match certificate: [SSL: CA_MD_TOO_WEAK] ca md too weak (_ssl.c:4046)

Presumably, this can be fixed by regenerating the certificate in the mongo-orchestration repository, or just copying over one of the existing certs from drivers-evergreen-tools' x509gen directory.