[SERVER-21003] mongo shell - SSL certificate not trusted with trusted certificate

Created: 19/Oct/15 | Updated: 23/Oct/15 | Resolved: 22/Oct/15

| Status: | Closed |
| Project: | Core Server |
| Component/s: | Security, Shell |
| Affects Version/s: | 3.0.6 |
| Fix Version/s: | None |
| Type: | Bug |
| Priority: | Major - P3 |
| Reporter: | dducatel |
| Assignee: | Spencer Jackson |
| Resolution: | Done |
| Votes: | 0 |
| Labels: | None |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Backwards Compatibility: | Fully Compatible |
| Operating System: | ALL |
| Steps To Reproduce: | I used the official docker image |
| Sprint: | Security A 10/09/15 |
| Participants: | |

Description

I have a problem on MongoDB for using the SSL mode. When I try to connect to my database, I have this error. (I use a valid certificate from gandi.net.)

Comments

Comment by Spencer Jackson [ 22/Oct/15 ]

Yay! I'm so glad! It seems that this is documented... https://docs.mongodb.org/manual/tutorial/configure-ssl/ says to configure "[ssl]CAFile with the name of the .pem file that contains the root certificate chain from the Certificate Authority." Still though, if your CA is distributing its certificates like this, it will be very easy to encounter this. Ah, that version of OpenSSL exactly explains the difference between our error messages, thank you. Since your problem seems to be fixed, I'm going to resolve your ticket as "Works as Designed". Cheers!
Comment by dducatel [ 22/Oct/15 ]

It's working. I just concatenated the GandiStandardSSLCA2 with AddTrust_External_Root.pem in the sslCAFile. I think the documentation should be updated for this point. It should explain the contents of the sslCAFile. Thanks for your help. PS: my openSSL version --> OpenSSL 1.0.1e 11 Feb 2013
Comment by Spencer Jackson [ 22/Oct/15 ]

No problem! I did some digging and I found several points of interest. MongoDB needs you to specify your CA certificate in a single file, and doesn't use the system's global trust store. It looks like openssl verify is willing to grab stuff out of the global store if it has to. Gandi's CA certificates both appear to be intermediary certificates, issued ultimately off of "C=SE, O=AddTrust AB, OU=AddTrust External TTP Network, CN=AddTrust External CA Root", which was included in /etc/ssl/certs on my machine, but was not in the PEM file you linked. So when you use openssl verify on your certificate, it's able to make a chain back to that AddTrust certificate. But MongoDB shouldn't be able to do this, and should fail to validate the certificate. Some of the error handling in OpenSSL has changed recently, between 1.0.1 and 1.0.2, and I'm not seeing your exact error message. Using a set of intermediate CA certificates I made for testing, I'm getting "unable to get issuer certificate" when I'm missing the root certificate. Can you confirm your version of OpenSSL? My testing suggests the client should be able to connect if you add the missing root certificate to your sslCAFile. See if you have /etc/ssl/certs/AddTrust_External_Root.pem on your system. If you do, append its contents to the end of the file you're using in sslCAFile. If you're running the client and server on different computers, make sure the updated file is the same on both systems. Then restart your server, and try running the shell again. If that doesn't work, please send me the error messages, and the output of `openssl x509 -in <path to your public certificate> -text`. Also, it appears that you've posted some bytes of your private key. Be aware that this ticket is publicly visible, and others may see the contents of these comments. Please think about whether this might be an issue for you.
Comment by dducatel [ 20/Oct/15 ]

Hi spencer.jackson, thanks for your reply. So the Gandi CA and mongodb.pem files are PEM encoded. You can show the Gandi CA file here. My mongodb.pem file is like:
And the openssl command didn't throw any errors:
This certificate already works on many instances of apache/nginx.
So do you need other extra information?
Comment by Spencer Jackson [ 19/Oct/15 ]

Hm. dducatel, are your mongodb.pem and your Gandi CA file PEM encoded? They should contain the following lines if they are:
Your mongodb.pem will also have the following lines:
You should see a bunch of base64 encoded data between each BEGIN and END line. If the files look okay, can you verify that there is a trust relationship between the CA file and the server's PEM file? To do this, use OpenSSL:
Please substitute out the paths if they are different for you. Let me know if that command yields any errors. Thanks!