[SERVER-21003] mongo shell - SSL certificate not trusted with trusted certificate Created: 19/Oct/15  Updated: 23/Oct/15  Resolved: 22/Oct/15

Status: Closed
Project: Core Server
Component/s: Security, Shell
Affects Version/s: 3.0.6
Fix Version/s: None

Type: Bug Priority: Major - P3
Reporter: dducatel Assignee: Spencer Jackson
Resolution: Done Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Backwards Compatibility: Fully Compatible
Operating System: ALL
Steps To Reproduce:

I used the official docker image

dockerfile

FROM mongo

ADD mongod-config.yml /etc/mongodb/mongod

ADD wildcart.plop.com.crt /etc/ssl/certs/wildcart.plop.com.crt
ADD wildcart.plop.com.key /etc/ssl/private/wildcart.plop.com.key
ADD GandiStandardSSLCA2.pem /usr/local/share/ca-certificates/gandi.net/GandiStandardSSLCA2.crt # comes from https://wiki.gandi.net/en/ssl/intermediate
# Concatenate key and certificate into the single PEM file mongod expects, then remove the originals.
RUN cat /etc/ssl/private/wildcart.plop.com.key /etc/ssl/certs/wildcart.plop.com.crt > /etc/ssl/certs/mongodb.pem && \
    rm /etc/ssl/private/wildcart.plop.com.key /etc/ssl/certs/wildcart.plop.com.crt && \
    update-ca-certificates && \
    c_rehash

CMD ["mongod", "--replSet", "plop", "--config", "/etc/mongodb/mongod"]

/etc/mongodb/mongod

net:
    ssl:
        mode: requireSSL
        PEMKeyFile: /etc/ssl/certs/mongodb.pem
        CAFile: /etc/ssl/certs/GandiStandardSSLCA2.pem
        allowConnectionsWithoutCertificates: true

Sprint: Security A 10/09/15
Participants:

Description

I have a problem with MongoDB when using SSL mode. When I try to connect to my database, I get this error. (I use a valid certificate from gandi.net.)

Mongo shell connection error

mongo --ssl --sslCAFile /etc/ssl/certs/GandiStandardSSLCA2.pem  --host plip.plop.com
 
MongoDB shell version: 3.0.6
connecting to: plip.plop.com:27017/test
2015-10-16T10:24:23.122+0000 E NETWORK  SSL peer certificate validation failed:certificate not trusted
2015-10-16T10:24:23.126+0000 E QUERY    Error: socket exception [CONNECT_ERROR] for
at connect (src/mongo/shell/mongo.js:181:14)
at (connect):1:6 at src/mongo/shell/mongo.js:181

Mongo server response

2015-10-16T10:26:53.034+0000 I NETWORK  [initandlisten] connection accepted from 172.17.0.227:48786 #1 (1 connection now open)
2015-10-16T10:26:53.046+0000 W NETWORK  [conn1] no SSL certificate provided by peer
2015-10-16T10:26:53.046+0000 I NETWORK  [conn1] end connection 172.17.0.227:48786 (0 connections now open)

Comments
Comment by Spencer Jackson [ 22/Oct/15 ]

Yay! I'm so glad!

It seems that this is documented... https://docs.mongodb.org/manual/tutorial/configure-ssl/ says to configure "[ssl]CAFile with the name of the .pem file that contains the root certificate chain from the Certificate Authority." Still though, if your CA is distributing its certificates like this, it will be very easy to encounter this.

Ah, that version of OpenSSL exactly explains the difference between our error messages, thank you.

Since your problem seems to be fixed, I'm going to resolve your ticket as "Works as Designed".

Cheers!

Comment by dducatel [ 22/Oct/15 ]

It's working.

I just concatenated the GandiStandardSSLCA2 with AddTrust_External_Root.pem in the sslCAFile.

I think the documentation should be updated on this point. It should explain the contents of the sslCAFile.

Thanks for your help.

PS: my OpenSSL version --> OpenSSL 1.0.1e 11 Feb 2013
PS2: it isn't a real private key.

Comment by Spencer Jackson [ 22/Oct/15 ]

No problem!

I did some digging and I found several points of interest. MongoDB needs you to specify your CA certificate in a single file, and doesn't use the system's global trust store. It looks like openssl verify is willing to grab stuff out of the global store if it has to. Gandi's CA certificates both appear to be intermediary certificates, issued ultimately off of "C=SE, O=AddTrust AB, OU=AddTrust External TTP Network, CN=AddTrust External CA Root", which was included in /etc/ssl/certs on my machine, but was not in the PEM file you linked. So when you use openssl verify on your certificate, it's able to make a chain back to that AddTrust certificate. But, MongoDB shouldn't be able to do this, and should fail to validate the certificate.

Some of the error handling in OpenSSL has changed recently, between 1.0.1 and 1.0.2, and I'm not seeing your exact error message. Using a set of intermediate CA certificates I made for testing, I'm getting "unable to get issuer certificate" when I'm missing the root certificate. Can you confirm your version of OpenSSL?

My testing suggests the client should be able to connect if you add the missing root certificate to your sslCAFile. See if you have /etc/ssl/certs/AddTrust_External_Root.pem on your system. If you do, append its contents to the end of the file you're using in sslCAFile. If you're running the client and server on different computers, make sure the updated file is the same on both systems. Then restart your server, and try running the shell again.

If that doesn't work, please send me the error messages, and the output of `openssl x509 -in <path to your public certificate> -text`.

Also, it appears that you've posted some bytes of your private key. Be aware that this ticket is publicly visible, and others may see the contents of these comments. Please think about if this might be an issue for you.
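
The behaviour Spencer describes above, reproduced with throwaway certificates as an added example (this is not code from the ticket or from MongoDB): a CA file holding only the intermediate lets the server certificate verify while openssl may fall back to the system store, but fails once that fallback is switched off, and passes again after the root is appended. It assumes OpenSSL 1.1.0 or newer on the PATH (for -no-CAfile/-no-CApath); every file name and subject below is constructed.

```shell
#!/bin/sh
# Reproduces the chain problem from this ticket with throwaway certificates:
# a CA file holding only the intermediate verifies the server cert when
# OpenSSL may fall back to the system trust store, but fails once that store
# is excluded, which is the situation mongod/mongo are in with sslCAFile.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch dir; every file name below is constructed

# Generate root -> intermediate -> leaf (test data only, never reuse these keys).
make_chain() (
    cd "$WORK"
    # Self-signed root CA (openssl req -x509 marks it CA:TRUE by default).
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 \
        -subj "/CN=Example Test Root" -keyout root.key -out root.pem 2>/dev/null
    # Intermediate CA, signed by the root, with CA:TRUE so it may issue certs.
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=Example Test Intermediate" -keyout inter.key -out inter.csr 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > inter.ext
    openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
        -days 2 -sha256 -extfile inter.ext -out inter.pem 2>/dev/null
    # Server (leaf) certificate, signed by the intermediate.
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=mongo.example.test" -keyout leaf.key -out leaf.csr 2>/dev/null
    openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
        -days 2 -sha256 -out leaf.pem 2>/dev/null
    # The fix from the thread: append the root to the intermediate-only CA file.
    cat inter.pem root.pem > inter_plus_root.pem
)

# verify_isolated CAFILE CERT: succeed only if CERT chains to CAFILE alone.
# -no-CApath/-no-CAfile stop OpenSSL adding its default CA directory and file,
# which plain "openssl verify -CAfile ..." silently consults.
verify_isolated() {
    openssl verify -no-CApath -no-CAfile -CAfile "$1" "$2" >/dev/null 2>&1
}

# Demonstration: the same check dducatel ran, but without the system store.
make_chain
if verify_isolated "$WORK/inter.pem" "$WORK/leaf.pem"; then
    echo "intermediate-only CA file: OK (unexpected)"
else
    echo "intermediate-only CA file: FAILED, OpenSSL says:"
    openssl verify -no-CApath -no-CAfile -CAfile "$WORK/inter.pem" "$WORK/leaf.pem" 2>&1 || true
fi
if verify_isolated "$WORK/inter_plus_root.pem" "$WORK/leaf.pem"; then
    echo "intermediate+root CA file: OK"
fi
```

The same two files handed to mongod's CAFile and the shell's --sslCAFile give the matching results, since neither consults /etc/ssl/certs on its own.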

Comment by dducatel [ 20/Oct/15 ]

Hi, spencer.jackson

Thanks for your reply.

So the Gandi CA and mongodb.pem files are PEM encoded. You can see the Gandi CA file here.

My mongodb.pem file is like:

/etc/ssl/mongodb.pem

-----BEGIN RSA PRIVATE KEY-----
.........
.........
.........
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
.........
.........
.........
-----END CERTIFICATE-----

And the openssl command didn't throw any errors:

openssl verify -verbose -CAfile /etc/ssl/certs/GandiStandardSSLCA2.pem /etc/ssl/certs/mongodb.pem
/etc/ssl/certs/mongodb.pem: OK

This certificate already works on many instances of Apache/nginx.
When I try to investigate a little bit more with the following command, I get a correct response.

openssl s_client -CApath /etc/ssl/certs/ -connect plip.plop.com:27017
.....
Verify return code: 0 (ok)

So do you need any other extra information?

Comment by Spencer Jackson [ 19/Oct/15 ]

Hm. dducatel, are your mongodb.pem and your Gandi CA file PEM encoded? They should contain the following lines if they are:

-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

Your mongodb.pem will also have the following lines:

-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----

You should see a bunch of base64 encoded data between each BEGIN and END line.

If the files look okay, can you verify that there is a trust relationship between the CA file and the server's PEM file? To do this, use OpenSSL:

openssl verify -verbose -CAfile /etc/ssl/certs/GandiStandardSSLCA2.pem /etc/ssl/certs/mongodb.pem

Please substitute out the paths if they are different for you. Let me know if that command yields any errors. Thanks!
