[SERVER-27832] Unable to get TLS connection to work with mongoS
Created: 27/Jan/17  Updated: 02/Feb/17  Resolved: 02/Feb/17

Status: Closed
Project: Core Server
Component/s: Admin, Security
Affects Version/s: 3.0.2
Fix Version/s: None

Type: Question Priority: Major - P3
Reporter: Mike Shaw Assignee: Mark Agarunov
Resolution: Done Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: Zip Archive MongoIssue.zip    

 Description   

Hello there,

I'm trying to get a Node JS application to connect to mongos, but it fails when I set requireSSL on the mongos service.
Windows 2012 R2
Mongo 3.0.2

I have used openSSL to create CA certificate, server certificate and client certificate and updated mongo.conf file on my MongoD server (Server=mzapp1)

	mode: requireSSL
	PEMKeyFile: "C:\\Mongo\\Certificates\\mzapp1.pem"
	CAFile: "C:\\Mongo\\Certificates\\MikeTestCA.pem"

On my MongoS server I have setup config file

	mode: requireSSL
	PEMKeyFile: "C:\\Mongo\\Certificates\\mzweb1.pem"
	CAFile: "C:\\Mongo\\Certificates\\MikeTestCA.pem"

On the NodeJS service also running on mzweb1 server, I am connecting using:

    hostname: "mzweb1",
    port: 27017,
    ssl: true,
    sslCA: require('fs').readFileSync("C:\\Mongo\\Certificates\\MikeTestCA.pem"),
    sslValidate: true,
    sslKey: require('fs').readFileSync("C:\\Mongo\\Certificates\\client.pem"),
    sslCert: require('fs').readFileSync("C:\\Mongo\\Certificates\\client.pem")

With this configuration I get error in MongoS log file when I try to connect using NodeJS

"NETWORK  [conn6] AssertionException handling request, closing client connection: 17189 The server is configured to only allow SSL connections"

If I go to a command prompt on mzweb1 and run the mongo shell, then it connects fine using the following syntax, which seems to imply my MongoS setup is OK

	C:\Mongo\MongoDB\bin\mongo --ssl --sslPEMKeyFile C:\Mongo\Certificates\client.pem --sslCAFile C:\Mongo\Certificates\MikeTestCA.pem -host mzweb1 -port 27017

However, if I change the NodeJS application to point directly to the mongoD by changing host/port to mzapp1/27018 then it also connects fine, which seems to indicate the Client.PEM file is OK, so I am confused why I am getting issues only when connecting NodeJS to MongoS

My workaround at the moment is to leave my NodeJS pointing at MongoS, but changing MongoS to "mode: preferSSL" but obviously would prefer to have everything setup for TLS (and understand better how MongoS is working!)

Can anyone advise?

Thanks



 Comments   
Comment by Mike Shaw [ 02/Feb/17 ]

You are right, problem solved. Sorry I missed such a basic setup issue.

Thanks for the help.

Comment by Mark Agarunov [ 01/Feb/17 ]

Hello mikeshaw,

Thank you for providing these files. After looking over the logs and configuration, I think I may have spotted the issue. In the node.js configuration you've provided the SSL settings look to be correct, however the mongos object is empty. As referenced in the documentation (near the end of the page), when connecting to a mongos instance, the SSL configuration should go inside the mongos object.

Currently you have the following configuration:

 
mongodb: {
   options: {
      db: {
         w: 1
      },
      server: {
         ssl: true,
         sslCA: require('fs').readFileSync("C:\\install\\Syracuse\\syracuse\\certs\\mongodb\\MikeTestCA.pem"),
         sslValidate: true,
         sslKey: require('fs').readFileSync("C:\\install\\Syracuse\\syracuse\\certs\\mongodb\\CLI_client.pem"),
         sslCert: require('fs').readFileSync("C:\\install\\Syracuse\\syracuse\\certs\\mongodb\\CLI_client.pem")
      },
      replSet: {
      },
      mongos: {
      }
   }
},

Instead, when connecting to a mongos instance, the configuration would look something like this:

 
mongodb: {
   options: {
      db: {
         w: 1
      },
      server: {
         ssl: true,
         sslCA: require('fs').readFileSync("C:\\install\\Syracuse\\syracuse\\certs\\mongodb\\MikeTestCA.pem"),
         sslValidate: true,
         sslKey: require('fs').readFileSync("C:\\install\\Syracuse\\syracuse\\certs\\mongodb\\CLI_client.pem"),
         sslCert: require('fs').readFileSync("C:\\install\\Syracuse\\syracuse\\certs\\mongodb\\CLI_client.pem")
      },
      replSet: {
      },
      mongos: {
         ssl: true,
         sslCA: require('fs').readFileSync("C:\\install\\Syracuse\\syracuse\\certs\\mongodb\\MikeTestCA.pem"),
         sslValidate: true,
         sslKey: require('fs').readFileSync("C:\\install\\Syracuse\\syracuse\\certs\\mongodb\\CLI_client.pem"),
         sslCert: require('fs').readFileSync("C:\\install\\Syracuse\\syracuse\\certs\\mongodb\\CLI_client.pem")
      }
   }
},

Please note that SERVER project is for reporting bugs or feature suggestions for the MongoDB server. For MongoDB-related support discussion please post on the mongodb-user group or Stack Overflow with the mongodb tag. A question like this involving more discussion would be best posted on the mongodb-user group.

Thanks,
Mark
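
The diagnosis in the comment above can be turned into a pre-deployment check. The following is an added example, not part of the original ticket and not the driver's own code: it lints the legacy options layout (separate server / replSet / mongos sections) for the section the connection will actually use. The names lintTlsOptions, asReported and asSuggested are hypothetical, the PEM contents are constructed placeholders, and it assumes client certificates are required, as in this ticket.

```javascript
// Added example, not the driver's code: lint the legacy options layout from
// this ticket (separate server / replSet / mongos sections) for TLS gaps.
const SECTIONS = ["server", "replSet", "mongos"];
// Assumption: the deployment uses client certificates, as in the ticket.
const TLS_KEYS = ["sslCA", "sslKey", "sslCert"];

const hasTls = (section) => Boolean(section) && section.ssl === true;

// target: which section the connection will use ("mongos" when the
// application connects through a mongos router).
function lintTlsOptions(options, target) {
  if (!SECTIONS.includes(target)) throw new Error(`unknown section: ${target}`);
  const opts = options || {};
  const section = opts[target];
  const findings = [];
  if (!hasTls(section)) {
    findings.push(`${target}: ssl is not enabled`);
    // The ticket's root cause: settings present, but under another section.
    const elsewhere = SECTIONS.filter((s) => s !== target && hasTls(opts[s]));
    if (elsewhere.length > 0) {
      findings.push(`${target}: TLS settings found only under ${elsewhere.join(", ")}`);
    }
    return findings;
  }
  if (section.sslValidate !== true) {
    findings.push(`${target}: sslValidate is not true`);
  }
  for (const key of TLS_KEYS) {
    const value = section[key];
    if (value == null || value.length === 0) {
      findings.push(`${target}: ${key} is missing or empty`);
    }
  }
  return findings;
}

// Constructed sample data: placeholder buffers stand in for the PEM files.
const pem = Buffer.from("constructed placeholder, not a real PEM");
const tls = { ssl: true, sslCA: pem, sslValidate: true, sslKey: pem, sslCert: pem };
const asReported = { db: { w: 1 }, server: { ...tls }, replSet: {}, mongos: {} };
const asSuggested = { db: { w: 1 }, server: { ...tls }, replSet: {}, mongos: { ...tls } };

console.log(lintTlsOptions(asReported, "mongos"));
console.log(lintTlsOptions(asSuggested, "mongos"));
```

Run against the reported layout with target "server", the same check returns no findings, which matches the observation that the direct mongod connection worked while the mongos connection did not.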

Comment by Mike Shaw [ 01/Feb/17 ]

Thanks for the response, have attached ZIP file with config and logs

Comment by Mike Shaw [ 01/Feb/17 ]

Thanks for the response. Have attached config and log files. See README.txt in ZIP file

Comment by Mark Agarunov [ 30/Jan/17 ]

Hello mikeshaw,

Thank you for the report. Reading over your description and provided output, I suspect that the issue you are seeing may lie in the configuration. Please provide the following, if possible, so that we can get a better idea of the problem:

  • Logs from mongod
  • Logs from mongos
  • Any logs from NodeJS that may pertain to the issue.
  • The full configuration files for mongod and mongos
  • The full configuration for the connection in NodeJS

Thanks,
Mark
