[SERVER-34278] After Mongo Upgrade: The server certificate does not match the host name on valid wildcard cert
Created: 03/Apr/18 Updated: 27/Oct/23 Resolved: 19/Apr/18

| Status: | Closed |
| Project: | Core Server |
| Component/s: | Security |
| Affects Version/s: | None |
| Fix Version/s: | None |
| Type: | Question |
| Priority: | Major - P3 |
| Reporter: | Konstantin Ivanov |
| Assignee: | Backlog - Triage Team |
| Resolution: | Works as Designed |
| Votes: | 0 |
| Labels: | security |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Assigned Teams: | Server Triage |
| Participants: | |
Description

I have a valid wildcard cert (e.g. *.domain.com), signed from a CA. Once I upgraded Mongo from 2.6.12 to 3.0.15, trying to connect with the mongo client I get:
The only thing that changed is the Mongo version. Any suggestions as to why this is not working?
Comments

Comment by Ramon Fernandez Marina [ 19/Apr/18 ]
Further information from a colleague:
Comment by Konstantin Ivanov [ 09/Apr/18 ]
Yes, indeed that was the issue. Thanks for confirming.
Comment by Kenneth White [ 09/Apr/18 ]
Agree. Might be worth verifying exactly what the Subject Name (common domain name) and SANs show when connecting (host or IP will work here for the mongod name). Here's a variant of an easy one-liner (works on Linux, not sure about Mac):

    echo | openssl s_client -connect example.mongodb.net:27017 2>&1 | openssl x509 -noout -text | grep -A1 -i 'Subject:\|Alternative Name'
Comment by Konstantin Ivanov [ 03/Apr/18 ]
Is this because the hostname validation is now strictly enforced when specifying the CA file, and the wildcard cert cannot validate nor cover the hostname that has multiple levels?
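The multi-level wildcard question above, together with Kenneth White's suggestion to check what the CN and SANs actually cover, worked through as an added example. This is not code from the ticket, from MongoDB or from OpenSSL; it is a small RFC 6125-style hostname matcher run over constructed certificate dicts shaped like what Python's `ssl.SSLSocket.getpeercert()` returns. The host names (`mongo1.domain.com`, `mongo1.prod.domain.com`, `10.0.0.1`) are invented, and the strict rule that `*` must be the whole left-most label is an assumption of this matcher, not a statement about MongoDB's validator.

```python
"""Added example for SERVER-34278 (not code from the ticket or from MongoDB):
RFC 6125-style hostname matching, showing why a *.domain.com certificate
covers mongo1.domain.com but not mongo1.prod.domain.com.

The certificate dicts are constructed to mimic the shape returned by
ssl.SSLSocket.getpeercert(); every host name in this file is invented."""
import ipaddress


def wildcard_match(pattern, hostname):
    """Match one presented DNS name against a hostname.

    Rules applied (RFC 6125 section 6.4.3, read strictly; an assumption of
    this example, not a description of any particular validator):
      * comparison is case-insensitive and ignores a trailing dot;
      * '*' is only accepted as the entire left-most label;
      * '*' matches exactly one label, so it never spans a dot;
      * the wildcard needs at least two labels to its right ('*.com' is rejected).
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in lbl for lbl in p_labels[1:]):
        return False
    if len(h_labels) != len(p_labels):
        return False  # '*' cannot absorb 'prod.' : the multi-level case from the ticket
    return bool(h_labels[0]) and h_labels[1:] == p_labels[1:]


def names_from_cert(cert):
    """Return (dns_names, ip_names) for a getpeercert()-shaped dict.

    The subject commonName is consulted only when the certificate carries no
    DNS subjectAltName entries, which is the RFC 6125 section 6.4.4 fallback."""
    dns, ips = [], []
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            dns.append(value)
        elif kind == "IP Address":
            ips.append(value)
    if not dns:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    dns.append(value)
    return dns, ips


def cert_matches_host(cert, hostname):
    """Return (True, matched_name) or (False, None).

    An IP literal is compared only against IP Address SAN entries; a DNS
    name is compared against DNS SAN entries (or the CN fallback)."""
    dns, ips = names_from_cert(cert)
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None
    if ip is not None:
        for cand in ips:
            if ipaddress.ip_address(cand) == ip:
                return True, cand
        return False, None
    for cand in dns:
        if wildcard_match(cand, hostname):
            return True, cand
    return False, None


# Constructed certificates (not real). WILDCARD_CERT is the ticket's situation:
# a single-level wildcard. FIXED_CERT adds the SAN entries that would be needed
# for a second-level host name and for connecting by IP.
WILDCARD_CERT = {
    "subject": ((("commonName", "*.domain.com"),),),
    "subjectAltName": (("DNS", "*.domain.com"), ("DNS", "domain.com")),
}
FIXED_CERT = {
    "subject": ((("commonName", "*.domain.com"),),),
    "subjectAltName": (
        ("DNS", "*.domain.com"),
        ("DNS", "*.prod.domain.com"),
        ("IP Address", "10.0.0.1"),
    ),
}
CN_ONLY_CERT = {  # legacy certificate with no SAN extension at all
    "subject": ((("countryName", "US"),), (("commonName", "*.domain.com"),)),
}


if __name__ == "__main__":
    for cert_name, cert in (("wildcard", WILDCARD_CERT), ("fixed", FIXED_CERT)):
        for host in ("mongo1.domain.com", "mongo1.prod.domain.com", "10.0.0.1"):
            ok, matched = cert_matches_host(cert, host)
            print(f"{cert_name:8s} {host:24s} -> {'OK  via ' + matched if ok else 'no matching name'}")
```

Run as a script it prints one line per certificate/host pair, which is the same check the openssl one-liner in the thread lets you do by eye: the wildcard certificate only validates hosts that sit exactly one label below `domain.com`.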