[SERVER-34631] Upgrade error from 3.7.3 to 3.7.5 Created: 24/Apr/18  Updated: 29/Oct/23  Resolved: 04/May/18

Status: Closed
Project: Core Server
Component/s: Security
Affects Version/s: None
Fix Version/s: 4.0.0-rc0

Type: Bug Priority: Major - P3
Reporter: Juergen Zimmermann Assignee: Mark Benvenuto
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

Windows 10 Ultimate


Issue Links:
Related
related to SERVER-34831 Unable to use a client certificate wi... Closed
Backwards Compatibility: Fully Compatible
Operating System: ALL
Sprint: Platforms 2018-05-07
Participants:

 Description   

I tried to upgrade MongoDB from 3.7.3 to 3.7.5 on Windows 10 Ultimate. Since libeay32.dll and ssleay32.dll are not provided in the new ZIP file, I copied them from the 3.7.3 distribution ZIP. I used the same config and also the same PEM file as before. However, I'm getting the following error message in the logfile:

2018-04-24T08:17:13.302+0200 F CONTROL [main] Failed global initialization: InvalidSSLConfiguration: Expected to find 'RSA PRIVATE KEY' in PEM file, found 'PRIVATE KEY' instead.



 Comments   
Comment by Githook User [ 04/May/18 ]

Author: Mark Benvenuto <mark.benvenuto@mongodb.com> (username: markbenvenuto)

Message: SERVER-34631 Ensure openssl binaries are in Windows zip
Branch: master
https://github.com/mongodb/mongo/commit/15cc57450b4de8ced936767c8160bc6a7dc3c76a

Comment by Juergen Zimmermann [ 25/Apr/18 ]

Thank you. A certificate without emailAddress works fine.

Comment by Mark Benvenuto [ 24/Apr/18 ]

That OID maps to "emailAddress". We will need to make a fix to handle email address. If you can regenerate the certificate, you should only use the following components.

RFC 2253               LADPv3 Distinguished Names          December 1997
 
 
                    String  X.500 AttributeType
                    ------------------------------
                    CN      commonName
                    L       localityName
                    ST      stateOrProvinceName
                    O       organizationName
                    OU      organizationalUnitName
                    C       countryName
                    STREET  streetAddress
                    DC      domainComponent
                    UID     userid

Comment by Juergen Zimmermann [ 24/Apr/18 ]

Thank you for your immediate response! After converting the key file with OpenSSL and rearranging the pem file I get this error (it's a self-signed cert):

2018-04-24T16:35:13.837+0200 F CONTROL [main] Failed global initialization: InvalidSSLConfiguration: Unknown OID: 1.2.840.113549.1.9.1

Comment by Mark Benvenuto [ 24/Apr/18 ]

As part of the work to switch from OpenSSL to Windows SChannel in 3.7, we did not add support for PRIVATE KEY PEM files since we did not encounter them in our local testing, and since they can be easily converted to RSA PRIVATE KEY PEM files.

To convert the key format from PRIVATE KEY (i.e. PKCS#8 PrivateKeyInfo) to RSA PRIVATE KEY (i.e. PKCS#1 RSAPrivateKey), you will need the openssl.exe command line utility which is available from www.openssl.org. Run
> openssl.exe rsa -in <key>.key -out <out_file>.key

You will need to make a new PEM file from the converted key and your original certificate with the following content

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----

If you have the certificate in the Windows Certificate store, you can use Certificate Selectors described in SERVER-32979 instead of PEM key files.
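
An added example, not part of the issue thread or of MongoDB's code: a pre-flight check for the two startup failures reported above, a PEM bundle whose key block is labelled 'PRIVATE KEY' instead of 'RSA PRIVATE KEY', and a certificate whose name carries the emailAddress OID 1.2.840.113549.1.9.1. The function names and the sample bundles are hypothetical, and the sample blocks are constructed placeholder bytes rather than real certificates or keys.

```python
import base64
import re

# DER encoding of OID 1.2.840.113549.1.9.1 (emailAddress), the OID in the reported error.
EMAIL_OID_DER = bytes.fromhex("06092a864886f70d010901")
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)


def pem_blocks(text):
    """Return [(label, der_bytes)] for every PEM block in text."""
    return [(label, base64.b64decode("".join(body.split())))
            for label, body in PEM_BLOCK.findall(text)]


def preflight(text):
    """Return a list of findings for the two failures reported in this issue."""
    findings = []
    blocks = pem_blocks(text)
    labels = [label for label, _ in blocks]
    if "CERTIFICATE" not in labels:
        findings.append("no CERTIFICATE block")
    if "PRIVATE KEY" in labels:
        findings.append("PKCS#8 'PRIVATE KEY' block: convert to 'RSA PRIVATE KEY'")
    elif "RSA PRIVATE KEY" not in labels:
        findings.append("no RSA PRIVATE KEY block")
    for label, der in blocks:
        # Heuristic byte scan, not a full ASN.1 parse: matches subject or issuer.
        if label == "CERTIFICATE" and EMAIL_OID_DER in der:
            findings.append("certificate name contains emailAddress (1.2.840.113549.1.9.1)")
    return findings


def _pem(label, der):
    b64 = base64.b64encode(der).decode()
    return f"-----BEGIN {label}-----\n{b64}\n-----END {label}-----\n"


# Constructed sample data: placeholder bytes, not real certificates or keys.
FAKE_CERT_WITH_EMAIL = _pem("CERTIFICATE", b"\x30\x20" + EMAIL_OID_DER + b"\x0c\x03a@b")
FAKE_CERT_PLAIN = _pem("CERTIFICATE", b"\x30\x0b\x06\x03\x55\x04\x03\x0c\x04test")
BEFORE = FAKE_CERT_WITH_EMAIL + _pem("PRIVATE KEY", b"\x30\x03\x02\x01\x00")
AFTER = FAKE_CERT_PLAIN + _pem("RSA PRIVATE KEY", b"\x30\x03\x02\x01\x00")

if __name__ == "__main__":
    for name, bundle in (("before", BEFORE), ("after", AFTER)):
        print(name, preflight(bundle) or "ok")
```

The emailAddress check is a byte search over the decoded certificate, so it reports the OID whether it sits in the subject or the issuer name.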
