[SERVER-35370] network error while attempting to run command 'isMaster' on host mongo.example.com
Created: 02/Jun/18  Updated: 27/Oct/23  Resolved: 13/Jun/18

Status: Closed
Project: Core Server
Component/s: Security
Affects Version/s: 3.6.3
Fix Version/s: None

Type: Question
Priority: Major - P3
Reporter: Ali
Assignee: Nick Brewer
Resolution: Works as Designed
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Related
related to SERVER-39480 Log network failure status in DBClien... Closed

 Description   

I have enabled `SSL` on my `mongoDB` server. I have set `preferred` as I don't want to make SSL a requirement yet. I can connect to the mongo shell easily by typing `mongo` in the shell. The problem is that when I use the `mongo --ssl --host mongo.example.com` command, it gives the following error:

2018-06-02T08:38:02.551+0000 E QUERY [thread1] Error: network error while attempting to run command 'isMaster' on host 'mongo.example.com:27017' :
connect@src/mongo/shell/mongo.js:251:13
@(connect):1:6
exception: connect failed



 Comments   
Comment by Kelsey Schubert [ 08/May/19 ]

Hi dandv,

Thanks for your feedback, and I'm sorry this error message wasn't very clear about the root cause of the issue. We're tracking work to improve this error message in SERVER-39480. Please feel free to vote for it and watch it for updates.

Kind regards,
Kelsey

Comment by Dan Dascalescu [ 08/May/19 ]

Another cryptic error. There's nothing about "Error: network error while attempting to run command 'isMaster'" that tells me there was a certificate problem. I had to Google that cryptic error to land on this Jira ticket. Does that sound like a good developer experience?

The error was that I forgot to include the `--ssl` parameter in the `mongo` CLI.

Comment by Nick Brewer [ 13/Jun/18 ]

Glad to hear you got it working. I'll go ahead and close this issue.

Nick

Comment by Ali [ 13/Jun/18 ]

The problem was that the CN of the certificate didn't match the value of hostname in the config file of `MongoDB`. Thank you for your time.

Comment by Nick Brewer [ 11/Jun/18 ]

Hi Ali,

Thanks for your report. Some things I'd like to confirm:

  • Does the CN (common name) or SAN (subject alternative name) of the certificate match the value of --hostname that you supply when running mongo?
  • What certificate authority was used to issue this certificate?
  • I'd like to see the full contents of the .conf file you're using to start mongod, as well as the specific commands you're using to connect via the mongo shell. Since this is a public channel, you can substitute the hostnames or any sensitive information, but please keep the configuration options intact.

Regards,

Nick
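
The CN/SAN question raised in the comment above, as an added example that is not part of the original thread and is not MongoDB's own code: a hostname check over the certificate dict that Python's `ssl.SSLSocket.getpeercert()` returns. It assumes the RFC 6125 rule that the CN is consulted only when the certificate carries no DNS SAN entries; the sample certificates and all names other than `mongo.example.com` are constructed.

```python
# Added illustration (not from the thread): does the host passed to the client
# match the names in the server certificate?

def _dns_match(pattern, host):
    """Compare one certificate DNS name with the requested host, label by label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # A wildcard covers exactly one left-most label; "*.com" is rejected.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h

def cert_names(cert):
    """Return (DNS SAN entries, CN values) from a getpeercert()-style dict."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return sans, cns

def check_hostname(cert, host):
    """Return (ok, reason). Assumption: CN is used only if no DNS SAN exists."""
    sans, cns = cert_names(cert)
    names, source = (sans, "SAN") if sans else (cns, "CN")
    for name in names:
        if _dns_match(name, host):
            return True, f"{host} matches {source} entry {name}"
    return False, f"{host} is not covered by {source} names {names}"

# Constructed sample certificates in getpeercert() layout.
CERT_CN_ONLY = {"subject": ((("commonName", "db01.internal"),),)}
CERT_WITH_SAN = {
    "subject": ((("commonName", "mongo.example.com"),),),
    "subjectAltName": (("DNS", "mongo.example.com"), ("DNS", "*.db.example.com")),
}
CERT_SAN_OVERRIDES_CN = {
    "subject": ((("commonName", "mongo.example.com"),),),
    "subjectAltName": (("DNS", "other.example.com"),),
}

if __name__ == "__main__":
    for label, cert in [("cn-only", CERT_CN_ONLY), ("with-san", CERT_WITH_SAN),
                        ("san-overrides-cn", CERT_SAN_OVERRIDES_CN)]:
        print(label, check_hostname(cert, "mongo.example.com"))
```

A mismatch reported here corresponds to the situation the reporter describes in the resolution comment: the certificate is valid, but it was not issued for the name the client connects to.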

Comment by Ali [ 02/Jun/18 ]

When I comment out the below config section in mongod.conf it works:

CAFile: /etc/ssl/ca.pem

Now in the mongo shell command I should not provide `--sslCAFile /etc/ssl/ca.pem`!

When I remove it and just use `mongo --ssl` it works. Why should the CA file be removed? Does it bear security concerns?

Comment by Ali [ 02/Jun/18 ]

In the mongoDB server logs it reports that:

 

Error receiving request from client: SSLHandshakeFailed: SSLHandshakeFailed. Ending connection from 127.0.0.1:32793 (connection id: 358957)
