[SERVER-45015] Mongo Shell fails to connect with CSSMERR_TP_CERT_SUSPENDED error Created: 08/Dec/19  Updated: 27/Oct/23  Resolved: 21/Jan/20

Status: Closed
Project: Core Server
Component/s: Shell
Affects Version/s: 4.2.0
Fix Version/s: None

Type: Bug Priority: Major - P3
Reporter: Jascha Brinkmann Assignee: Spencer Jackson
Resolution: Community Answered Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Operating System: ALL
Steps To Reproduce:

Set up a TLS-secured MongoDB cluster that verifies both client and server certificates. Try connecting with mongo shell 4.2.0 from MacOSX 10.15.1.

Sprint: Security 2019-12-30, Security 2019-01-13, Security 2019-01-27
Participants:

Description

Connecting to a TLS-secured MongoDB remote instance from MacOSX 10.15.1 via the mongo shell fails with the following error:

2019-12-08T10:31:11.760+0100 D1 NETWORK  [main] Client Certificate Name: CN=client,O=Company,ST=Germany,C=DE
MongoDB shell version v4.2.0
connecting to: mongodb://localhost:27017/mongo?authSource=admin&compressors=disabled&gssapiServiceName=mongodb
2019-12-08T10:31:11.798+0100 D1 NETWORK  [js] creating new connection to:localhost:27017
2019-12-08T10:31:11.997+0100 D1 -        [js] User Assertion: UnsupportedFormat: Invalid IP address in CIDR string src/mongo/util/net/cidr.cpp 116
2019-12-08T10:31:12.023+0100 E  NETWORK  [js] SSL peer certificate validation failed: Certificate trust failure: CSSMERR_TP_CERT_SUSPENDED; connection rejected
2019-12-08T10:31:12.023+0100 D1 -        [js] User Assertion: SSLHandshakeFailed: SSL peer certificate validation failed: Certificate trust failure: CSSMERR_TP_CERT_SUSPENDED; connection rejected src/mongo/transport/session_asio.h 251
2019-12-08T10:31:12.023+0100 D1 -        [js] User Assertion: InternalError: couldn't connect to server localhost:27017, connection attempt failed: SSLHandshakeFailed: SSL peer certificate validation failed: Certificate trust failure: CSSMERR_TP_CERT_SUSPENDED; connection rejected src/mongo/scripting/mozjs/mongo.cpp 832
2019-12-08T10:31:12.023+0100 E  QUERY    [js] Error: couldn't connect to server localhost:27017, connection attempt failed: SSLHandshakeFailed: SSL peer certificate validation failed: Certificate trust failure: CSSMERR_TP_CERT_SUSPENDED; connection rejected :
connect@src/mongo/shell/mongo.js:341:17
@(connect):2:6
2019-12-08T10:31:12.023+0100 D1 -        [js] User Assertion: Location12513: connect failed src/mongo/shell/shell_utils.cpp 416
2019-12-08T10:31:12.023+0100 I  QUERY    [js] MozJS GC prologue heap stats -  total: 4033838 limit: 0
2019-12-08T10:31:12.026+0100 I  QUERY    [js] MozJS GC epilogue heap stats -  total: 14 limit: 0
2019-12-08T10:31:12.026+0100 D1 -        [main] User Assertion: Location12513: connect failed src/mongo/scripting/mozjs/proxyscope.cpp 320
2019-12-08T10:31:12.026+0100 F  -        [main] exception: connect failed
2019-12-08T10:31:12.026+0100 E  -        [main] exiting with code 1

This is the redacted command used:

`mongo --host $HOSTNAME --port $PORT --username $USER --password $PASSWORD --authenticationDatabase admin --tls --tlsCertificateKeyFile $CLIENTKEY --tlsCAFile $CA_CERTIFICATE`

The connection works with the same parameters when executed directly on the Ubuntu 18.04 server. It works as well when specifying the exact same certificates and authentication details using Compass running on MacOS.

Downgrading to mongo v3.6.14 and using --ssl, --sslPEMKeyFile and --sslCAFile in place of the respective tls flags works as well.



Comments
Comment by Spencer Jackson [ 21/Jan/20 ]

Got it, thanks jascha.brinkmann+mongodb@gmail.com! Because we believe we have a solution, I'm going to resolve this ticket. If your subsequent reproduction demonstrates this isn't the case, please feel free to re-open.

Comment by Jascha Brinkmann [ 21/Jan/20 ]

I can't test with a shorter SSL certificate validity right now, but I can confirm that the server certificate has a validity of 10 years so this is very likely the culprit.

Comment by Spencer Jackson [ 14/Jan/20 ]

Hi jascha.brinkmann+mongodb@gmail.com, was Andrey's advice applicable to your situation?

Comment by Andrey Brindeyev [ 21/Dec/19 ]

jascha.brinkmann+mongodb@gmail.com, it seems that your MongoDB Server SSL certificate is no longer acceptable to macOS Catalina.

You will find additional information here: https://support.apple.com/en-us/HT210176.

Let us know if that resolves your issue.

What helped me was limiting the SSL certificate's validity to 824 days.
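
An added check, not part of this ticket or of MongoDB's code, that shows why the 824-day certificate passes where the 10-year one fails: it parses the output of `openssl x509 -noout -dates -in server.pem` and applies the validity rule from the Apple page linked above (certificates issued on or after 1 July 2019 may be valid for at most 825 days). The cut-off date and limit are taken from that page; both sample certificate date ranges are constructed.

```python
# Validity-period check against macOS Catalina's TLS server certificate
# rules (Apple HT210176). Input is the text printed by
# `openssl x509 -noout -dates -in server.pem`.
from datetime import datetime, timezone

# Server certificates issued on/after this date must be valid <= 825 days.
APPLE_CUTOFF = datetime(2019, 7, 1, tzinfo=timezone.utc)
MAX_VALIDITY_DAYS = 825


def parse_openssl_dates(text):
    """Return (not_before, not_after) from `openssl x509 -dates` output.
    openssl pads single-digit days with two spaces ("Dec  1"), so the
    whitespace is normalised before parsing."""
    dates = {}
    for line in text.splitlines():
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        value = " ".join(value.split())
        dates[key.strip()] = datetime.strptime(
            value, "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)
    return dates["notBefore"], dates["notAfter"]


def validity_days(not_before, not_after):
    return (not_after - not_before).days


def catalina_accepts(not_before, not_after):
    """True if the validity period alone passes Catalina's trust check.
    Certificates issued before the cut-off are exempt from the limit."""
    if not_before < APPLE_CUTOFF:
        return True
    return validity_days(not_before, not_after) <= MAX_VALIDITY_DAYS


# Constructed sample outputs modelled on the ticket: a 10-year server
# certificate (rejected with CSSMERR_TP_CERT_SUSPENDED) and an 824-day one.
TEN_YEAR_CERT = "notBefore=Dec  1 10:00:00 2019 GMT\nnotAfter=Nov 28 10:00:00 2029 GMT\n"
SHORT_CERT = "notBefore=Dec  1 10:00:00 2019 GMT\nnotAfter=Mar  4 10:00:00 2022 GMT\n"

if __name__ == "__main__":
    for label, text in (("10-year", TEN_YEAR_CERT), ("824-day", SHORT_CERT)):
        nb, na = parse_openssl_dates(text)
        print(label, validity_days(nb, na), "days; accepted:", catalina_accepts(nb, na))
```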

Comment by Jascha Brinkmann [ 17/Dec/19 ]

Hey Daniel, thanks for your reply.

I tried on a different Mac using the same certificates, host, password and mongo shell version 4.2.2, but running macOS 10.14.6, and it worked without any issue.

I then updated the same Mac to macOS Catalina 10.15.1 and tried once more without changing anything else and it failed with the exact error already described above.

So I can confirm that this is happening on two different computers which run macOS Catalina 10.15.1.

I would suggest that you try it for yourself on macOS 10.15.1 and see if you can confirm this as well.


Comment by Danny Hatcher (Inactive) [ 13/Dec/19 ]

Thank you for the report. Do you have the opportunity to test your configuration on a different operating system? I was not able to reproduce on macOS 10.14.5 but we'd like to see if the problem is at the OS level.

Comment by Jascha Brinkmann [ 08/Dec/19 ]

Somebody else reporting the same issue and coming up with the same solution of downgrading the mongo shell: https://stackoverflow.com/questions/56843107/how-to-fix-ssl-error-cssmerr-tp-verify-action-failed-in-mongo

Generated at Thu Feb 08 05:07:38 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.