[SERVER-45015] Mongo Shell fails to connect with CSSMERR_TP_CERT_SUSPENDED error Created: 08/Dec/19 Updated: 27/Oct/23 Resolved: 21/Jan/20 |
|
| Status: | Closed |
| Project: | Core Server |
| Component/s: | Shell |
| Affects Version/s: | 4.2.0 |
| Fix Version/s: | None |
| Type: | Bug | Priority: | Major - P3 |
| Reporter: | Jascha Brinkmann | Assignee: | Spencer Jackson |
| Resolution: | Community Answered | Votes: | 0 |
| Labels: | None | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Operating System: | ALL |
| Steps To Reproduce: | Set up a TLS secured MongoDB Cluster that verifies both client and server certificates. Try connecting with mongo shell 4.2.0 from MacOSX 10.15.1 |
| Sprint: | Security 2019-12-30, Security 2019-01-13, Security 2019-01-27 |
| Participants: |
| Description |
|
Connecting to a TLS Secured MongoDB remote instance from MacOSX 10.15.1 via the mongo shell fails with the following error:
This is the redacted command used:
The connection works with the same parameters when executed directly on the Ubuntu 18.04 server. It works as well when specifying the exact same certificates and authentication details using Compass running on MacOS. Downgrading to mongo v3.6.14 and using --ssl, --sslPEMKeyFile and --sslCAFile in place of the respective tls flags works as well. |
| Comments |
| Comment by Spencer Jackson [ 21/Jan/20 ] |
|
Got it, thanks jascha.brinkmann+mongodb@gmail.com! Because we believe we have a solution, I'm going to resolve this ticket. If your subsequent reproduction demonstrates this isn't the case, please feel free to re-open. |
| Comment by Jascha Brinkmann [ 21/Jan/20 ] |
|
I can't test with a shorter SSL certificate validity right now, but I can confirm that the server certificate has a validity of 10 years so this is very likely the culprit. |
| Comment by Spencer Jackson [ 14/Jan/20 ] |
|
Hi jascha.brinkmann+mongodb@gmail.com, was Andrey's advice applicable to your situation? |
| Comment by Andrey Brindeyev [ 21/Dec/19 ] |
|
jascha.brinkmann+mongodb@gmail.com, it seems that your MongoDB Server SSL certificate is no longer accepted by macOS Catalina. You will find additional information here: https://support.apple.com/en-us/HT210176. Let us know if that resolves your issue. What helped me was limiting the SSL certificate's validity to 824 days. |
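
A way to check a server certificate against the validity limit discussed in the comment above, as an added example that is not part of the ticket or of MongoDB's code. It assumes the input is the two lines printed by `openssl x509 -noout -dates -in <cert>`; the 825-day limit and the 1 July 2019 cut-off are taken from the linked Apple article, and the function names and sample dates are constructed for illustration.

```python
from datetime import datetime, timezone

# From Apple's HT210176: TLS server certificates issued after 1 July 2019
# must have a validity period of 825 days or fewer.
MAX_VALIDITY_DAYS = 825
CUTOFF = datetime(2019, 7, 1, tzinfo=timezone.utc)
OPENSSL_FMT = "%b %d %H:%M:%S %Y GMT"

# Constructed samples in the format of `openssl x509 -noout -dates`.
TEN_YEAR = "notBefore=Dec  8 10:00:00 2019 GMT\nnotAfter=Dec  5 10:00:00 2029 GMT\n"
SHORT = "notBefore=Dec 21 00:00:00 2019 GMT\nnotAfter=Mar 24 00:00:00 2022 GMT\n"
LEGACY = "notBefore=Jan  1 00:00:00 2019 GMT\nnotAfter=Jan  1 00:00:00 2029 GMT\n"


def parse_dates(openssl_output):
    """Return (notBefore, notAfter) as timezone-aware datetimes."""
    fields = {}
    for line in openssl_output.strip().splitlines():
        key, _, value = line.partition("=")
        if key in ("notBefore", "notAfter"):
            # openssl pads single-digit days with a space ("Dec  8").
            stamp = " ".join(value.split())
            parsed = datetime.strptime(stamp, OPENSSL_FMT)
            fields[key] = parsed.replace(tzinfo=timezone.utc)
    if len(fields) != 2:
        raise ValueError("expected notBefore= and notAfter= lines")
    return fields["notBefore"], fields["notAfter"]


def check_validity(openssl_output):
    """Return (validity_days, ok) for the validity-period rule only.

    Other requirements in the Apple article (key size, hash algorithm,
    SAN, EKU) are not checked here.
    """
    not_before, not_after = parse_dates(openssl_output)
    days = (not_after - not_before).days
    # The limit applies only to certificates issued after the cut-off.
    subject_to_limit = not_before > CUTOFF
    return days, (not subject_to_limit or days <= MAX_VALIDITY_DAYS)


if __name__ == "__main__":
    for name, sample in [("ten-year", TEN_YEAR), ("short", SHORT), ("legacy", LEGACY)]:
        days, ok = check_validity(sample)
        print(f"{name}: {days} days, {'ok' if ok else 'exceeds limit'}")
```
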
| Comment by Jascha Brinkmann [ 17/Dec/19 ] |
|
Hey Daniel, thanks for your reply. I tried on a different Mac using the same certificates, host, password and mongo shell version 4.2.2 but running macOS 10.14.6 and it worked without any issue. I then updated the same Mac to macOS Catalina 10.15.1 and tried once more without changing anything else and it failed with the exact error already described above. So I can confirm that this is happening on two different computers which run macOS Catalina 10.15.1. I would suggest that you try it for yourself on macOS 10.15.1 and see if you can confirm this as well.
|
| Comment by Danny Hatcher (Inactive) [ 13/Dec/19 ] |
|
Thank you for the report. Do you have the opportunity to test your configuration on a different operating system? I was not able to reproduce on macOS 10.14.5 but we'd like to see if the problem is at the OS level. |
| Comment by Jascha Brinkmann [ 08/Dec/19 ] |
|
Somebody else reporting the same issue and coming up with the same solution of downgrading the mongo shell: https://stackoverflow.com/questions/56843107/how-to-fix-ssl-error-cssmerr-tp-verify-action-failed-in-mongo |