[SERVER-72234] System-wide CA certificate store not used Created: 19/Dec/22  Updated: 08/Feb/23  Resolved: 17/Jan/23

Status: Closed
Project: Core Server
Component/s: None
Affects Version/s: 6.0.3
Fix Version/s: None

Type: Bug Priority: Minor - P4
Reporter: Wernfried Domscheit Assignee: Yuan Fang
Resolution: Done Votes: 0
Labels: TLS/SSL
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Related
is related to SERVER-72839 Server skips peer certificate validat... Closed
is related to SERVER-72846 Fix misleading startup warning about ... Closed
Assigned Teams:
Server Security
Operating System: ALL
Sprint: Security 2023-01-23
Participants:

Description

My configuration looks like this:


net:
  port: 27019
  bindIpAll: true
  ipv6: true
  tls:
    mode: preferTLS
    certificateKeyFile: /home/mongod/mipmdb.pem
    clusterCAFile: /etc/ssl/certs/ca-bundle.crt
    allowConnectionsWithoutCertificates: true

security:
  authorization: enabled
  keyFile: /home/mongod/.mongo.key

Documentation says:

If --tlsCAFile or tls.CAFile is not specified and you are not using x.509 authentication, the system-wide CA certificate store will be used when connecting to a TLS-enabled server.

If using x.509 authentication, --tlsCAFile or tls.CAFile must be specified unless using --tlsCertificateSelector.


Despite this, the logfile shows this warning at startup:

{
    "t": {"$date": "2022-12-19T08:37:18.220+01:00"},
    "s": "W",
    "c": "CONTROL",
    "id": 22133,
    "ctx": "initandlisten",
    "msg": "No client certificate validation can be performed since no CA file has been provided. Please specify an sslCAFile parameter"
}
So, either the documentation is wrong, or mongod failed to use the system-wide CA certificate store.

Comments
Comment by Yuan Fang [ 17/Jan/23 ]

Hi wernfried.domscheit@sunrise.net,

Thank you for bringing this issue to our attention. We greatly appreciate your patience as we investigate. Based on the information you provided, it appears that the node utilizes the system-wide CA certificate store for server certificate validation. However, the warning message may have caused confusion regarding client certificate validation. To address this, we have filed a follow-up ticket, SERVER-72846. May I suggest you track the progress of this ticket for updates on the resolution of this issue? Thank you.

Regards,
Yuan
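The point the ticket and the follow-up comment together make is that there are two different validations in play: the node validates the certificates of servers it connects to (which can fall back to the system-wide store), while validation of client certificates presented to the node requires net.tls.CAFile, and warning id 22133 refers only to the latter. The script below is an added example, not code from the ticket or from MongoDB: it takes the reporter's configuration (transcribed by hand into a dict, since the page gives it as YAML) and a couple of constructed JSON log lines built from the quoted warning, reports which validation the node can perform, and checks that the warning in the log agrees with the config. The fallback order clusterCAFile, then CAFile, then system store is taken from the MongoDB documentation and is an assumption of this example rather than something the ticket states.

```python
"""
Added example (not part of the Jira ticket or of MongoDB's own code).

Checks a mongod net.tls configuration against its startup log for the
situation described in SERVER-72234: no net.tls.CAFile is set, so the
node cannot validate client certificates even though it still has a CA
store (clusterCAFile, or the system store) for validating peers.

Assumptions: the configuration is supplied as an already-parsed dict;
the log lines are constructed from the warning quoted in the ticket;
message id 22133 is taken from that quoted log line; the fallback order
clusterCAFile -> CAFile -> system store follows the MongoDB docs.
"""
import json

# Constructed: the reporter's YAML config from the ticket, transcribed into a dict.
SAMPLE_CONFIG = {
    "net": {
        "port": 27019,
        "bindIpAll": True,
        "ipv6": True,
        "tls": {
            "mode": "preferTLS",
            "certificateKeyFile": "/home/mongod/mipmdb.pem",
            "clusterCAFile": "/etc/ssl/certs/ca-bundle.crt",
            "allowConnectionsWithoutCertificates": True,
        },
    },
    "security": {"authorization": "enabled", "keyFile": "/home/mongod/.mongo.key"},
}

# Constructed: two startup lines in mongod's JSON log format. The first is
# the warning quoted in the ticket; the second is filler so the filter has
# something to skip.
SAMPLE_LOG = """\
{"t":{"$date":"2022-12-19T08:37:18.220+01:00"},"s":"W","c":"CONTROL","id":22133,"ctx":"initandlisten","msg":"No client certificate validation can be performed since no CA file has been provided. Please specify an sslCAFile parameter"}
{"t":{"$date":"2022-12-19T08:37:18.221+01:00"},"s":"I","c":"NETWORK","id":23015,"ctx":"listener","msg":"Listening on","attr":{"address":"0.0.0.0:27019"}}
"""

NO_CA_FILE_WARNING_ID = 22133  # id of the warning quoted in the ticket


def find_no_ca_file_warnings(log_text):
    """Return the parsed JSON log records carrying warning id 22133."""
    hits = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip non-JSON noise rather than abort the scan
        if rec.get("id") == NO_CA_FILE_WARNING_ID:
            hits.append(rec)
    return hits


def assess_tls_config(config):
    """Describe, from the config alone, which certificate validation the node can do.

    client_cert_validation: True only when net.tls.CAFile is set, because that
        is the store incoming client certificates are checked against.
    peer_ca: what the node validates other servers' certificates against
        (clusterCAFile, else CAFile, else the system-wide store; assumed order).
    unauthenticated_tls_allowed: net.tls.allowConnectionsWithoutCertificates.
    risk: present when TLS is on but client certificates cannot be validated.
    """
    tls = config.get("net", {}).get("tls", {})
    ca_file = tls.get("CAFile")
    cluster_ca = tls.get("clusterCAFile")
    mode = tls.get("mode", "disabled")
    findings = {
        "mode": mode,
        "client_cert_validation": ca_file is not None,
        "peer_ca": cluster_ca or ca_file or "system store",
        "unauthenticated_tls_allowed": bool(tls.get("allowConnectionsWithoutCertificates", False)),
    }
    if mode != "disabled" and ca_file is None:
        findings["risk"] = (
            "net.tls.CAFile is unset: certificates presented by clients are not "
            "validated; set net.tls.CAFile if clients are expected to "
            "authenticate with certificates"
        )
    return findings


def correlate(config, log_text):
    """Combine config and log; 'consistent' is True when warning 22133 appears
    exactly when net.tls.CAFile is missing."""
    findings = assess_tls_config(config)
    findings["warning_seen"] = bool(find_no_ca_file_warnings(log_text))
    findings["consistent"] = findings["warning_seen"] == (not findings["client_cert_validation"])
    return findings


if __name__ == "__main__":
    print(json.dumps(correlate(SAMPLE_CONFIG, SAMPLE_LOG), indent=2))
```

Run against the reporter's configuration, the script reports peer validation against /etc/ssl/certs/ca-bundle.crt, no client certificate validation, and the warning as consistent with that config; adding net.tls.CAFile is what changes the outcome, which is why the ticket was closed with the warning text, not the behaviour, as the thing to fix.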
