[SERVER-8524] --sslPEMKeyFile and other ssl arguments require the full path when using --fork

Created: 12/Feb/13  Updated: 11/Jul/16  Resolved: 19/Sep/13

Status: Closed
Project: Core Server
Component/s: Security
Affects Version/s: 2.4.0-rc0
Fix Version/s: 2.5.3

Type: Bug Priority: Minor - P4
Reporter: Ross Lawley Assignee: Matt Dannenberg
Resolution: Done Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Duplicate
is duplicated by SERVER-8679 Absolute path required for --sslPEMKe... Closed
Related
Operating System: ALL
Participants:

Description

The path to ssl certificates has to be a full path, whereas other command line options are relative to where mongod is called from.

e.g. my start mongod bash script:

#!/bin/bash
./bin/mongod --dbpath=./data/single --fork --logpath=./logs/single --sslPEMKeyFile=./jstests/libs/server.pem --sslCAFile=./jstests/libs/ca.pem --sslCRLFile=./jstests/libs/crl.pem --sslOnNormalPorts --sslWeakCertificateValidation --smallfiles --noprealloc --nojournal

Errors with "ERROR: cannot read certificate file". When I supply the full path to the certificates it works but this is different to how dbpath and logpath work.



Comments
Comment by auto [ 19/Sep/13 ]

Author: matt dannenberg (dannenberg) <matt.dannenberg@10gen.com>

Message: SERVER-8524 convert ssl arguments to full path, so that --fork can function properly with ssl
Branch: master
https://github.com/mongodb/mongo/commit/0b3fb180379e745f2839f78580de3e1a0269b0aa

Comment by Asya Kamsky [ 12/Mar/13 ]

and maybe other paths, like pidfilepath?

Comment by Eric Milkie [ 13/Feb/13 ]

You're right, it's because --fork changes the CWD. We are doing something special in the code to convert the relative paths for dbpath and logpath into absolute paths. We will have to do something similar for the SSL paths.
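
The mechanism Eric describes, shown as an added C++ illustration that is not mongod's own code: a daemonizer changes the working directory (assumed here to be chdir("/")) before the SSL files are opened, so a relative --sslPEMKeyFile no longer resolves, while a path converted to absolute before the directory change still does. The toAbsolute helper simply prefixes the current working directory, the same shape the ticket's own log shows for dbpath ("/home/vagrant/mongodbs/mongodb-sub/./data/single"); the scratch directory, the placeholder "server.pem" and the function names are constructed for this example.

```cpp
#include <cstdio>
#include <cstdlib>
#include <string>
#include <unistd.h>

// Make a relative path absolute by prefixing a working directory.
// Absolute (or empty) paths are returned unchanged. A leading "./" is kept,
// matching the form mongod's log prints for dbpath in this ticket.
// Illustration only: not the code of the SERVER-8524 fix.
std::string toAbsolute(const std::string& path, const std::string& cwd) {
    if (path.empty() || path[0] == '/') {
        return path;
    }
    if (cwd.empty() || cwd.back() == '/') {
        return cwd + path;
    }
    return cwd + "/" + path;
}

// Same, using the process's current working directory as the prefix.
std::string toAbsolute(const std::string& path) {
    char buf[4096];
    if (getcwd(buf, sizeof buf) == nullptr) {
        return path;  // cannot resolve; the later open will report the failure
    }
    return toAbsolute(path, buf);
}

// Can the file be opened for reading from the current working directory?
bool canOpen(const std::string& path) {
    FILE* f = std::fopen(path.c_str(), "r");
    if (f == nullptr) {
        return false;
    }
    std::fclose(f);
    return true;
}

// Reproduce the failure mode from the ticket without a real fork():
//  1. create a scratch directory holding a constructed "server.pem";
//  2. from inside it, resolve "./server.pem" to an absolute path;
//  3. chdir("/") the way a daemonizer does before opening its files (assumption);
//  4. check that the relative path no longer opens but the resolved one does.
// Returns true when the observed behaviour matches the ticket's description.
bool demonstrateForkCwdProblem() {
    char origCwd[4096];
    if (getcwd(origCwd, sizeof origCwd) == nullptr) {
        return false;
    }

    char tmpl[] = "/tmp/server8524-XXXXXX";  // constructed scratch location
    char* dir = mkdtemp(tmpl);
    if (dir == nullptr) {
        return false;
    }

    std::string pem = std::string(dir) + "/server.pem";
    FILE* f = std::fopen(pem.c_str(), "w");
    if (f == nullptr) {
        rmdir(dir);
        return false;
    }
    std::fputs("-----BEGIN CERTIFICATE-----\n(constructed placeholder)\n", f);
    std::fclose(f);

    bool ok = false;
    if (chdir(dir) == 0) {
        const std::string relative = "./server.pem";
        std::string resolved = toAbsolute(relative);  // resolve BEFORE the directory change
        bool beforeRel = canOpen(relative);
        if (chdir("/") == 0) {                        // what the daemonizer is assumed to do
            bool afterRel = canOpen(relative);
            bool afterAbs = canOpen(resolved);
            ok = beforeRel && !afterRel && afterAbs;
        }
    }

    // Clean up and restore the caller's working directory.
    if (chdir(origCwd) != 0) {
        ok = false;
    }
    unlink(pem.c_str());
    rmdir(dir);
    return ok;
}

int main() {
    std::printf("%s\n", demonstrateForkCwdProblem()
                            ? "relative path breaks after chdir; pre-resolved path still opens"
                            : "unexpected result");
    return 0;
}
```

The same pattern applies to every file argument a forking daemon opens after it has changed directory, which is why Asya's question about pidfilepath is the right one to ask: resolve each path once, before the fork, and keep only the absolute form.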

Comment by Ross Lawley [ 13/Feb/13 ]

Interesting, it seems the --fork flag causes it indirectly:

With --fork

./bin/mongod --dbpath=./data/single --logpath=./logs/single --sslPEMKeyFile=./jstests/libs/server.pem --sslCAFile=./jstests/libs/ca.pem --sslCRLFile=./jstests/libs/crl.pem --sslOnNormalPorts --sslWeakCertificateValidation --smallfiles --noprealloc --nojournal --fork

Wed Feb 13 10:42:55.417 [initandlisten] MongoDB starting : pid=21571 port=27017 dbpath=/home/vagrant/mongodbs/mongodb-sub/./data/single 64-bit host=precise64
Wed Feb 13 10:42:55.418 [initandlisten] db version v2.4.0-rc0, pdfile version 4.5
Wed Feb 13 10:42:55.418 [initandlisten] git version: 09967e98e5d6280305d85553cdb2dd12e2e1e149 modules: subscription
Wed Feb 13 10:42:55.418 [initandlisten] build info: Linux bs-e-ubuntu1104 2.6.38-13-virtual #57-Ubuntu SMP Mon Mar 5 21:16:08 UTC 2012 x86_64 BOOST_LIB_VERSION=1_49
Wed Feb 13 10:42:55.418 [initandlisten] allocator: tcmalloc
Wed Feb 13 10:42:55.418 [initandlisten] options: { dbpath: "./data/single", fork: true, logpath: "./logs/single", nojournal: true, noprealloc: true, smallfiles: true, sslCAFile: "./jstests/libs/ca.pem", sslCRLFile: "./jstests/libs/crl.pem", sslOnNormalPorts: true, sslPEMKeyFile: "./jstests/libs/server.pem", sslWeakCertificateValidation: true }
Wed Feb 13 10:42:55.418 [initandlisten] Unable to check for journal files due to: boost::filesystem::directory_iterator::construct: No such file or directory: "/home/vagrant/mongodbs/mongodb-sub/./data/single/journal"
Wed Feb 13 10:42:55.429 [initandlisten] ERROR: cannot read certificate file: ./jstests/libs/server.pem error:02001002:system library:fopen:No such file or directory
Wed Feb 13 10:42:55.430 [initandlisten] exception in initAndListen: 16562 ssl initialization problem, terminating
Wed Feb 13 10:42:55.430 dbexit: 
Wed Feb 13 10:42:55.430 [initandlisten] shutdown: going to close listening sockets...
Wed Feb 13 10:42:55.430 [initandlisten] shutdown: going to flush diaglog...
Wed Feb 13 10:42:55.430 [initandlisten] shutdown: going to close sockets...
Wed Feb 13 10:42:55.430 [initandlisten] shutdown: waiting for fs preallocator...
Wed Feb 13 10:42:55.430 [initandlisten] shutdown: closing all files...
Wed Feb 13 10:42:55.430 [initandlisten] closeAllFiles() finished
Wed Feb 13 10:42:55.430 [initandlisten] shutdown: removing fs lock...
Wed Feb 13 10:42:55.430 dbexit: really exiting now

Without --fork it works

./bin/mongod --dbpath=./data/single --logpath=./logs/single --sslPEMKeyFile=./jstests/libs/server.pem --sslCAFile=./jstests/libs/ca.pem --sslCRLFile=./jstests/libs/crl.pem --sslOnNormalPorts --sslWeakCertificateValidation --smallfiles --noprealloc --nojournal

Wed Feb 13 10:58:34.171 [initandlisten] MongoDB starting : pid=21619 port=27017 dbpath=./data/single 64-bit host=precise64
Wed Feb 13 10:58:34.171 [initandlisten] db version v2.4.0-rc0, pdfile version 4.5
Wed Feb 13 10:58:34.171 [initandlisten] git version: 09967e98e5d6280305d85553cdb2dd12e2e1e149 modules: subscription
Wed Feb 13 10:58:34.171 [initandlisten] build info: Linux bs-e-ubuntu1104 2.6.38-13-virtual #57-Ubuntu SMP Mon Mar 5 21:16:08 UTC 2012 x86_64 BOOST_LIB_VERSION=1_49
Wed Feb 13 10:58:34.171 [initandlisten] allocator: tcmalloc
Wed Feb 13 10:58:34.171 [initandlisten] options: { dbpath: "./data/single", logpath: "./logs/single", nojournal: true, noprealloc: true, smallfiles: true, sslCAFile: "./jstests/libs/ca.pem", sslCRLFile: "./jstests/libs/crl.pem", sslOnNormalPorts: true, sslPEMKeyFile: "./jstests/libs/server.pem", sslWeakCertificateValidation: true }
Wed Feb 13 10:58:34.171 [initandlisten] Unable to check for journal files due to: boost::filesystem::directory_iterator::construct: No such file or directory: "./data/single/journal"
Wed Feb 13 10:58:34.179 [initandlisten] ssl imported 1 revoked certificate from the revocation list.
Wed Feb 13 10:58:34.179 [initandlisten] waiting for connections on port 27017 ssl
Wed Feb 13 10:58:34.180 [websvr] ssl imported 1 revoked certificate from the revocation list.
Wed Feb 13 10:58:34.180 [websvr] admin web console waiting for connections on port 28017 ssl

Comment by Eric Milkie [ 12/Feb/13 ]

Also, I'm not seeing anywhere in the code that would just print "ERROR: cannot read certificate file". The code does contain that message but it should be followed by a colon, the name of the file, and the actual error message received from the OpenSSL library. Can you attach the full log file with the error?

Comment by Eric Milkie [ 12/Feb/13 ]

I can't reproduce this; relative paths are working fine for me.

Comment by Eric Milkie [ 12/Feb/13 ]

This is weird because I'm using relative paths in my testing all the time (and indeed, smoke.py uses a relative path to test SSL). I will take a look this afternoon.

Unfortunately, the SSL library doesn't return a more specific error message about what went wrong. However, you might try running mongod under strace with "-e trace=file", and then see the errno returned from the system calls used to open the file. You can see the actual path passed to the file-open function and verify it's correct.

Generated at Thu Feb 08 03:17:40 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.