[SERVER-8524] --sslPEMKeyFile and other ssl arguments require the full path when using --fork
Created: 12/Feb/13 Updated: 11/Jul/16 Resolved: 19/Sep/13

| Status: | Closed |
| Project: | Core Server |
| Component/s: | Security |
| Affects Version/s: | 2.4.0-rc0 |
| Fix Version/s: | 2.5.3 |
| Type: | Bug |
| Priority: | Minor - P4 |
| Reporter: | Ross Lawley |
| Assignee: | Matt Dannenberg |
| Resolution: | Done |
| Votes: | 0 |
| Labels: | None |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Operating System: | ALL |

| Description |

The path to ssl certificates has to be a full path, whereas other command line options are relative to where mongod is called from. E.g. my start mongod bash script:
Errors with ERROR: cannot read certificate file. When I supply the full path to the certificates it works but this is different to how dbpath and logpath work.

| Comments |
| Comment by auto [ 19/Sep/13 ] |

Author: matt dannenberg (dannenberg, matt.dannenberg@10gen.com)
Message:

| Comment by Asya Kamsky [ 12/Mar/13 ] |

and maybe other paths, like pidfilepath?

| Comment by Eric Milkie [ 13/Feb/13 ] |

You're right, it's because --fork changes the CWD. We are doing something special in the code to convert the relative paths for dbpath and logpath into absolute paths. We will have to do something similar for the SSL paths.

| Comment by Ross Lawley [ 13/Feb/13 ] |

Interesting, seems the --fork flag causes it indirectly:
With --fork
Without --fork it works

| Comment by Eric Milkie [ 12/Feb/13 ] |

Also, I'm not seeing anywhere in the code that would just print "ERROR: cannot read certificate file". The code does contain that message but it should be followed by a colon, the name of the file, and the actual error message received from the OpenSSL library. Can you attach the full log file with the error?

| Comment by Eric Milkie [ 12/Feb/13 ] |

I can't reproduce this; relative paths are working fine for me.

| Comment by Eric Milkie [ 12/Feb/13 ] |

This is weird because I'm using relative paths in my testing all the time (and indeed, smoke.py uses a relative path to test SSL). I will take a look this afternoon. Unfortunately, the SSL library doesn't return a more specific error message about what went wrong. However, you might try running mongod under strace with "-e trace=file", and then see the errno returned from the system calls used to open the file. You can see the actual path passed to the file-open function and verify it's correct.
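
The root cause named in the 13/Feb/13 comment (--fork changes the CWD, so a relative path has to be made absolute first) and the errno that the strace suggestion would surface, as an added example that is not MongoDB's code. The names absolutize, tryOpen, demo and the file names are hypothetical, and chdir("/") is an assumed stand-in for whatever directory change --fork performs.

```cpp
#include <cerrno>
#include <climits>
#include <cstdio>
#include <cstdlib>
#include <fcntl.h>
#include <string>
#include <unistd.h>

// Resolve a possibly relative path against a directory captured before the CWD changes.
std::string absolutize(const std::string& path, const std::string& startDir) {
    if (path.empty() || path[0] == '/') return path;
    return startDir + "/" + path;
}

// Open read-only; return 0 on success, otherwise the errno that strace would show.
int tryOpen(const std::string& path) {
    int fd = open(path.c_str(), O_RDONLY);
    if (fd < 0) return errno;
    close(fd);
    return 0;
}

struct Outcome { int relativeErrno; int absoluteErrno; };
// Constructed scenario: start in a scratch directory holding a placeholder key file,
// then chdir("/") the way a daemonizing process commonly does (assumption).
Outcome demo() {
    char oldCwd[PATH_MAX], startCwd[PATH_MAX];
    char scratch[] = "/tmp/sslpath-demo-XXXXXX";
    const std::string rel = "sslpath-demo.pem";  // constructed file name
    Outcome out = {-1, -1};
    if (!getcwd(oldCwd, sizeof oldCwd) || !mkdtemp(scratch) || chdir(scratch) != 0) return out;
    if (!getcwd(startCwd, sizeof startCwd)) return out;
    int fd = open(rel.c_str(), O_CREAT | O_WRONLY, 0600);  // empty placeholder, owner-only
    if (fd < 0) return out;
    close(fd);
    const std::string fixed = absolutize(rel, startCwd);  // resolved before the CWD changes
    if (chdir("/") != 0) return out;
    out.relativeErrno = tryOpen(rel);    // now refers to /sslpath-demo.pem
    out.absoluteErrno = tryOpen(fixed);  // still points into the scratch directory
    unlink(fixed.c_str());
    rmdir(startCwd);
    return chdir(oldCwd) == 0 ? out : Outcome{-1, -1};
}

int main() {
    Outcome o = demo();
    std::printf("relative: errno %d, absolute: errno %d\n", o.relativeErrno, o.absoluteErrno);
    return (o.relativeErrno == ENOENT && o.absoluteErrno == 0) ? 0 : 1;
}
```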