[SERVER-8732] Config server with CRL, mongos started with revoked cert, unclear error message Created: 26/Feb/13  Updated: 10/Dec/14  Resolved: 13/Jan/14

Status: Closed
Project: Core Server
Component/s: None
Affects Version/s: 2.4.0-rc0
Fix Version/s: None

Type: Bug Priority: Major - P3
Reporter: Gregor Macadam Assignee: Gregor Macadam
Resolution: Cannot Reproduce Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: cacert.pem, gregorFreeBSD.pem
Operating System: ALL

Description

What does

unable to get certificate CRL

mean?

ubuntu@ip-10-36-133-56:~/mongodb-linux-x86_64-subscription-ubuntu1104-2.4.0-rc0$ ./bin/mongod --dbpath ./data/config/ --configsvr --sslOnNormalPorts --sslPEMKeyFile ../sslCA/gregorFreeBSD.pem --sslCRLFile crl.pem --sslCAFile=../sslCA/cacert.pem 
Tue Feb 26 13:26:52.306 [initandlisten] MongoDB starting : pid=14374 port=27019 dbpath=./data/config/ master=1 64-bit host=ip-10-36-133-56
Tue Feb 26 13:26:52.306 [initandlisten] db version v2.4.0-rc0, pdfile version 4.5
Tue Feb 26 13:26:52.306 [initandlisten] git version: 09967e98e5d6280305d85553cdb2dd12e2e1e149 modules: subscription
Tue Feb 26 13:26:52.306 [initandlisten] build info: Linux bs-e-ubuntu1104 2.6.38-13-virtual #57-Ubuntu SMP Mon Mar 5 21:16:08 UTC 2012 x86_64 BOOST_LIB_VERSION=1_49
Tue Feb 26 13:26:52.306 [initandlisten] allocator: tcmalloc
Tue Feb 26 13:26:52.306 [initandlisten] options: { configsvr: true, dbpath: "./data/config/", sslCAFile: "../sslCA/cacert.pem", sslCRLFile: "crl.pem", sslOnNormalPorts: true, sslPEMKeyFile: "../sslCA/gregorFreeBSD.pem" }
Tue Feb 26 13:26:52.315 [initandlisten] journal dir=./data/config/journal
Tue Feb 26 13:26:52.315 [initandlisten] recover : no journal files present, no recovery needed
Tue Feb 26 13:26:52.511 [initandlisten] ssl imported 1 revoked certificate from the revocation list.
Tue Feb 26 13:26:52.513 [initandlisten] waiting for connections on port 27019 ssl
Tue Feb 26 13:26:52.513 [websvr] ssl imported 1 revoked certificate from the revocation list.
Tue Feb 26 13:26:52.513 [websvr] admin web console waiting for connections on port 28019 ssl
Tue Feb 26 13:26:55.516 [initandlisten] connection accepted from 10.36.133.56:42906 #1 (1 connection now open)
Tue Feb 26 13:26:55.523 [conn1] ERROR: SSL peer certificate validation failed:unable to get certificate CRL
Tue Feb 26 13:26:55.523 [conn1] SocketException handling request, closing client connection: 9001 socket exception [6] 

ubuntu@ip-10-36-133-56:~/mongodb-linux-x86_64-subscription-ubuntu1104-2.4.0-rc0$ ./bin/mongos --configdb ip-10-36-133-56 --sslOnNormalPorts --sslPEMKeyFile ../sslCA/revoked_gregor.pem 
Tue Feb 26 13:26:55.512 warning: running with 1 config server should be done only for testing purposes and is not recommended for production
Tue Feb 26 13:26:55.513 [mongosMain] MongoS version 2.4.0-rc0 starting: pid=14388 port=27017 64-bit host=ip-10-36-133-56 (--help for usage)
Tue Feb 26 13:26:55.513 [mongosMain] git version: 09967e98e5d6280305d85553cdb2dd12e2e1e149 modules: subscription
Tue Feb 26 13:26:55.513 [mongosMain] build info: Linux bs-e-ubuntu1104 2.6.38-13-virtual #57-Ubuntu SMP Mon Mar 5 21:16:08 UTC 2012 x86_64 BOOST_LIB_VERSION=1_49
Tue Feb 26 13:26:55.513 [mongosMain] options: { configdb: "ip-10-36-133-56", sslOnNormalPorts: true, sslPEMKeyFile: "../sslCA/revoked_gregor.pem" }



Comments
Comment by Eric Milkie [ 07/Mar/13 ]

In your spare time, sure. I would like to know how to diagnose this situation if a user encounters it in the future.

Comment by Gregor Macadam [ 07/Mar/13 ]

That box has been deleted on AWS now - do you want me to spin up another and try to repro?

Comment by Eric Milkie [ 04/Mar/13 ]

openssl verify -CApath ~/cacert.pem ~/gregorFreeBSD.pem 
/home/milkie/gregorFreeBSD.pem: C = AU, ST = Some-State, O = Internet Widgits Pty Ltd, CN = gregor, emailAddress = gregor@10gen.com
error 20 at 0 depth lookup:unable to get local issuer certificate

Seems broken to me.

Can you try this on your box:
openssl verify -CApath ~/cacert.pem ~/gregorFreeBSD.pem

Also see https://groups.google.com/forum/?fromgroups=#!topic/mailing.openssl.users/rMZGb2LHSgY for an interesting discussion on -crl_check parameter to verify.

Comment by Gregor Macadam [ 01/Mar/13 ]

Can we tell from the certs?

Comment by Eric Milkie [ 01/Mar/13 ]

I did some research and it seems like this error might occur if you didn't sign the certificate directly with the root certificate of the CA but instead signed it via a chain, and then didn't supply the entire chain in the CA file when you started the server.
