<rss version="0.92" >
<channel>
    <title>MongoDB Jira</title>
    <link>https://jira.mongodb.org</link>
    <description>This file is an XML representation of an issue</description>
    <language>en-us</language>    <build-info>
        <version>9.7.1</version>
        <build-number>970001</build-number>
        <build-date>13-04-2023</build-date>
    </build-info>


<item>
            <title>[COMPASS-349] Support connecting with self-signed certificates which use a local certificate authority</title>
                <link>https://jira.mongodb.org/browse/COMPASS-349</link>
                <project id="13182" key="COMPASS">Compass </project>
                    <description>&lt;p&gt;Hey Everyone!&lt;/p&gt;

&lt;p&gt;Working with a client who set up a local CA to generate their certificates and they want to connect with compass.  Their certificates validate properly when connecting with the mongo shell but when trying to connect to compass they get a &quot;self signed certificate&quot; error.&lt;/p&gt;

&lt;p&gt;Is there any way to allow connections where the root certificate is from a local CA?  Perhaps I am including the wrong certificates in the certificate chain?&lt;/p&gt;</description>
                <environment></environment>
        <key id="273952">COMPASS-349</key>
            <summary>Support connecting with self-signed certificates which use a local certificate authority</summary>
                <type id="2" iconUrl="https://jira.mongodb.org/secure/viewavatar?size=xsmall&amp;avatarId=14711&amp;avatarType=issuetype">New Feature</type>
                                            <priority id="3" iconUrl="https://jira.mongodb.org/images/icons/priorities/major.svg">Major - P3</priority>
                        <status id="6" iconUrl="https://jira.mongodb.org/images/icons/statuses/closed.png" description="The issue is considered finished, the resolution is correct. Issues which are closed can be reopened.">Closed</status>
                    <statusCategory id="3" key="done" colorName="success"/>
                                    <resolution id="12300">Won&apos;t Do</resolution>
                                        <assignee username="-1">Unassigned</assignee>
                                    <reporter username="rahul.dhodapkar">Rahul Dhodapkar</reporter>
                        <labels>
                    </labels>
                <created>Mon, 21 Mar 2016 14:59:36 +0000</created>
                <updated>Wed, 10 Jan 2024 23:06:27 +0000</updated>
                            <resolved>Fri, 2 Aug 2019 14:14:59 +0000</resolved>
                                                                    <component>Connectivity</component>
                        <due></due>
                            <votes>0</votes>
                                    <watches>51</watches>
                                                                                                                <comments>
                            <comment id="3765458" author="ari@decisionframeworksystems.com" created="Mon, 10 May 2021 23:57:35 +0000"  >&lt;p&gt;Compass does allow connecting to a MongoDB which uses a self-signed certificate, if you fill in the connection fields individually, but not if you paste in a connection string. Why this discrepancy between specifying the fields individually and in a connection string?&lt;/p&gt;

&lt;p&gt;Please see my topic in the community Developer Tools forum:&lt;br/&gt;
&lt;a href=&quot;https://developer.mongodb.com/community/forums/t/compass-connection-string-to-connect-to-self-signed-certificate/106438&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;https://developer.mongodb.com/community/forums/t/compass-connection-string-to-connect-to-self-signed-certificate/106438&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Thank you, Ari&lt;/p&gt;</comment>
                            <comment id="2355949" author="massimiliano.marcon" created="Fri, 2 Aug 2019 14:14:59 +0000"  >&lt;p&gt;May or may not work now, but there has been no activity on the ticket for 2 years so I am closing.&lt;/p&gt;</comment>
                            <comment id="1577878" author="lucas.hrabovsky" created="Tue, 23 May 2017 16:25:13 +0000"  >&lt;p&gt;Recent changes to electron should now allow Compass to do this (w/o changes to node.js driver). See &lt;a href=&quot;https://github.com/electron/electron/blob/master/docs/api/dialog.md#dialogshowcertificatetrustdialogbrowserwindow-options-callback-macos-windows&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;dialog.showCertificateTrustDialog()&lt;/a&gt;&lt;/p&gt;


&lt;p&gt;Related:&lt;/p&gt;
&lt;ul class=&quot;alternate&quot; type=&quot;square&quot;&gt;
	&lt;li&gt;&lt;a href=&quot;https://github.com/electron/electron/pull/9099&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;https://github.com/electron/electron/pull/9099&lt;/a&gt;&lt;/li&gt;
	&lt;li&gt;&lt;a href=&quot;https://github.com/electron/electron/pull/9242&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;https://github.com/electron/electron/pull/9242&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;
</comment>
                            <comment id="1435265" author="peter.schmidt" created="Wed, 16 Nov 2016 05:18:35 +0000"  >&lt;p&gt;I think we should retest with at least Compass 1.5.0-beta.3 or later first as time permits.&lt;/p&gt;

&lt;p&gt;If this is still not fixed upstream in the nodejs driver, then it may be worthwhile for Compass to spend some time on it, but it would most likely be after we clear many of the other bugs and connectivity issues in our current backlog.&lt;/p&gt;</comment>
                            <comment id="1223669" author="rahul.dhodapkar" created="Mon, 4 Apr 2016 02:22:02 +0000"  >&lt;p&gt;Haven&apos;t had time to put together a vanilla node.js reproduction of the issue but I &lt;a href=&quot;https://gist.github.com/rahuldhodapkar/9979d358da4b69724b03254b23a24438&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;created a script &lt;/a&gt; that will build a Root CA + Intermediate CA in a configurable directory, which makes it easy to cleanly reproduce the issue.&lt;/p&gt;

&lt;p&gt;Give it a try and let me know if you have any trouble getting it to work!&lt;/p&gt;</comment>
                            <comment id="1222524" author="rahul.dhodapkar" created="Fri, 1 Apr 2016 14:59:33 +0000"  >&lt;p&gt;&lt;a href=&quot;https://jira.mongodb.org/secure/ViewProfile.jspa?name=matt.kangas&quot; class=&quot;user-hover&quot; rel=&quot;matt.kangas&quot;&gt;matt.kangas&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;I&apos;m almost certain this is a problem with the core Node library and not Compass or the driver, so I&apos;m going to see if I can build a repro against that directly.  Goal for today is to get that together and submit a ticket upstream we can track!&lt;/p&gt;</comment>
                            <comment id="1222501" author="matt.kangas@10gen.com" created="Fri, 1 Apr 2016 14:44:50 +0000"  >&lt;p&gt;&lt;a href=&quot;https://jira.mongodb.org/secure/ViewProfile.jspa?name=rahul.dhodapkar&quot; class=&quot;user-hover&quot; rel=&quot;rahul.dhodapkar&quot;&gt;rahul.dhodapkar&lt;/a&gt; - thanks for the update!&lt;/p&gt;

&lt;p&gt;Since you are now the expert in this matter - can you please create a way for us to quickly repro both scenarios (e.g. the certs needed plus instructions on how to recreate them), and attach that as a tarball?&lt;/p&gt;

&lt;p&gt;We use the version of OpenSSL that is bundled with Electron, so if we want to make any changes in this area, we&apos;ll have to submit tickets upstream (either Electron or Node). Being able to clearly repro the issue will be critical for that.&lt;/p&gt;</comment>
                            <comment id="1211318" author="rahul.dhodapkar" created="Tue, 22 Mar 2016 16:02:08 +0000"  >&lt;p&gt;Just to close the loop on this - managed to get everything working locally.  Turns out I needed to pass &lt;b&gt;only&lt;/b&gt; the root CA certificate as the CAFile instead of the root CA + intermediate CA.  Procedure was as follows:&lt;/p&gt;

&lt;ol&gt;
	&lt;li&gt;create Root (self-signed) CA&lt;/li&gt;
	&lt;li&gt;create Intermediary CA (signed by Root CA)&lt;/li&gt;
	&lt;li&gt;create mongod server cert (signed by Intermediary CA)&lt;/li&gt;
	&lt;li&gt;create client cert (signed by Intermediary CA)&lt;/li&gt;
	&lt;li&gt;pass the Root CA cert to Compass as the CAFile, together with the client cert + private key, to use Compass with &quot;Server and Client Validation&quot;&lt;/li&gt;
&lt;/ol&gt;


&lt;p&gt;I suppose that this is due to some inconsistency between the &quot;tls&quot; package used by the node driver and the shell&apos;s connection handling code.  Not sure which is the preferred behavior.&lt;/p&gt;

&lt;p&gt;&lt;b&gt;EDIT:&lt;/b&gt; the shell&apos;s connection behavior is the expected behavior and the one displayed by vanilla openssl.  The driver&apos;s TLS management is handled by the core library packaged with Node.JS so we should use the workaround I described until it is patched.&lt;/p&gt;</comment>
                            <comment id="1210119" author="rahul.dhodapkar" created="Mon, 21 Mar 2016 19:35:21 +0000"  >&lt;p&gt;&lt;a href=&quot;https://jira.mongodb.org/secure/ViewProfile.jspa?name=matt.kangas&quot; class=&quot;user-hover&quot; rel=&quot;matt.kangas&quot;&gt;matt.kangas&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Used the UI you recommended but got the following error from Compass -&lt;/p&gt;

&lt;p&gt;&lt;span class=&quot;image-wrap&quot; style=&quot;&quot;&gt;&lt;a id=&quot;114343_thumb&quot; href=&quot;https://jira.mongodb.org/secure/attachment/114343/114343_compass-ssl.png&quot; title=&quot;compass-ssl.png&quot; file-preview-type=&quot;image&quot; file-preview-id=&quot;114343&quot; file-preview-title=&quot;compass-ssl.png&quot;&gt;&lt;img src=&quot;https://jira.mongodb.org/secure/thumbnail/114343/_thumb_114343.png&quot; style=&quot;border: 0px solid black&quot; role=&quot;presentation&quot;/&gt;&lt;/a&gt;&lt;/span&gt;&lt;/p&gt;

&lt;p&gt;The same CAFile validates properly using the shell - (also tried with the Client Certificate / Client Private Key used from the shell)&lt;/p&gt;</comment>
                            <comment id="1210082" author="rahul.dhodapkar" created="Mon, 21 Mar 2016 18:54:58 +0000"  >&lt;p&gt;&lt;a href=&quot;https://jira.mongodb.org/secure/ViewProfile.jspa?name=christkv&quot; class=&quot;user-hover&quot; rel=&quot;christkv&quot;&gt;christkv&lt;/a&gt; -&lt;/p&gt;

&lt;p&gt;It seems like the Node.JS driver gives the same error - Would one perhaps have to add the certificate chain to the OS cert store? Using&lt;/p&gt;

&lt;p/&gt;
&lt;div id=&quot;syntaxplugin&quot; class=&quot;syntaxplugin&quot; style=&quot;border: 1px dashed #bbb; border-radius: 5px !important; overflow: auto; max-height: 30em;&quot;&gt;
&lt;table cellspacing=&quot;0&quot; cellpadding=&quot;0&quot; border=&quot;0&quot; width=&quot;100%&quot; style=&quot;font-size: 1em; line-height: 1.4em !important; font-weight: normal; font-style: normal; color: black;&quot;&gt;
		&lt;tbody &gt;
				&lt;tr id=&quot;syntaxplugin_code_and_gutter&quot;&gt;
						&lt;td  style=&quot; line-height: 1.4em !important; padding: 0em; vertical-align: top;&quot;&gt;
					&lt;pre style=&quot;font-size: 1em; margin: 0 10px;  margin-top: 10px;   margin-bottom: 10px;  width: auto; padding: 0;&quot;&gt;&lt;span style=&quot;color: black; font-family: &apos;Consolas&apos;, &apos;Bitstream Vera Sans Mono&apos;, &apos;Courier New&apos;, Courier, monospace !important;&quot;&gt;sslValidate: false&lt;/span&gt;&lt;/pre&gt;
			&lt;/td&gt;
		&lt;/tr&gt;
			&lt;/tbody&gt;
&lt;/table&gt;
&lt;/div&gt;
&lt;p/&gt;

&lt;p&gt;allows everything to connect properly, but only because it turns off certificate validation; ideally we would like to validate the certificates presented against the locally generated CAFile&lt;/p&gt;</comment>
                            <comment id="1209923" author="matt.kangas@10gen.com" created="Mon, 21 Mar 2016 17:35:14 +0000"  >&lt;p&gt;Hi &lt;a href=&quot;https://jira.mongodb.org/secure/ViewProfile.jspa?name=rahul.dhodapkar&quot; class=&quot;user-hover&quot; rel=&quot;rahul.dhodapkar&quot;&gt;rahul.dhodapkar&lt;/a&gt;,&lt;/p&gt;

&lt;p&gt;Here is a screenshot of the Compass v1.0.1 connect dialog which shows how you specify a CA file. Notice that you have to choose an SSL mode first.&lt;/p&gt;

&lt;p&gt;&lt;span class=&quot;image-wrap&quot; style=&quot;&quot;&gt;&lt;img src=&quot;https://jira.mongodb.org/secure/attachment/114324/114324_INT_1302_Compass_1.0.1_connect.png&quot; style=&quot;border: 0px solid black&quot; /&gt;&lt;/span&gt;&lt;/p&gt;

&lt;p&gt;Are you able to successfully connect using this information?&lt;/p&gt;

&lt;p&gt;Related usability improvement request: COMPASS-33&lt;/p&gt;</comment>
                    </comments>
                <issuelinks>
                            <issuelinktype id="10012">
                    <name>Related</name>
                                                                <inwardlinks description="is related to">
                                        <issuelink>
            <issuekey id="304460">NODE-782</issuekey>
        </issuelink>
                            </inwardlinks>
                                    </issuelinktype>
                    </issuelinks>
                <attachments>
                            <attachment id="114324" name="INT_1302_Compass_1.0.1_connect.png" size="57749" author="matt.kangas" created="Mon, 21 Mar 2016 17:35:14 +0000"/>
                            <attachment id="114343" name="compass-ssl.png" size="254785" author="rahul.dhodapkar" created="Mon, 21 Mar 2016 19:34:35 +0000"/>
                    </attachments>
                <subtasks>
                    </subtasks>
                <customfields>
                                                <customfield id="customfield_10050" key="com.atlassian.jira.toolkit:comments">
                        <customfieldname># Replies</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>11.0</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            <customfield id="customfield_10055" key="com.atlassian.jira.ext.charting:firstresponsedate">
                        <customfieldname>Date of 1st Reply</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>Mon, 21 Mar 2016 17:35:14 +0000</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10052" key="com.atlassian.jira.toolkit:dayslastcommented">
                        <customfieldname>Days since reply</customfieldname>
                        <customfieldvalues>
                                        2 years, 39 weeks, 1 day ago
    
                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_18254" key="com.onresolve.jira.groovy.groovyrunner:scripted-field">
                        <customfieldname>Dependencies</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue><![CDATA[]]></customfieldvalue>


                        </customfieldvalues>
                    </customfield>
                                                                                            <customfield id="customfield_15850" key="com.atlassian.jira.plugins.jira-development-integration-plugin:devsummary">
                        <customfieldname>Development</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                    <customfield id="customfield_14262" key="com.atlassian.jira.plugin.system.customfieldtypes:datepicker">
                        <customfieldname>End date</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>Mon, 10 Apr 2017 00:00:00 +0000</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    <customfield id="customfield_10057" key="com.atlassian.jira.toolkit:lastusercommented">
                        <customfieldname>Last comment by Customer</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>true</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10056" key="com.atlassian.jira.toolkit:lastupdaterorcommenter">
                        <customfieldname>Last commenter</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>jessica.sigafoos@mongodb.com</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_11151" key="com.atlassian.jira.toolkit:LastCommentDate">
                        <customfieldname>Last public comment date</customfieldname>
                        <customfieldvalues>
                            2 years, 39 weeks, 1 day ago
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                        <customfield id="customfield_10051" key="com.atlassian.jira.toolkit:participants">
                        <customfieldname>Participants</customfieldname>
                        <customfieldvalues>
                                        <customfieldvalue>ari@decisionframeworksystems.com</customfieldvalue>
            <customfieldvalue>lucas.hrabovsky</customfieldvalue>
            <customfieldvalue>massimiliano.marcon@mongodb.com</customfieldvalue>
            <customfieldvalue>matt.kangas</customfieldvalue>
            <customfieldvalue>peter.schmidt</customfieldvalue>
            <customfieldvalue>rahul.dhodapkar</customfieldvalue>
    
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                        <customfield id="customfield_14254" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>Product Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>1|hsc2lb:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                <customfield id="customfield_12550" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>2|huhwq7:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10558" key="com.pyxis.greenhopper.jira:gh-global-rank">
                        <customfieldname>Rank (Obsolete)</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>9223372036854775807</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                <customfield id="customfield_14261" key="com.atlassian.jira.plugin.system.customfieldtypes:datepicker">
                        <customfieldname>Start date</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>Mon, 21 Mar 2016 00:00:00 +0000</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                            <customfield id="customfield_10053" key="com.atlassian.jira.ext.charting:timeinstatus">
                        <customfieldname>Time In Status</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            <customfield id="customfield_14350" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>serverRank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>1|hrq8yn:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                    </customfields>
    </item>
</channel>
</rss>