<!-- 
RSS generated by JIRA (9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66) at Wed Feb 07 21:40:43 UTC 2024

It is possible to restrict the fields that are returned in this document by specifying the 'field' parameter in your request.
For example, to request only the issue key and summary append 'field=key&field=summary' to the URL of your request.
-->
<rss version="0.92" >
<channel>
    <title>MongoDB Jira</title>
    <link>https://jira.mongodb.org</link>
    <description>This file is an XML representation of an issue</description>
    <language>en-us</language>
    <build-info>
        <version>9.7.1</version>
        <build-number>970001</build-number>
        <build-date>13-04-2023</build-date>
    </build-info>


<item>
            <title>[CSHARP-1806] how do you set sslCAFile for MongoDB.Driver</title>
                <link>https://jira.mongodb.org/browse/CSHARP-1806</link>
                <project id="10041" key="CSHARP">C# Driver</project>
                    <description>&lt;p&gt;We have created a self-signed root CA cert, an intermediate CA cert, and a server cert with various subjectaltnames (that map to the hosts in replication) &lt;br/&gt;
Since our root cert is not trusted by default we have installed it in all the usual windows trust stores (local user and machine).&lt;br/&gt;
This certificate configuration has worked for several clients so we believe it to be ok.&lt;/p&gt;

&lt;p&gt;We have configured MongoDB version v3.2.10 like this - &lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;%BINPATH% --replSet %REPLSETNAME% --clusterAuthMode x509 --sslClusterFile %CLUSTERCLIENTCERT% --sslMode requireSSL --sslAllowConnectionsWithoutCertificates --sslPEMKeyFile %KEYFILE% --sslCAFile %CAFILE% --port %PORT% --dbpath=%DBPath% --logpath=%LOGPATH% --serviceName %SERVICENAME% --serviceDisplayName %SERVICENAME% --smallfiles --logappend --auth --install&lt;/p&gt;&lt;/blockquote&gt;
&lt;p&gt;sslPEMKeyFile does include the full chain, I have seen missing intermediate certs being a problem.&lt;/p&gt;

&lt;p&gt;The good - &lt;br/&gt;
We have been able to connect various clients, usually by specifying the sslCAFile option (which seems consistent with the documentation) &lt;br/&gt;
Robomongo 0.9.0-RC10 also works fine (w/ required sslCAFile option)&lt;br/&gt;
For Mongoose we were able to inject our cert into the nodejs trust store.&lt;/p&gt;

&lt;p&gt;The bad -&lt;br/&gt;
For the MongoDB.Driver (c#) client we are using a connect string that looks like so - &lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;mongodb://somedb:somedb@xxx0,xxx1,xxx2/SomeDB?replicaSet=repset0&amp;amp;ssl=true&amp;amp;readPreference=secondary&lt;/p&gt;&lt;/blockquote&gt;
&lt;p&gt;The error from the client looks like this -&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;at MongoDB.Driver.Core.Servers.ServerMonitor.&amp;lt;HeartbeatAsync&amp;gt;d__27.MoveNext()&quot; }, { ServerId: &quot;&lt;/p&gt;
&lt;div class=&quot;error&quot;&gt;&lt;span class=&quot;error&quot;&gt;Unknown macro: { ClusterId }&lt;/span&gt; &lt;/div&gt;
&lt;p&gt;&quot;, EndPoint: &quot;Unspecified/xxx0:27017&quot;, State: &quot;Disconnected&quot;, Type: &quot;Unknown&quot;, HeartbeatException: &quot;MongoDB.Driver.MongoConnectionException: An exception occurred while opening a connection to the server. &lt;br/&gt;
   System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.&lt;/p&gt;&lt;/blockquote&gt;

&lt;p&gt;If we turn off certificate validation it works.&lt;/p&gt;

&lt;p&gt;I&apos;m pretty confident it is a client side trust issue but I can&apos;t seem to figure out how to configure the client in this case.&lt;/p&gt;

&lt;p&gt;Is this a gap in functionality, documentation, or do you think running in service fabric is an issue?&lt;/p&gt;

&lt;p&gt;For the heck of it we tried adding &amp;amp;sslCAFile=cacerts.pem (and copied the file into the distribution at various places) but it had no effect.&lt;/p&gt;

&lt;p&gt;Any guidance would be appreciated.&lt;br/&gt;
Tim&lt;/p&gt;</description>
                <environment>windows 10, MongoDB.Driver running in service fabric app. Using connect string for driver config.</environment>
        <key id="325968">CSHARP-1806</key>
            <summary>how do you set sslCAFile for MongoDB.Driver</summary>
                <type id="3" iconUrl="https://jira.mongodb.org/secure/viewavatar?size=xsmall&amp;avatarId=14718&amp;avatarType=issuetype">Task</type>
                                            <priority id="3" iconUrl="https://jira.mongodb.org/images/icons/priorities/major.svg">Major - P3</priority>
                        <status id="6" iconUrl="https://jira.mongodb.org/images/icons/statuses/closed.png" description="The issue is considered finished, the resolution is correct. Issues which are closed can be reopened.">Closed</status>
                    <statusCategory id="3" key="done" colorName="success"/>
                                    <resolution id="9">Done</resolution>
                                        <assignee username="-1">Unassigned</assignee>
                                    <reporter username="tgourley01">Tim Gourley</reporter>
                        <labels>
                            <label>driver</label>
                            <label>question</label>
                    </labels>
                <created>Fri, 21 Oct 2016 19:59:54 +0000</created>
                <updated>Fri, 5 Apr 2019 13:58:33 +0000</updated>
                            <resolved>Fri, 31 Aug 2018 21:19:07 +0000</resolved>
                                    <version>2.3</version>
                                                    <component>Security</component>
                                        <votes>0</votes>
                                    <watches>2</watches>
                                                                                                                <comments>
                            <comment id="1991275" author="jeff.yemin" created="Fri, 31 Aug 2018 21:19:07 +0000"  >&lt;p&gt;Sorry for dropping the ball on this.  We haven&apos;t heard of any other users running into this, so I&apos;m going to close this, but please comment back if this is still an issue for you.&lt;/p&gt;</comment>
                            <comment id="1424657" author="craiggwilson" created="Wed, 2 Nov 2016 22:13:01 +0000"  >&lt;p&gt;Ok... this is the first report we&apos;ve had of this not working. Underneath, we are simply using the SslStream. We&apos;ll go ahead and double check on our side and see if we can get it to break.&lt;/p&gt;

&lt;p&gt;Craig&lt;/p&gt;</comment>
                            <comment id="1424649" author="tgourley01" created="Wed, 2 Nov 2016 22:07:46 +0000"  >&lt;p&gt;This is windows platform. (windows 10 if it matters)&lt;br/&gt;
I&apos;ve added the signer certs into the machine and current user trust stores but it appears the C# driver is not using them.&lt;br/&gt;
It is working for browsers and other apps which use the same certificate stores so I&apos;m confident the certs are in the right stores. &lt;br/&gt;
(we had this requirement long before we were using the C# mongo driver)&lt;br/&gt;
Anyway, it sounds like you are saying this is a tested scenario and the C# supports it.&lt;br/&gt;
If that is the case then I don&apos;t know why this would not work in my case since the certs are in the expected trust stores and are found (/trusted) by other applications.&lt;br/&gt;
Thanks,&lt;br/&gt;
Tim&lt;/p&gt;</comment>
                            <comment id="1424641" author="craiggwilson" created="Wed, 2 Nov 2016 21:55:07 +0000"  >&lt;p&gt;Hi Tim,&lt;/p&gt;

&lt;p&gt;You manage trusted certificates for the .NET driver the same way you would for any .NET application. Windows contains a trusted certificate store. &lt;/p&gt;

&lt;p&gt;Now, I haven&apos;t researched how this would be done on other operating systems. Are you asking about windows or linux (or mac)?&lt;/p&gt;

&lt;p&gt;Craig&lt;/p&gt;</comment>
                            <comment id="1415731" author="tgourley01" created="Mon, 24 Oct 2016 15:40:51 +0000"  >&lt;p&gt;I&apos;ve completed testing outside a service fabric environment and see the same issue.&lt;br/&gt;
My root question is &quot;how is the trust CA store configured for the C# driver&quot;?&lt;br/&gt;
This is configured via the sslCAFile and sslCA options in other drivers/clients. &lt;br/&gt;
If it is supposed to use the machine/user trust store, I seem to be having issues configuring so that the driver uses it.&lt;br/&gt;
(to be clear, web browsers and other apps are able to validate this root cert, and likewise the chain for the server certs, so I&apos;m pretty confident the cert and trust stores are configured properly)&lt;br/&gt;
Thanks,&lt;br/&gt;
Tim&lt;/p&gt;</comment>
                    </comments>
                    <attachments>
                    </attachments>
                <subtasks>
                    </subtasks>
                <customfields>
                    <customfield id="customfield_15850" key="com.atlassian.jira.plugins.jira-development-integration-plugin:devsummary">
                        <customfieldname>Development</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_12550" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>2|hsr3ev:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_10558" key="com.pyxis.greenhopper.jira:gh-global-rank">
                        <customfieldname>Rank (Obsolete)</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>9223372036854775807</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                </customfields>
    </item>
</channel>
</rss>