<!-- 
RSS generated by JIRA (9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66) at Thu Feb 08 08:07:32 UTC 2024

It is possible to restrict the fields that are returned in this document by specifying the 'field' parameter in your request.
For example, to request only the issue key and summary append 'field=key&field=summary' to the URL of your request.
-->
<rss version="0.92" >
<channel>
    <title>MongoDB Jira</title>
    <link>https://jira.mongodb.org</link>
    <description>This file is an XML representation of an issue</description>
    <language>en-us</language>    <build-info>
        <version>9.7.1</version>
        <build-number>970001</build-number>
        <build-date>13-04-2023</build-date>
    </build-info>


<item>
            <title>[DOCS-13339] CAFile (maybe) needed for SSL enabled servers</title>
                <link>https://jira.mongodb.org/browse/DOCS-13339</link>
                <project id="10380" key="DOCS">Documentation</project>
                    <description>&lt;h2&gt;&lt;a name=&quot;Description&quot;&gt;&lt;/a&gt;Description&lt;/h2&gt;
&lt;p&gt;&lt;a href=&quot;https://docs.mongodb.com/manual/tutorial/configure-ssl/#set-up-mongod-and-mongos-with-tls-ssl-certificate-and-key&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;https://docs.mongodb.com/manual/tutorial/configure-ssl/#set-up-mongod-and-mongos-with-tls-ssl-certificate-and-key&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;The manual page on configuring SSL suggests that the CAFile option is not needed for the basic configuration, only if configuring the server to use client certificates. I recently configured a MongoDB server with a commercial &quot;real&quot; SSL certificate, and I&apos;m pretty sure the CAFile was required to make it work at all.&lt;/p&gt;

&lt;p&gt;The specific error was&lt;/p&gt;

&lt;pre&gt;connection attempt failed: SSLHandshakeFailed: SSL peer certificate validation failed: unable to get local issuer certificate :&lt;/pre&gt;

&lt;p&gt;The way I understand it, the CAFile is needed to establish the chain between the certificateKeyFile and whatever root certificates are installed on the operating system and recognized by OpenSSL. Therefore it is somewhat operating-system dependent whether the issuer of a certificateKeyFile is directly trusted by a given operating system, but in the general case it is not; rather, the CAFile bridges the gap from one to the other.&lt;/p&gt;

&lt;h2&gt;&lt;a name=&quot;Scopeofchanges&quot;&gt;&lt;/a&gt;Scope of changes&lt;/h2&gt;

&lt;h2&gt;&lt;a name=&quot;ImpacttoOtherDocs&quot;&gt;&lt;/a&gt;Impact to Other Docs&lt;/h2&gt;

&lt;h2&gt;&lt;a name=&quot;MVP%28WorkandDate%29&quot;&gt;&lt;/a&gt;MVP (Work and Date)&lt;/h2&gt;

&lt;h2&gt;&lt;a name=&quot;Resources%28ScopeorDesignDocs%2CInvision%2Cetc.%29&quot;&gt;&lt;/a&gt;Resources (Scope or Design Docs, Invision, etc.)&lt;/h2&gt;
</description>
                <environment></environment>
        <key id="1087477">DOCS-13339</key>
            <summary>CAFile (maybe) needed for SSL enabled servers</summary>
                <type id="1" iconUrl="https://jira.mongodb.org/secure/viewavatar?size=xsmall&amp;avatarId=14703&amp;avatarType=issuetype">Bug</type>
                                            <priority id="3" iconUrl="https://jira.mongodb.org/images/icons/priorities/major.svg">Major - P3</priority>
                        <status id="6" iconUrl="https://jira.mongodb.org/images/icons/statuses/closed.png" description="The issue is considered finished, the resolution is correct. Issues which are closed can be reopened.">Closed</status>
                    <statusCategory id="3" key="done" colorName="success"/>
                                    <resolution id="12300">Won&apos;t Do</resolution>
                                        <assignee username="-1">Unassigned</assignee>
                                    <reporter username="henrik.ingo@mongodb.com">Henrik Ingo</reporter>
                        <labels>
                            <label>docs-security</label>
                    </labels>
                <created>Mon, 13 Jan 2020 16:25:37 +0000</created>
                <updated>Mon, 30 Oct 2023 20:29:12 +0000</updated>
                                                            <fixVersion>Server_Docs_20231030</fixVersion>
                                    <component>manual</component>
                    <component>Server</component>
                        <due></due>
                            <votes>0</votes>
                                    <watches>8</watches>
                                                                                                                <comments>
                            <comment id="4940407" author="edu.bot" created="Mon, 31 Oct 2022 16:04:50 +0000"  >&lt;p&gt;Hello! This ticket has been closed due to inactivity. If you believe this ticket is still important, please reopen it and leave a comment to explain why. Thank you!&lt;/p&gt;</comment>
                            <comment id="2732458" author="mark.benvenuto" created="Wed, 15 Jan 2020 19:18:59 +0000"  >&lt;p&gt;I agree with you &lt;a href=&quot;https://jira.mongodb.org/secure/ViewProfile.jspa?name=ravind.kumar&quot; class=&quot;user-hover&quot; rel=&quot;ravind.kumar&quot;&gt;ravind.kumar&lt;/a&gt; to hedge your bets by saying you should either have the intermediate+roots in either a CAFile/CAClusterFile PEM file or the system certificate store. While it is possible to run MongoDB without a CAFile, it is simply not something we should recommend as it means you have to disable certificate validation on the client or server. It means you have a valid TLS connection but you cannot be sure who you are talking to.&lt;/p&gt;

&lt;p&gt;The reason why it failed for &lt;a href=&quot;https://jira.mongodb.org/secure/ViewProfile.jspa?name=henrik.ingo&quot; class=&quot;user-hover&quot; rel=&quot;henrik.ingo&quot;&gt;henrik.ingo&lt;/a&gt; is that the CA probably provided him with an intermediate cert that the system did not have, and so the server could not send the complete certificate chain. CAs rarely sign certs with their root certificate. They usually use intermediate certs to sign end-user certs.&lt;/p&gt;</comment>
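The chain-building failure described in this comment and in the ticket description, as an added example that is not part of the ticket, of the MongoDB documentation or of MongoDB's own code: a Go program that constructs an in-memory root CA, an intermediate CA signed by it and a server certificate signed by the intermediate (all names, such as "Example Root CA" and mongodb.example.com, are made up for the example), then validates the server certificate once against a PEM bundle holding only the root and once against a bundle holding intermediate plus root, the shape of file the comment says CAFile or ClusterCAFile should contain. Go's crypto/x509 reports the missing-intermediate case as x509.UnknownAuthorityError, its counterpart of OpenSSL's "unable to get local issuer certificate" in the reporter's error.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// PKI is a constructed three-tier chain: root CA -> intermediate CA -> server leaf.
// Everything is generated in memory for illustration; it is not a real CA.
type PKI struct {
	Root, Intermediate, Leaf *x509.Certificate
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// template returns a certificate template; isCA marks it as a signing authority.
func template(serial int64, cn string, isCA bool) *x509.Certificate {
	t := new(x509.Certificate)
	t.SerialNumber = big.NewInt(serial)
	t.Subject = pkix.Name{CommonName: cn} // hypothetical names, see lead-in
	t.NotBefore = time.Now().Add(-time.Hour)
	t.NotAfter = time.Now().Add(24 * time.Hour)
	if isCA {
		t.IsCA = true
		t.BasicConstraintsValid = true
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	} else {
		t.DNSNames = []string{cn}
		t.KeyUsage = x509.KeyUsageDigitalSignature
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// sign issues tmpl in the name of parent, signed with parentKey, and parses the result.
func sign(tmpl, parent *x509.Certificate, key, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, key.Public(), parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// BuildPKI mimics a commercial CA: the root signs an intermediate, and the
// intermediate, not the root, signs the end-entity server certificate.
func BuildPKI() PKI {
	rootKey, interKey, leafKey := newKey(), newKey(), newKey()
	rootTmpl := template(1, "Example Root CA", true)
	root := sign(rootTmpl, rootTmpl, rootKey, rootKey) // self-signed
	inter := sign(template(2, "Example Intermediate CA", true), root, interKey, rootKey)
	leaf := sign(template(3, "mongodb.example.com", false), inter, leafKey, interKey)
	return PKI{Root: root, Intermediate: inter, Leaf: leaf}
}

// CAFileBundle concatenates certificates into one PEM file, the shape of file
// an administrator points the CAFile option at.
func CAFileBundle(certs ...*x509.Certificate) []byte {
	var out []byte
	for _, c := range certs {
		block := new(pem.Block)
		block.Type = "CERTIFICATE"
		block.Bytes = c.Raw
		out = append(out, pem.EncodeToMemory(block)...)
	}
	return out
}

// VerifyLeaf validates the server certificate against a PEM trust bundle, as a
// TLS peer would. With only the root in the bundle, chain building stops at the
// missing intermediate: OpenSSL reports "unable to get local issuer certificate",
// Go reports x509.UnknownAuthorityError.
func VerifyLeaf(leaf *x509.Certificate, bundlePEM []byte) error {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(bundlePEM) {
		return errors.New("no certificates found in bundle")
	}
	// The whole bundle serves as both trust anchors and intermediates, so the
	// order of the PEM blocks in the file does not matter.
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:         pool,
		Intermediates: pool,
		DNSName:       "mongodb.example.com",
	})
	return err
}

// IsMissingIssuer reports whether err is the chain-building failure above.
func IsMissingIssuer(err error) bool {
	return errors.As(err, new(x509.UnknownAuthorityError))
}

func main() {
	p := BuildPKI()
	fmt.Println("root only:         ", VerifyLeaf(p.Leaf, CAFileBundle(p.Root)))
	fmt.Println("intermediate+root: ", VerifyLeaf(p.Leaf, CAFileBundle(p.Intermediate, p.Root)))
}
```

Running it prints the unknown-authority error for the root-only bundle and nil once the intermediate is included. The remedy the comment gives is the one the example shows: ship the intermediate together with the root in the CA file, rather than disabling certificate validation on either side.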
                            <comment id="2722233" author="henrik.ingo@10gen.com" created="Mon, 13 Jan 2020 16:56:57 +0000"  >&lt;p&gt;&amp;gt; Wondering if we should pivot a bit and recommend always adding the root + intermediate CA to either CAFile/ClusterCAFile&lt;/p&gt;

&lt;p&gt;You could also hedge a bit with language like &quot;if you got a ca-file along with your certificate, you should provide it via the CAFile option&quot;.&lt;/p&gt;</comment>
                            <comment id="2722146" author="ravind.kumar" created="Mon, 13 Jan 2020 16:30:22 +0000"  >&lt;p&gt;&lt;a href=&quot;https://jira.mongodb.org/secure/ViewProfile.jspa?name=mark.benvenuto%40mongodb.com&quot; class=&quot;user-hover&quot; rel=&quot;mark.benvenuto@mongodb.com&quot;&gt;mark.benvenuto@mongodb.com&lt;/a&gt; &lt;a href=&quot;https://jira.mongodb.org/secure/ViewProfile.jspa?name=sara.golemon&quot; class=&quot;user-hover&quot; rel=&quot;sara.golemon&quot;&gt;sara.golemon&lt;/a&gt; this feels somewhat related to the discussions and work done on DOCSP-7310.&lt;/p&gt;

&lt;p&gt;Our docs are actually not particularly precise as to when the CAFile or ClusterCAFile options should be specified - the update in DOCSP-7310 at least makes it slightly clearer when using the certificateSelector options to place everything into the system store, but if specifying the keyFile manually, based on the observations above I&apos;m guessing that CAFile / ClusterCAFile are necessary for any TLS/SSL cert not signed by a root CA already in the OS system store by default?&lt;/p&gt;

&lt;p&gt;Wondering if we should pivot a bit and recommend always adding the root + intermediate CA to either CAFile/ClusterCAFile &lt;b&gt;or&lt;/b&gt; the system store (if using certificateSelector), rather than assuming the OS might have the cert by default?&lt;/p&gt;</comment>
                    </comments>
                    <attachments>
                    </attachments>
                <subtasks>
                    </subtasks>
                <customfields>
                                                <customfield id="customfield_10050" key="com.atlassian.jira.toolkit:comments">
                        <customfieldname># Replies</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>4.0</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        <customfield id="customfield_10055" key="com.atlassian.jira.ext.charting:firstresponsedate">
                        <customfieldname>Date of 1st Reply</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>Mon, 13 Jan 2020 16:30:22 +0000</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10052" key="com.atlassian.jira.toolkit:dayslastcommented">
                        <customfieldname>Days since reply</customfieldname>
                        <customfieldvalues>
                                        1 year, 14 weeks, 2 days ago
    
                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_18254" key="com.onresolve.jira.groovy.groovyrunner:scripted-field">
                        <customfieldname>Dependencies</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue><![CDATA[]]></customfieldvalue>


                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_15850" key="com.atlassian.jira.plugins.jira-development-integration-plugin:devsummary">
                        <customfieldname>Development</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                            <customfield id="customfield_10857" key="com.pyxis.greenhopper.jira:gh-epic-link">
                        <customfieldname>Epic Link</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>DOCSP-1769</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            <customfield id="customfield_10057" key="com.atlassian.jira.toolkit:lastusercommented">
                        <customfieldname>Last comment by Customer</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>false</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10056" key="com.atlassian.jira.toolkit:lastupdaterorcommenter">
                        <customfieldname>Last commenter</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>emet.ozar@mongodb.com</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_11151" key="com.atlassian.jira.toolkit:LastCommentDate">
                        <customfieldname>Last public comment date</customfieldname>
                        <customfieldvalues>
                            1 year, 14 weeks, 2 days ago
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                            <customfield id="customfield_10051" key="com.atlassian.jira.toolkit:participants">
                        <customfieldname>Participants</customfieldname>
                        <customfieldvalues>
                                        <customfieldvalue>edu.bot</customfieldvalue>
            <customfieldvalue>henrik.ingo@mongodb.com</customfieldvalue>
            <customfieldvalue>mark.benvenuto@mongodb.com</customfieldvalue>
            <customfieldvalue>ravind.kumar</customfieldvalue>
    
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                        <customfield id="customfield_14254" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>Product Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>1|hwgrsv:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                <customfield id="customfield_12550" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>2|hw4uxb:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10558" key="com.pyxis.greenhopper.jira:gh-global-rank">
                        <customfieldname>Rank (Obsolete)</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>9223372036854775807</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    <customfield id="customfield_10053" key="com.atlassian.jira.ext.charting:timeinstatus">
                        <customfieldname>Time In Status</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            <customfield id="customfield_14350" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>serverRank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>1|hwge27:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                </customfields>
    </item>
</channel>
</rss>