fgalan

Reputation: 12322

mongod is not honouring tlsAllowConnectionsWithoutCertificates setting

I run MongoDB (version 4.4.1) this way:

mongod --dbpath /tmp/mongotest/1/db --logpath /tmp/mongotest/1/mongod.log --port 27017 --tlsMode requireTLS --tlsCertificateKeyFile /tmp/mongokeys/test-server1.pem --tlsCAFile /tmp/mongokeys/test-ca.pem --tlsAllowConnectionsWithoutCertificates

The test-server1.pem and test-ca.pem files have been generated following the example procedures (this and this) in official MongoDB documentation.

Now I try to connect using mongo shell (version 4.4.1) this way:

mongo --tls

It fails. This is the trace:

MongoDB shell version v4.4.1
connecting to: mongodb://127.0.0.1:27017/?compressors=disabled&gssapiServiceName=mongodb
{"t":{"$date":"2021-03-01T13:18:54.768Z"},"s":"E",  "c":"NETWORK",  "id":23256,   "ctx":"js","msg":"SSL peer certificate validation failed","attr":{"error":"SSL peer certificate validation failed: self signed certificate in certificate chain"}}
Error: couldn't connect to server 127.0.0.1:27017, connection attempt failed: SSLHandshakeFailed: SSL peer certificate validation failed: self signed certificate in certificate chain :
connect@src/mongo/shell/mongo.js:374:17
@(connect):2:6
exception: connect failed
exiting with code 1

In addition, mongod log shows:

{"t":{"$date":"2021-03-01T14:19:40.397+01:00"},"s":"I",  "c":"NETWORK",  "id":22943,   "ctx":"listener","msg":"Connection accepted","attr":{"remote":"127.0.0.1:38934","connectionId":15,"connectionCount":1}}
{"t":{"$date":"2021-03-01T14:19:40.415+01:00"},"s":"W",  "c":"NETWORK",  "id":23234,   "ctx":"conn15","msg":"No SSL certificate provided by peer"}
{"t":{"$date":"2021-03-01T14:19:40.415+01:00"},"s":"I",  "c":"NETWORK",  "id":22944,   "ctx":"conn15","msg":"Connection ended","attr":{"remote":"127.0.0.1:38934","connectionId":15,"connectionCount":0}}

What is surprising is the "No SSL certificate provided by peer" message. Of course, that is true (I mean, mongo shell connection is not sending any certificate to the MongoDB server) but as far as I understand the --tlsAllowConnectionsWithoutCertificates should allow this kind of certificate-less connections.

Probably I'm doing something wrong, but I don't know what it is :) Any help is really welcomed!

Upvotes: 0

Views: 700

Answers (1)

D. SM

Reputation: 14520

Probably I'm doing something wrong, but I don't know what it is :)

You are experiencing the full informativeness of OpenSSL diagnostic messages.

The client and the server both validate the certificates of the other side, by default. You configured the server to not validate the client's certificate. The error is coming from the shell after it tries to validate the server's certificate and cannot follow the server cert to a known CA cert. This is reported as "self-signed certificate in certificate chain" which is true but misleading (the shell would be very capable of accepting the server's certificate if you gave it the CA cert which is self-signed).

The server log tells you the client hasn't provided the certificate, which is true and normal for your configuration, but the connection close is initiated by the client (shell). There isn't a server problem there. See also this and this.

Upvotes: 1
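The answer's point reproduced with plain OpenSSL, added here as an example and not part of the question or answer: the server never requests a client certificate (the equivalent of --tlsAllowConnectionsWithoutCertificates), yet the client's own verification of the server chain fails until the client is handed the CA file. The openssl CLI, the temporary directory and the port number are assumptions.

```shell
#!/bin/sh
# Added example: two-sided TLS validation seen from the client side.
# Assumes the openssl CLI is installed; everything else is generated here.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
PORT=${TLS_DEMO_PORT:-44331}

# A self-signed CA and a server certificate signed by it, the same shape as the
# test-ca.pem / test-server1.pem pair produced by the MongoDB docs procedure.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Test CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
openssl req -newkey rsa:2048 -nodes -subj "/CN=localhost" \
  -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
openssl x509 -req -days 1 -in "$WORK/server.csr" -CA "$WORK/ca.pem" \
  -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/server.pem" 2>/dev/null

# One handshake against a server that does not ask for a client certificate.
# $1 is the CA file the client trusts, or "" for none. Prints the client's
# "Verify return code" (0 = ok). The server sends its root in the chain, so
# without the CA file the client reports the same "self signed certificate in
# certificate chain" verdict the mongo shell printed in the question.
tls_verify_code() {
  openssl s_server -accept "$PORT" -naccept 1 -cert "$WORK/server.pem" \
    -key "$WORK/server.key" -cert_chain "$WORK/ca.pem" -quiet >/dev/null 2>&1 &
  srv=$!
  sleep 1
  if [ -n "$1" ]; then cafile="-CAfile $1"; else cafile=""; fi
  # $cafile is deliberately unquoted so it expands to two words (or none).
  out=$(echo Q | openssl s_client -connect "127.0.0.1:$PORT" $cafile 2>&1 || true)
  kill "$srv" 2>/dev/null || true
  wait "$srv" 2>/dev/null || true
  printf '%s\n' "$out" | sed -n 's/.*Verify return code: \([0-9]*\).*/\1/p' | head -n 1
}

echo "client without CA file, verify code: $(tls_verify_code "")"
echo "client with CA file,    verify code: $(tls_verify_code "$WORK/ca.pem")"
```

The server log side is silent in both runs: the server accepted a certificate-less client each time, and only the client's verdict on the server chain changed.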
