CAFile and self sign certificate for Replicas

We have created CA, intermediate CA and then a signed certificate with all the necessary requirement in mongodb website.

We want to use x509 authentication. Currently we can only work with TLS using the allowInvalidCertificates option, and we are not sure what the implications are.

Enabling the CAFile option also causes errors when connecting between replicas, with errors complaining about self-signed certificates.

What are

  • Valid certificates - Do they have to be “paid”? We do not need a third party to verify, since we are only connecting between our own servers. What constitutes “invalid”?
  • unable to get local issuer certificate error - please provide a clearer explanation
  • No SSL certificate provided by peer error - please provide a clearer explanation
  • SSL peer certificate validation failed: unsupported certificate purpose error - please provide a clearer explanation

Hopefully, this post can generate enough official replies for the different errors returned so we can better set up TLS connections between replicas.

You’re ignoring the errors and connecting anyway. If another server with TLS is put in between, your client will happily connect, and that server can decrypt and inspect anything that is sent to it.

This error sounds like the certificate is signed incorrectly or that the wrong file is being used for the CAFile parameter.

A valid certificate is one whose claims match what you are asking for: the Subject/Subject Alternative Name matches the hostname, the startDate and endDate are valid, among other things.

But most importantly it is one where the chain of trust is established. The root of this is the Certificate Authority. This CA must be installed on your system for any issued intermediate or leaf certificate to be trusted; alternatively the CA can be set in configuration or on the command line.

The issuing certificate is not trusted by your system. If your certificates are issued directly by the CA, then the CA is not installed. If your certificate is issued by an intermediate CA, then it is likely the server certificate has not been prepared correctly; you will need to append the intermediate CA to the server CA.

The server is expecting a TLS client certificate and the connecting client is not sending one.

The certificate is using the wrong extended attributes for its role: using clientAuth when it is a server, and vice versa.


The security appendix has a good set of instructions for correctly configuring certificates for cluster x509 member authentication, Transport encryption (TLS) and Client certificates for x509 authentication.

2 Likes

Thank you very much.

How about

  • SSL peer certificate validation failed: self signed certificate in certificate chain

With your recommendations I have done the following on all my replica Docker images, which installs the root certificate on my mongo containers:

COPY ./ca.crt /usr/share/ca-certificates/my_root_ca.crt

RUN echo my_root_ca.crt >> /etc/ca-certificates.conf

RUN update-ca-certificates

I created my certs based on the website you recommended.
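The following is an added example, not code from this thread or from MongoDB. It covers the reply above (establishing the chain of trust, appending the intermediate CA to the server's PEM file, the serverAuth/clientAuth purpose, and SAN/hostname matching) and the follow-up question about the "self signed certificate in certificate chain" error. It builds a root CA, an intermediate CA, a replica-set member certificate and a client certificate with OpenSSL, then reproduces each error with `openssl verify` so you can recognise it before mongod reports it. Every name, hostname, path, validity period and the mongod.conf fragment are assumptions; it needs OpenSSL 1.1.1 or later on the PATH.

```shell
#!/bin/sh
# Added example (not from the thread or MongoDB): build root CA -> intermediate CA ->
# member/client certificates, then reproduce the TLS errors discussed with
# `openssl verify`. All names, hostnames, paths and periods are assumptions.
set -eu
WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

# Minimal req config so the script does not depend on the system openssl.cnf.
printf '[req]\ndistinguished_name = dn\n[dn]\n' > req.cnf

# Extension profiles. A CA needs CA:TRUE and keyCertSign. A member certificate needs
# BOTH serverAuth and clientAuth, because replica-set members connect to each other
# as clients. A pure client certificate gets clientAuth only.
cat > ca.ext <<'EOF'
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
subjectKeyIdentifier=hash
EOF
cat > member.ext <<'EOF'
basicConstraints=CA:FALSE
keyUsage=critical,digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth,clientAuth
subjectAltName=DNS:mongo1.example.internal,DNS:localhost
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always
EOF
cat > client.ext <<'EOF'
basicConstraints=CA:FALSE
keyUsage=critical,digitalSignature
extendedKeyUsage=clientAuth
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always
EOF

# Keys. The intermediate is signed by the root and the leaves by the intermediate,
# so a verifier that holds only ca.crt must be handed the intermediate as well.
for n in ca intermediate mongo1 client; do
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$n.key" 2>/dev/null
done
openssl req -new -config req.cnf -key ca.key -subj "/O=Example/CN=Example Root CA" -out ca.csr
openssl x509 -req -in ca.csr -signkey ca.key -days 3650 -extfile ca.ext -out ca.crt 2>/dev/null
openssl req -new -config req.cnf -key intermediate.key -subj "/O=Example/CN=Example Intermediate CA" -out intermediate.csr
openssl x509 -req -in intermediate.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
  -days 1825 -extfile ca.ext -out intermediate.crt 2>/dev/null
openssl req -new -config req.cnf -key mongo1.key -subj "/O=Example/OU=ReplicaSet/CN=mongo1.example.internal" -out mongo1.csr
openssl x509 -req -in mongo1.csr -CA intermediate.crt -CAkey intermediate.key -CAcreateserial \
  -days 825 -extfile member.ext -out mongo1.crt 2>/dev/null
openssl req -new -config req.cnf -key client.key -subj "/O=Example/OU=Clients/CN=app-user" -out client.csr
openssl x509 -req -in client.csr -CA intermediate.crt -CAkey intermediate.key -CAcreateserial \
  -days 825 -extfile client.ext -out client.crt 2>/dev/null

# What mongod's certificateKeyFile should contain: private key, leaf certificate,
# then the intermediate appended, so peers can build the chain up to the root in CAFile.
cat mongo1.key mongo1.crt intermediate.crt > mongo1.pem

# Each check returns openssl's exit status (0 = chain OK). The comment names the
# reason openssl prints, which is the text the thread is asking about.
verify_with_intermediate()    { openssl verify -CAfile ca.crt -untrusted intermediate.crt mongo1.crt; }   # OK
verify_against_root_only()    { openssl verify -CAfile ca.crt mongo1.crt; }   # unable to get local issuer certificate
verify_client_as_server()     { openssl verify -CAfile ca.crt -untrusted intermediate.crt -purpose sslserver client.crt; }   # unsupported certificate purpose
verify_hostname_mismatch()    { openssl verify -CAfile ca.crt -untrusted intermediate.crt -verify_hostname mongo2.example.internal mongo1.crt; }   # hostname mismatch
verify_without_trusted_root() { openssl verify -untrusted intermediate.crt -untrusted ca.crt mongo1.crt; }   # self signed certificate in certificate chain

show() {  # print one check's verdict and openssl's reason line
  if out=$("$1" 2>&1); then echo "$1: OK"; else echo "$1: $(printf '%s\n' "$out" | grep -m1 lookup)"; fi
}
for c in verify_with_intermediate verify_against_root_only verify_client_as_server \
         verify_hostname_mismatch verify_without_trusted_root; do show "$c"; done

# The mongod settings the thread is about (assumed paths), with allowInvalidCertificates
# turned off now that a real trust anchor is configured.
cat > mongod.conf.example <<EOF
net:
  tls:
    mode: requireTLS
    certificateKeyFile: $WORK/mongo1.pem   # key + leaf + intermediate
    CAFile: $WORK/ca.crt                   # root only; the intermediate arrives from the peer
    allowInvalidCertificates: false
security:
  clusterAuthMode: x509
EOF
echo "certificates and mongod.conf.example written to $WORK"
```

Run it with `sh` and compare the printed reason lines with the errors in the thread: the root-only check fails because the verifier cannot find the intermediate (the reply's "append the intermediate" advice fixes exactly this); the client certificate fails a server-purpose check because its extendedKeyUsage has clientAuth only; the self-signed error appears when the root is present in the chain the peer sends but absent from the trust store named by CAFile. The "No SSL certificate provided by peer" case is not reproduced here, since it only occurs during a live handshake. Beyond what openssl checks, mongod additionally requires the O, OU and DC fields of all member certificates to match each other for x509 membership authentication.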