We have created a CA, an intermediate CA and then a signed certificate with all the necessary requirements from the MongoDB website.
We want to use x509 authentication. Currently we can only work with TLS using the allowInvalidCertificates option, and we are not sure what the implications are.
Enabling the CAFile option also causes errors when connecting between replicas, with errors complaining about the use of self-signed certificates.
What are:
Valid certifications - Do they have to be "paid"? We do not need a third party to verify since we are only connecting between our own servers. What constitutes "invalid"?
The "unable to get local issuer certificate" error - please provide a clearer explanation.
The "No SSL certificate provided by peer" error - please provide a clearer explanation.
You're ignoring the errors and connecting anyway; if another server with TLS is put in between, your client will happily connect and that server can decrypt and inspect anything that is sent to it.
This error sounds like the certificate is signed incorrectly or that the wrong file is being used for the CAFile parameter.
A valid certificate is one whose claims match what you are asking for: the Subject/Subject Alternative Name matches the hostname, the startDate and endDate are valid, among other things.
But most importantly, it is one where the chain of trust is established. The root of this is the Certificate Authority. This CA must be installed on your system for any issued intermediate or leaf certificate to be trusted; alternatively, the CA can be set in configuration or on the command line.
The issuing certificate is not trusted by your system. If your certificates are issued directly by the CA, then the CA is not installed. If your certificate is issued by an intermediate CA, then it is likely the server certificate has not been prepared correctly; you will need to append the intermediate CA to the server CA.
The server is expecting a TLS client certificate and the connecting client is not sending one.
The certificate is using the wrong extended attributes for its role: using clientAuth when it is a server and vice versa.
The security appendix has a good set of instructions for correctly configuring certificates for cluster x509 member authentication, Transport encryption (TLS) and Client certificates for x509 authentication.
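As an added example that is not part of the thread, the script below builds a throwaway root / intermediate / leaf chain with openssl, reproduces the "unable to get local issuer certificate" error when the CAFile holds only the root, and then performs the checks the answer describes (chain of trust, SAN against hostname, EKU for the role) by hand. It assumes openssl 1.1.1 or later is installed; every hostname, subject and path in it is constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: build a throwaway root -> intermediate -> leaf
# chain with openssl, reproduce "unable to get local issuer certificate", and do
# the checks from the answer (chain of trust, SAN vs hostname, EKU role) by hand.
# Assumes openssl >= 1.1.1 is installed; every name and path here is constructed.
set -eu
WORK="$(mktemp -d)"
HOST="mongo1.example.internal"   # constructed member hostname; must appear in the SAN

# Extension profiles: one for CAs, one for a replica set member leaf. A member is
# a TLS server to clients and an x509 client to its peers, so when an EKU is
# present it must list BOTH serverAuth and clientAuth (the "wrong role" problem).
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$WORK/ca.ext"
printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth,clientAuth\n' "$HOST" > "$WORK/leaf.ext"

# Root CA (self-signed), intermediate CA (issued by root), leaf (issued by intermediate).
openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo Root CA" \
  -keyout "$WORK/root.key" -out "$WORK/root.csr" 2>/dev/null
openssl x509 -req -days 3650 -in "$WORK/root.csr" -signkey "$WORK/root.key" \
  -extfile "$WORK/ca.ext" -out "$WORK/root.crt" 2>/dev/null
openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate CA" \
  -keyout "$WORK/inter.key" -out "$WORK/inter.csr" 2>/dev/null
openssl x509 -req -days 1825 -in "$WORK/inter.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
  -CAcreateserial -extfile "$WORK/ca.ext" -out "$WORK/inter.crt" 2>/dev/null
openssl req -newkey rsa:2048 -nodes -subj "/O=Demo/OU=DB/CN=$HOST" \
  -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
openssl x509 -req -days 365 -in "$WORK/leaf.csr" -CA "$WORK/inter.crt" -CAkey "$WORK/inter.key" \
  -CAcreateserial -extfile "$WORK/leaf.ext" -out "$WORK/leaf.crt" 2>/dev/null

# A CAFile holding only the root cannot link the leaf to anything it trusts;
# appending the intermediate, as the answer suggests, completes the chain.
cat "$WORK/inter.crt" "$WORK/root.crt" > "$WORK/ca-bundle.crt"

# verify_chain CAFILE LEAF: prints openssl's verdict; exit status 0 only if trusted.
verify_chain() { openssl verify -CAfile "$1" "$2" 2>&1; }
# has_eku CERT NAME: NAME as openssl prints it, e.g. "TLS Web Client Authentication".
has_eku() { openssl x509 -in "$1" -noout -text | grep -A1 'Extended Key Usage' | grep -q "$2"; }
# san_has CERT HOST: true when HOST is listed as a DNS subjectAltName.
san_has() { openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' | grep -q "DNS:$2"; }

verify_chain "$WORK/root.crt" "$WORK/leaf.crt" || true   # prints: unable to get local issuer certificate
verify_chain "$WORK/ca-bundle.crt" "$WORK/leaf.crt"      # prints: .../leaf.crt: OK
has_eku "$WORK/leaf.crt" "TLS Web Client Authentication" && echo "leaf has clientAuth"
san_has "$WORK/leaf.crt" "$HOST" && echo "SAN matches $HOST"
```

The same three checks apply to a real member certificate: point verify_chain at the CAFile you give mongod, and compare the SAN and EKU output against the hostname and role the server will actually use.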