I’m working through a few things, so you can test
One good way to test the connection to one of the shard nodes, while at the same testing its certificate is to run the following:
openssl s_client -connect cluster0-shard-00-00-jxeqq.mongodb.net:27017 </dev/null
This works on Linux/Unix/MacOS. On Windows it can work (if OpenSSL is installed), but you’ll need to leave off the redirection from /dev/null.
I then parse the certificate as follows:
openssl s_client -connect cluster0-shard-00-00-jxeqq.mongodb.net:27017 < /dev/null > /tmp/foo
openssl x509 -in /tmp/foo -text
This tells me that the Validation Authorities are at DigiCert and that you need to be able to talk to:
There’s also OCSP on:
So! The actual test to make sure that your system can verify the certificates!
You should be able to run these commands on the computer that has Compass, without the computer giving you errors. Curl should download these two CRL files. If it cannot, then your computer cannot contact the VA and thus cannot validate the certificate of the Mongo shard node.
EDIT: Corrected commands…
curl -o /tmp/crlfile http://crl3.digicert.com/ssca-sha2-g6.crl
curl -o /tmp/crlfile2 http://crl4.digicert.com/ssca-sha2-g6.crl
Of course, that is assuming that your system has “curl”. If it doesn’t, hopefully you have “wget”.