MongoDB 4.4.2 / X509

With MongoDB version 4.4.2, I am trying to use X509.

At this point I can launch the server like this:

...$ mongod --tlsMode requireTLS --tlsCertificateKeyFile theServer.pem --tlsCAFile theCA.pem --dbpath /mnt/mongoDB-One/DB_X509 --logpath /mnt/mongoDB-One/DB_X509/mongod.log --fork
about to fork child process, waiting until server is ready for connections.
forked process: 3082
child process started successfully, parent exiting
...$ 

I can later check that mongod keeps running.

...$ ps -ef | grep mongod
ubuntu      3082       1  1 06:52 ?        00:00:17 mongod --tlsMode requireTLS --tlsCertificateKeyFile theServer.pem --tlsCAFile theCA.pem --dbpath /mnt/mongoDB-One/DB_X509 --logpath /mnt/mongoDB-One/DB_X509/mongod.log --fork
ubuntu      3152    2299  0 07:10 pts/0    00:00:00 grep --color=auto mongod
...$ 

But one problem arises when I want to launch mongo shell. I get this:

...$ mongo --tls --tlsCertificateKeyFile client.pem --tlsCAFile theCA.pem
{"t":{"$date":"2021-01-05T07:14:46.176Z"},"s":"E",  "c":"NETWORK",  "id":23251,   "ctx":"main","msg":"Cannot read PEM key file","attr":{"keyFile":"client.pem","error":"error:0909006C:PEM routines:get_name:no start line"}}
Failed global initialization: InvalidSSLConfiguration Can not set up PEM key file.
...$ 

And this is what I see in the log file:

{"t":{"$date":"2021-01-05T06:52:22.375+00:00"},"s":"I",  "c":"NETWORK",  "id":23016,   "ctx":"listener","msg":"Waiting for connections","attr":{"port":27017,"ssl":"on"}}
{"t":{"$date":"2021-01-05T06:58:12.408+00:00"},"s":"I",  "c":"NETWORK",  "id":22943,   "ctx":"listener","msg":"Connection accepted","attr":{"remote":"127.0.0.1:44274","connectionId":1,"connectionCount":1}}
{"t":{"$date":"2021-01-05T06:58:12.520+00:00"},"s":"E",  "c":"NETWORK",  "id":23256,   "ctx":"conn1","msg":"SSL peer certificate validation failed","attr":{"error":"SSL peer certificate validation failed: unable to get issuer certificate"}}
{"t":{"$date":"2021-01-05T06:58:12.520+00:00"},"s":"I",  "c":"NETWORK",  "id":22988,   "ctx":"conn1","msg":"Error receiving request from client. Ending connection from remote","attr":{"error":{"code":141,"codeName":"SSLHandshakeFailed","errmsg":"SSL peer certificate validation failed: unable to get issuer certificate"},"remote":"127.0.0.1:44274","connectionId":1}}
{"t":{"$date":"2021-01-05T06:58:12.520+00:00"},"s":"I",  "c":"NETWORK",  "id":22944,   "ctx":"conn1","msg":"Connection ended","attr":{"remote":"127.0.0.1:44274","connectionId":1,"connectionCount":0}}
(END)

I guess there is something wrong with the client.pem, but I don’t know what to do. I tried what I had to do to make the server .pem file work, but to no avail at this point.

Has anyone had this experience before and knows a solution?

Error says “Cannot read PEM key file”

It could be permission issues
Please check your certificates folder/files having correct permissions and accessible by mongod

All the .pem files here have the same permissions (400) and ownership, so I don’t think this can be the cause of the problem.
mongod works and not mongo shell.

For the server, I had to put the private key and the certificate in one file, to keep mongod happy.

(Originally openssl puts them in 2 separate files).

I first thought that doing the same thing for the client would solve the problem but it did not work.

So I am left with no solution at this point. I suspect something is wrong with the client.pem file, but I am not even sure or that.

Validate your certificate with openssl whether it is in proper format as below

-----BEGIN CERTIFICATE-----
encoded certificate
-----END CERTIFICATE-----

Sometimes control M characters or newline character also cause issues

My experience using openssl is rather limited and I am not sure how you do this kind of validation. But searching the net I have done the following.

I have verified that these two commands output the same thing:

openssl x509 -noout -modulus -in client.pem openssl rsa -noout -modulus -in client.key.pem

In the same way, these two commands also output the same thing:

openssl x509 -in client.pem -noout -pubkey openssl rsa -in client.key.pem -pubout

Beside I can see that the dates look all right:

openssl x509 -noout -in client.pem -dates notBefore=Jan 4 06:49:57 2021 GMT notAfter=Jan 4 06:49:57 2022 GMT

I have also seen that I can check the validity of the certificate chain:

And after after many trials and errors on making theChain.pem. I finally have:

$ openssl verify -CAfile theChain.pem client.pem 
client.pem: OK
$