MongoDB Charts Installation: Stitch failed to start: error starting up servers: tls: private key does not match public key

I’m trying to install MongoDB Charts on-premises version 19.12 but have run into the following issue, apparently regarding SSL certificates, and I don’t know where the problem is or whether the issue is related to a problem in the web-certs or the db-certs.

Here is my situation when following the Official Guide

I’m able to proceed to step 9 and run

docker stack deploy -c charts-docker-swarm-19.12.1.yml mongodb-charts

but the Stitch server failed to start and reports: stitchServerRunning failure: Can't connect to Stitch Server at http://localhost:8080. Too many failed attempts. Last error: connect ECONNREFUSED 127.0.0.1:8080.

And the Stitch startup logs using

docker exec -it $(docker container ls --filter name=_charts -q) cat /mongodb-charts/logs/stitch-startup.log

reads: error starting up servers: tls: private key does not match public key

Here is some more info:

  • The metadata database of Charts is located on the same MongoDB replica set where the data exists.
  • The replica set has 5 members (MongoDB version is 4.0.14) and is created across 3 different regions on the cloud.
  • Access to the replica set is protected using SSL, and the x509 auth mechanism is enabled. The connection works fine using the Node.js Mongoose driver as well as the shell prompt and the Studio3T utility.
  • The machine that hosts MongoDB Charts is able to successfully connect to the replica set using both the sslcertificateauthorityfile and sslclientcertificatekeyfile parameters in its connection URI. The output of the script that tests the connection string confirms this (according to the output of Step 5): MongoDB connection URI successfully verified
  • On my replica set I can see that a new database named metadata is created by Charts whenever I launch the container, but the other databases are still missing: app, auth, events, hosting, log

I’m confused why the test connection script reports a valid URI and passes the SSL certificates to the replica set properly, but the main container fails to use it and discontinues the operation, especially when the logs clearly show that MongoDB is reachable and in practice I can see that it could add a new database to the replica set successfully.

Any ideas/suggestions/thoughts would be greatly appreciated!
Thank you
-Omid

2 Likes

Hi Omid -

Sorry to hear you’re having problems - this does look like a tricky issue. Unfortunately I don’t know exactly what’s wrong, but I can give you some more info that may help.

First, I can tell you that this issue would be related to the DB Certs for X.509 auth, not the Web Certs which are used for the HTTPS setup. This is because Stitch doesn’t know or care about the web setup, so it must be failing as it tries to connect to the database.

As to why it’s failing to start after the URI was successfully validated, my guess is that this is due to some subtle difference in behaviour across drivers. For technical reasons, the verification process uses the Node.js driver, but Stitch uses the Go driver. I don’t know why the Go driver isn’t happy with your keys, but you might be able to do some more targeted searching with this info.

Let me know what you discover.
Tom
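
Added example, not part of either post and not MongoDB's code: the message in the Stitch log is the error Go's `crypto/tls.X509KeyPair` returns when the private key does not pair with the first certificate in the PEM data. The sketch below runs that check on a combined certificate-and-key PEM built from constructed throwaway certificates; `must`, `selfSigned` and `checkCombined` are hypothetical helper names, and that Stitch loads the client PEM through this call is an assumption.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// selfSigned returns a constructed throwaway certificate and its key, PEM-encoded.
func selfSigned(cn string) (certPEM, keyPEM []byte) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	now := time.Now()
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, NotBefore: now, NotAfter: now.Add(time.Hour)}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	keyDER := must(x509.MarshalPKCS8PrivateKey(key))
	certPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	keyPEM = pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: keyDER})
	return certPEM, keyPEM
}

// checkCombined joins the PEM parts into one combined file image and runs Go's
// own pairing check: the key must match the FIRST certificate block found.
func checkCombined(parts ...[]byte) error {
	pemBytes := bytes.Join(parts, nil)
	_, err := tls.X509KeyPair(pemBytes, pemBytes)
	return err
}

func main() {
	leaf, key := selfSigned("constructed-client")
	other, _ := selfSigned("constructed-other") // stands in for any other cert bundled into the file
	fmt.Println("leaf first:", checkCombined(leaf, key))
	fmt.Println("other first:", checkCombined(other, leaf, key))
}
```

The second call fails with the same text as the Stitch startup log even though the matching certificate and key are both present in the data, because only the first certificate block is compared against the key.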

Hi @tomhollander
Thanks for your reply. I agree, most likely the problem is related to the Go driver. I’ll take a closer look at it and try to figure out how it treats the keys. I will come back to you.

-Omid

1 Like