I’ve been having a difficult time getting On-premise Charts working with SSL connection to a local MongoDB installation (not in Docker container). Every time I run it stitch fails. I initially had a self-signed cert and stitch complained about that. Then I decided to use a Let’s Encrypt issued cert, but now stitch says:
Addr: 172.17.0.1:27017, Type: Unknown, State: Connected, Average RTT: 0, Last error: x509: cannot validate certificate for 172.17.0.1 because it doesn’t contain any IP SANs
I don’t believe Let’s Encrypt does IP SAN, so self-signed would seem to be the way to go. I’ve followed all the steps many times and the only way I can get fully operational is to remove the SSL requirement from MongoDB.
What would be the best route as far as certs to make an On-premise Charts work? Any help would be appreciated. Thank you.
Hello Tom! Thanks for the reply. Sorry for the late reply; I was trying to run through things again to see if I could fix it before replying, but no joy.
I have read most of the installation documentation a few times. I’ll admit I mostly get confused on the SSL part. It seems there might be a combination of connection-uri and cert file confusion on my part. Below are the various connection-uri I have tried (all get verified), and the stitch-startup.log output:
connection-uri:
docker run --rm quay.io/mongodb/charts:19.12.2 charts-cli test-connection 'mongodb://admin:password@172.17.0.1?ssl=true'
stitch output:
2021-02-22T00:48:33.633Z ERROR main_server server/main.go:88 error starting up servers: error parsing uri
I think I figured the above issue, it seems stitch wants a ‘/’ after the host.
connection-uri:
docker run --rm quay.io/mongodb/charts:19.12.2 charts-cli test-connection 'mongodb://admin:password@172.17.0.1/?ssl=true'
stitch output:
Addr: 172.17.0.1:27017, Type: Unknown, State: Connected, Average RTT: 0, Last error: x509: cannot validate certificate for 172.17.0.1 because it doesn't contain any IP SANs
I will try some more testing and read the docs again in the morning. Thanks.
OK. I’m not an expert in this area but I have made it work before. You may want to use a hostname instead of an IP (matching the value in the certificate) and use the Docker extra_hosts section if you need to force the name resolution.
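The "doesn't contain any IP SANs" error above is the TLS client comparing the host part of the connection URI against the certificate's subjectAltName entries: an IP literal is only ever matched against IP Address SANs, a hostname only against DNS SANs, which is why switching the URI to a name the certificate actually covers (plus extra_hosts to make that name resolve) fixes it. The following is an added example, not code from the thread or from MongoDB, that reimplements that matching rule in Python over two constructed certificate dictionaries shaped like ssl.getpeercert() output (a Let's Encrypt style cert with DNS SANs only, and a hypothetical self-signed cert that also carries an IP SAN); the host names, the IP and the simplified host_from_uri helper are assumptions for illustration.

```python
"""Hostname-vs-IP matching against a certificate's subjectAltName entries.

Added example: mirrors the rule applied by TLS clients (including Go's x509
verifier used by Stitch): an IP literal in the URI must appear as an IP SAN,
a hostname must match a DNS SAN; the CN is ignored when SANs are present.
"""
import ipaddress

# Constructed samples in the shape returned by ssl.SSLSocket.getpeercert().
# Hypothetical values; a public CA such as Let's Encrypt issues DNS SANs only.
LETSENCRYPT_STYLE_CERT = {
    "subject": ((("commonName", "db.mydomain.com"),),),
    "subjectAltName": (("DNS", "db.mydomain.com"), ("DNS", "*.mydomain.com")),
}
# A self-signed cert can carry whatever SANs you put in it, including an IP.
SELF_SIGNED_WITH_IP_SAN = {
    "subject": ((("commonName", "mongo-host"),),),
    "subjectAltName": (("DNS", "mongo-host"), ("IP Address", "172.17.0.1")),
}


def _dns_name_matches(pattern, hostname):
    """RFC 6125-style comparison: case-insensitive, and a wildcard is only
    honoured as the entire left-most label, so *.mydomain.com matches
    db.mydomain.com but not a.b.mydomain.com or mydomain.com itself."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def verify_peer_name(cert, target):
    """Return (ok, reason) for `target`, the host part of the connection URI.

    An IP literal is compared only against "IP Address" SANs; anything else
    only against "DNS" SANs. The reason strings are this example's own, chosen
    to resemble the x509 error quoted in the thread."""
    sans = cert.get("subjectAltName", ())
    dns_names = [v for k, v in sans if k == "DNS"]
    ip_names = [v for k, v in sans if k == "IP Address"]
    try:
        ip = ipaddress.ip_address(target.strip("[]"))
    except ValueError:
        ip = None
    if ip is not None:
        if not ip_names:
            return False, (f"cannot validate certificate for {target} "
                           "because it doesn't contain any IP SANs")
        if any(ipaddress.ip_address(v) == ip for v in ip_names):
            return True, "matched IP SAN"
        return False, f"{target} is not among the IP SANs {ip_names}"
    if not dns_names:
        return False, "certificate has no DNS SANs"
    if any(_dns_name_matches(p, target) for p in dns_names):
        return True, "matched DNS SAN"
    return False, f"{target} is not covered by DNS SANs {dns_names}"


def host_from_uri(uri):
    """Pull the host out of a single-host mongodb:// URI (assumed helper;
    enough for the URIs in this thread, not a full MongoDB URI parser).
    Works whether or not the '/' after the host is present."""
    rest = uri.split("://", 1)[1]
    rest = rest.split("/", 1)[0].split("?", 1)[0]
    hostport = rest.rsplit("@", 1)[-1]
    if hostport.startswith("["):                # bracketed IPv6 literal
        return hostport[1:hostport.index("]")]
    return hostport.split(":", 1)[0]


if __name__ == "__main__":
    for uri, cert in [
        ("mongodb://admin:password@172.17.0.1/?ssl=true", LETSENCRYPT_STYLE_CERT),
        ("mongodb://admin:password@db.mydomain.com/?ssl=true", LETSENCRYPT_STYLE_CERT),
        ("mongodb://admin:password@172.17.0.1/?ssl=true", SELF_SIGNED_WITH_IP_SAN),
    ]:
        print(uri, "->", verify_peer_name(cert, host_from_uri(uri)))
```

The first URI fails for exactly the reason Stitch reported, the second passes because db.mydomain.com is a DNS SAN, and the third shows the only way the 172.17.0.1 form can ever pass: a certificate (in practice self-signed or from a private CA) that lists that address as an IP SAN. Whichever route is taken, the client must also trust the issuing CA, which is a separate check from the name match shown here.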
Hi Tom! I finally got it! I feel a little foolish after figuring out the issue. I took your advice and used hostname instead as well as extra_hosts and it works. I feel a little foolish because doing that seems normal, but I got confused during the install when I read:
Charts interprets localhost as the Docker container Charts is running in. If the database is running on the same host as the Charts Docker container but not in Docker, it will not be reachable via mongodb://localhost. Instead, use one of the following URIs depending on your Docker version when creating the Docker secret in the command below:
Linux IP address of the docker0 interface. 172.17.0.1 by default.
“If the database is running on the same host as the Charts Docker container but not in Docker…”, I guess I read this the wrong way, but I thought it meant that if I have a database on a host (ubuntu server) and the Charts container on the same host (ubuntu server), I would need to use the 172 address in the connection string and not the actual MongoDB deployment IP (or hostname). So now I use:
docker run --rm Quay charts-cli test-connection 'mongodb://admin:password@db.mydomain.com/?ssl=true'
And everything works great. Sorry I wasted your time, but the wording really confused me. Thanks for all the help.