...
Connecting to a TLS Secured MongoDB remote instance from MacOSX 10.15.1 via the mongo shell fails with the following error:

```
2019-12-08T10:31:11.760+0100 D1 NETWORK [main] Client Certificate Name: CN=client,O=Company,ST=Germany,C=DE
MongoDB shell version v4.2.0
connecting to: mongodb://localhost:27017/mongo?authSource=admin&compressors=disabled&gssapiServiceName=mongodb
2019-12-08T10:31:11.798+0100 D1 NETWORK [js] creating new connection to:localhost:27017
2019-12-08T10:31:11.997+0100 D1 - [js] User Assertion: UnsupportedFormat: Invalid IP address in CIDR string src/mongo/util/net/cidr.cpp 116
2019-12-08T10:31:12.023+0100 E NETWORK [js] SSL peer certificate validation failed: Certificate trust failure: CSSMERR_TP_CERT_SUSPENDED; connection rejected
2019-12-08T10:31:12.023+0100 D1 - [js] User Assertion: SSLHandshakeFailed: SSL peer certificate validation failed: Certificate trust failure: CSSMERR_TP_CERT_SUSPENDED; connection rejected src/mongo/transport/session_asio.h 251
2019-12-08T10:31:12.023+0100 D1 - [js] User Assertion: InternalError: couldn't connect to server localhost:27017, connection attempt failed: SSLHandshakeFailed: SSL peer certificate validation failed: Certificate trust failure: CSSMERR_TP_CERT_SUSPENDED; connection rejected src/mongo/scripting/mozjs/mongo.cpp 832
2019-12-08T10:31:12.023+0100 E QUERY [js] Error: couldn't connect to server localhost:27017, connection attempt failed: SSLHandshakeFailed: SSL peer certificate validation failed: Certificate trust failure: CSSMERR_TP_CERT_SUSPENDED; connection rejected :
connect@src/mongo/shell/mongo.js:341:17
@(connect):2:6
2019-12-08T10:31:12.023+0100 D1 - [js] User Assertion: Location12513: connect failed src/mongo/shell/shell_utils.cpp 416
2019-12-08T10:31:12.023+0100 I QUERY [js] MozJS GC prologue heap stats - total: 4033838 limit: 0
2019-12-08T10:31:12.026+0100 I QUERY [js] MozJS GC epilogue heap stats - total: 14 limit: 0
2019-12-08T10:31:12.026+0100 D1 - [main] User Assertion: Location12513: connect failed src/mongo/scripting/mozjs/proxyscope.cpp 320
2019-12-08T10:31:12.026+0100 F - [main] exception: connect failed
2019-12-08T10:31:12.026+0100 E - [main] exiting with code 1
```

This is the redacted command used: `mongo --host $HOSTNAME --port $PORT --username $USER --password $PASSWORD --authenticationDatabase admin --tls --tlsCertificateKeyFile $CLIENTKEY --tlsCAFile $CA_CERTIFICATE`

The connection works with the same parameters when executed directly on the Ubuntu 18.04 server. It works as well when specifying the exact same certificates and authentication details using Compass running on MacOS. Downgrading to mongo v3.6.14 and using --ssl, --sslPEMKeyFile and --sslCAFile in place of the respective tls flags works as well.
spencer.jackson@10gen.com commented on Tue, 21 Jan 2020 14:14:15 +0000:
Got it, thanks jascha.brinkmann+mongodb@gmail.com! Because we believe we have a solution, I'm going to resolve this ticket. If your subsequent reproduction demonstrates this isn't the case, please feel free to re-open.

hello@growtheme.com commented on Tue, 21 Jan 2020 09:08:12 +0000:
I can't test with a shorter SSL certificate validity right now, but I can confirm that the server certificate has a validity of 10 years so this is very likely the culprit.

spencer.jackson@10gen.com commented on Tue, 14 Jan 2020 00:56:26 +0000:
Hi jascha.brinkmann+mongodb@gmail.com, was Andrey's advice applicable to your situation?

andrey.brindeyev commented on Sat, 21 Dec 2019 21:12:55 +0000:
jascha.brinkmann+mongodb@gmail.com, it seems that your MongoDB Server SSL certificate is no longer acceptable by macOS Catalina. You will find additional information here: https://support.apple.com/en-us/HT210176. Let us know if that resolves your issue. What helped me is to limit SSL certificate's validity to 824 days.

jascha.brinkmann+mongodb@gmail.com commented on Tue, 17 Dec 2019 19:21:58 +0000:
Hey Daniel, thanks for your reply. I tried on a different Mac using same certificates, host, password and mongo shell version 4.2.2 but running macOS 10.14.6 and it worked without any issue. I then updated the same Mac to macOS Catalina 10.15.1 and tried once more without changing anything else and it failed with the exact error already described above. So I can confirm that this is happening on two different computers which run macOS Catalina 10.15.1. I would suggest that you try it for yourself on macOS 10.15.1 and see if you can confirm this as well.

daniel.hatcher commented on Fri, 13 Dec 2019 21:23:54 +0000:
Thank you for the report. Do you have the opportunity to test your configuration on a different operating system? I was not able to reproduce on macOS 10.14.5 but we'd like to see if the problem is at the OS level.

jascha.brinkmann+mongodb@gmail.com commented on Sun, 8 Dec 2019 10:00:05 +0000:
Somebody else reporting the same issue and coming up with the same solution of downgrading the mongo shell: https://stackoverflow.com/questions/56843107/how-to-fix-ssl-error-cssmerr-tp-verify-action-failed-in-mongo
Set up a TLS secured MongoDB Cluster that verifies both client and server certificates. Try connecting with mongo shell 4.2.0 from MacOSX 10.15.1
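
The validity limit that the comments above settle on can be checked from the two dates that `openssl x509 -noout -dates` prints for the server certificate. The following is an added example, not part of the ticket or of MongoDB's code: it assumes the rule from the linked Apple article HT210176 (TLS server certificates issued after July 1, 2019 must be valid for 825 days or fewer), and the function names and sample dates are constructed for illustration.

```python
import ssl

# Assumption: limit taken from Apple's HT210176 article linked in the thread.
MAX_VALIDITY_DAYS = 825
# Conservative reading: any notBefore on or after July 1, 2019 is under the limit.
CUTOFF = ssl.cert_time_to_seconds("Jul  1 00:00:00 2019 GMT")

# Constructed sample: `openssl x509 -noout -dates` output for a 10-year cert.
SAMPLE_TEN_YEAR = """notBefore=Dec  1 12:00:00 2019 GMT
notAfter=Nov 28 12:00:00 2029 GMT"""


def parse_dates(openssl_output):
    """Parse `openssl x509 -noout -dates` output into epoch seconds."""
    fields = {}
    for line in openssl_output.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key in ("notBefore", "notAfter"):
            fields[key] = ssl.cert_time_to_seconds(value)
    if set(fields) != {"notBefore", "notAfter"}:
        raise ValueError("expected notBefore= and notAfter= lines")
    return fields["notBefore"], fields["notAfter"]


def check_validity(openssl_output):
    """Return (validity_days, accepted) for a TLS server certificate."""
    not_before, not_after = parse_dates(openssl_output)
    if not_after <= not_before:
        raise ValueError("notAfter is not later than notBefore")
    # Round a partial day up so a cert one second over the limit still fails.
    days = -(-(not_after - not_before) // 86400)
    subject_to_limit = not_before >= CUTOFF
    return days, (not subject_to_limit) or days <= MAX_VALIDITY_DAYS


if __name__ == "__main__":
    days, ok = check_validity(SAMPLE_TEN_YEAR)
    print(f"validity: {days} days, passes the 825-day rule: {ok}")
```

A certificate that fails this check has to be reissued with a shorter lifetime; the check covers only the validity period and not the other requirements listed in the Apple article.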