...
We're running v3.2.7 in a three-member replica configuration. The config uses IPs instead of hostnames, e.g.:

    rs.conf()
    {
        "_id" : "eusbg1",
        "version" : 4,
        "protocolVersion" : NumberLong(1),
        "members" : [
            {
                "_id" : 0,
                "host" : "167.114.255.189:27017",
                "arbiterOnly" : false,
                "buildIndexes" : true,
                "hidden" : false,
                "priority" : 1,
                "tags" : { },
                "slaveDelay" : NumberLong(0),
                "votes" : 1
            },
    ...

The config on one of the nodes is as follows:

    ...
    net:
      port: 27017
      ssl:
        mode: allowSSL
        PEMKeyFile: /etc/mongod/member.pem
        CAFile: /etc/mongod/ca.pem
    ...

When trying to connect to this member via

    mongo --ssl --sslCAFile ca.pem --host 4.4.4.4 admin -u user -p

we get the following error:

    The server certificate does not match the host name 4.4.4.4

The certificate is configured as follows:

    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number:
                3d:11:10:7d:d8:0c:82:ba:a2:01:f5:d8:a9:26:3a:29:9e:88:10:04
        Signature Algorithm: sha256WithRSAEncryption
            Issuer: C=SK, ST=SK, L=Bratislava, CN=*
            Validity
                Not Before: Jun 13 15:22:00 2016 GMT
                Not After : May 20 15:22:00 2116 GMT
            Subject: C=SK, ST=SK, L=Bratislava, CN=*
    ...

It appears that the mongo client should connect without any issues since the CN=*, but the mongo client throws an error about an invalid hostname.
ceecko@gmail.com commented on Wed, 15 Jun 2016 15:17:23 +0000:

No problem. Thanks for the info.

andreas.nilsson@10gen.com commented on Wed, 15 Jun 2016 15:00:05 +0000:

Hi, apologies, it looks like you are right, SAN IP addresses are not supported in our current TLS stack. I have filed SERVER-24591. In the meantime you could try to put the IP address as a DNS name in the SAN; it's a possible workaround.

Thanks,
Andreas

ceecko@gmail.com commented on Tue, 14 Jun 2016 11:25:27 +0000:

The problem appears to be in the SAN. This certificate works fine (CN=*.my.dev, no SAN):

    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number:
                61:19:da:c5:20:c5:d2:b1:3b:36:55:8d:2e:f2:0d:6a:b4:68:89:3a
        Signature Algorithm: sha256WithRSAEncryption
            Issuer: C=US, ST=CA, L=San Francisco, CN=example.net
            Validity
                Not Before: Jun 14 11:16:00 2016 GMT
                Not After : Jun 14 11:16:00 2017 GMT
            Subject: C=US, ST=CA, L=San Francisco, CN=*.my.dev
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    Public-Key: (2048 bit)
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Key Usage: critical
                    Digital Signature, Key Encipherment
                X509v3 Extended Key Usage:
                    TLS Web Server Authentication, TLS Web Client Authentication
                X509v3 Basic Constraints: critical
                    CA:FALSE
                X509v3 Subject Key Identifier:
                    04:90:37:27:DF:6D:1A:CF:C3:F9:B6:79:2C:4C:F6:67:B6:A0:FF:55
                X509v3 Authority Key Identifier:
                    keyid:02:2B:A7:22:09:BE:F0:4F:8F:6E:26:39:A8:2A:39:2E:A5:E2:01:EF
        Signature Algorithm: sha256WithRSAEncryption

While this one (CN=*.my.dev, SAN=127.0.0.1) does not work and throws an invalid hostname error:

    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number:
                60:20:f2:35:39:d1:2d:ab:2b:1f:6b:b6:6c:d6:d7:9e:dc:07:fe:45
        Signature Algorithm: sha256WithRSAEncryption
            Issuer: C=US, ST=CA, L=San Francisco, CN=example.net
            Validity
                Not Before: Jun 14 11:16:00 2016 GMT
                Not After : Jun 14 11:16:00 2017 GMT
            Subject: C=US, ST=CA, L=San Francisco, CN=*.my.dev
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    Public-Key: (2048 bit)
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Key Usage: critical
                    Digital Signature, Key Encipherment
                X509v3 Extended Key Usage:
                    TLS Web Server Authentication, TLS Web Client Authentication
                X509v3 Basic Constraints: critical
                    CA:FALSE
                X509v3 Subject Key Identifier:
                    A7:E1:A6:A5:43:87:F4:43:B2:44:36:F0:B7:EA:3B:54:95:A4:43:14
                X509v3 Authority Key Identifier:
                    keyid:02:2B:A7:22:09:BE:F0:4F:8F:6E:26:39:A8:2A:39:2E:A5:E2:01:EF
                X509v3 Subject Alternative Name:
                    IP Address:127.0.0.1
        Signature Algorithm: sha256WithRSAEncryption

ceecko@gmail.com commented on Tue, 14 Jun 2016 09:56:13 +0000:

There seems to be an issue with the IPs being used instead of hostnames.
I have tried the following two certificates:

    root@fec8b0301c6f:/go/tmp# openssl x509 -in member2.pem -text -noout
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number:
                67:e1:e4:ae:04:4e:0c:ea:de:da:e1:11:87:1e:c5:ea:8b:3f:b8:99
        Signature Algorithm: sha256WithRSAEncryption
            Issuer: C=US, ST=CA, L=San Francisco, CN=example.net
            Validity
                Not Before: Jun 14 09:23:00 2016 GMT
                Not After : Jun 14 09:23:00 2017 GMT
            Subject: C=US, ST=CA, L=San Francisco, CN=127.0.0.1
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    Public-Key: (2048 bit)
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Key Usage: critical
                    Digital Signature, Key Encipherment
                X509v3 Extended Key Usage:
                    TLS Web Server Authentication, TLS Web Client Authentication
                X509v3 Basic Constraints: critical
                    CA:FALSE
                X509v3 Subject Key Identifier:
                    04:77:D7:DA:B9:17:8C:68:B7:CE:4E:83:C9:EF:B7:99:F3:BD:C7:BE
                X509v3 Authority Key Identifier:
                    keyid:02:2B:A7:22:09:BE:F0:4F:8F:6E:26:39:A8:2A:39:2E:A5:E2:01:EF
                X509v3 Subject Alternative Name:
                    IP Address:127.0.0.1
        Signature Algorithm: sha256WithRSAEncryption

    root@fec8b0301c6f:/go/tmp# openssl x509 -in member.pem -text -noout
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number:
                5a:24:7f:b6:9a:e5:32:cb:00:e8:d2:03:56:a9:a1:b8:a0:00:26:34
        Signature Algorithm: sha256WithRSAEncryption
            Issuer: C=US, ST=CA, L=San Francisco, CN=example.net
            Validity
                Not Before: Jun 14 09:16:00 2016 GMT
                Not After : Jun 14 09:16:00 2017 GMT
            Subject: C=US, ST=CA, L=San Francisco, CN=example.net
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    Public-Key: (2048 bit)
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Key Usage: critical
                    Digital Signature, Key Encipherment
                X509v3 Extended Key Usage:
                    TLS Web Server Authentication, TLS Web Client Authentication
                X509v3 Basic Constraints: critical
                    CA:FALSE
                X509v3 Subject Key Identifier:
                    73:E1:D1:69:1D:90:E2:53:1A:C2:26:7B:95:2F:6B:E6:2E:1A:4A:DF
                X509v3 Authority Key Identifier:
                    keyid:02:2B:A7:22:09:BE:F0:4F:8F:6E:26:39:A8:2A:39:2E:A5:E2:01:EF
                X509v3 Subject Alternative Name:
                    IP Address:127.0.0.1
        Signature Algorithm: sha256WithRSAEncryption

Used this command to start MongoDB:

    mongod --sslAllowConnectionsWithoutCertificates --sslAllowInvalidHostnames --sslMode allowSSL --sslPEMKeyFile D:\apps\member.pem --sslCAFile D:\apps\ca.pem

And this to connect:

    mongo --ssl --sslCAFile D:\apps\ca.pem 127.0.0.1

But I still get an error about an invalid hostname:

    E NETWORK [thread1] The server certificate does not match the host name 127.0.0.1

Using --sslAllowInvalidHostnames with the mongo client helps, but it still shows a warning that the hostname does not match.
    W NETWORK [thread1] The server certificate does not match the host name 127.0.0.1

andreas.nilsson@10gen.com commented on Mon, 13 Jun 2016 21:34:43 +0000:

Ok, you can also try to set another CN that is technically valid according to the spec together with the IP address. Good luck!

ceecko@gmail.com commented on Mon, 13 Jun 2016 21:31:44 +0000:

Thank you andreas.nilsson for your reply. The IP address has been in the SAN field of the certificate and it threw the error either way. We'll try the --sslAllowInvalidHostnames though.

ramon.fernandez commented on Mon, 13 Jun 2016 17:22:22 +0000:

ceecko@gmail.com, as per Andreas' explanation it seems there's no bug in the server, so I'm going to close this ticket since the SERVER project is for reporting bugs or feature suggestions for MongoDB. For MongoDB-related support discussion please post on the mongodb-user group or Stack Overflow with the mongodb tag, where your question will reach a larger audience. A question like this involving more discussion would be best posted on the mongodb-user group. See also our Technical Support page for additional support resources.

Thanks,
Ramón.

andreas.nilsson@10gen.com commented on Mon, 13 Jun 2016 17:11:09 +0000:

Hi,

Using a wildcard CN=* is not supported in SSL/TLS certificates per the standard; you will need to use *.mydomain.tld. If your organization doesn't care about hostname matching you can also start the server with the flag --sslAllowInvalidHostnames, which is semantically equivalent to using CN=*. If you want to use IP addresses for hostname matching I would recommend adding them to the SAN field of the certificate.

Kind regards,
Andreas Nilsson
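The matching rules behind this thread (why a bare CN=* matches nothing, why an IP literal must be found as an iPAddress SAN entry, and why the "IP as a DNS name in the SAN" workaround from the 15 Jun comment helps on a stack that ignores iPAddress entries) as an added example; this is not MongoDB's code, and the `ip_san_supported=False` branch is a model of the 3.2.7 behaviour the ticket describes, not a reproduction of the server's implementation. The certificate name sets are constructed from the openssl dumps above.

```python
import ipaddress

# Name sets constructed from the ticket's openssl dumps (names only, no keys).
CERT_BARE_WILDCARD = {"cn": "*", "dns": [], "ip": []}                # original member cert
CERT_WILDCARD_NO_SAN = {"cn": "*.my.dev", "dns": [], "ip": []}       # "works fine"
CERT_IP_SAN = {"cn": "*.my.dev", "dns": [], "ip": ["127.0.0.1"]}     # "invalid hostname"
CERT_IP_AS_DNS = {"cn": "*.my.dev", "dns": ["127.0.0.1"], "ip": []}  # suggested workaround


def _is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _dns_match(pattern, host):
    """RFC 6125-style comparison: a wildcard is allowed only as the whole
    leftmost label of a name with at least two more labels, so '*.my.dev'
    matches 'node.my.dev' but the bare '*' from the ticket matches nothing."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or "*" in pattern[1:]:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def matches_hostname(cert, host, ip_san_supported=True):
    """Return True if `host` (DNS name or IP literal) is a name the cert was
    issued for. ip_san_supported=False models a verifier that ignores
    iPAddress SAN entries (the 3.2.7 behaviour reported in the ticket)."""
    dns_names, ip_names = cert.get("dns", []), cert.get("ip", [])
    if _is_ip_literal(host):
        if ip_san_supported:
            # Standard rule: an IP literal matches only iPAddress SAN entries.
            target = ipaddress.ip_address(host)
            return any(ipaddress.ip_address(i) == target for i in ip_names)
        # Modelled legacy rule: only a dNSName entry carrying the IP text
        # matches, which is why putting the IP in as a DNS name works around it.
        return host in dns_names
    if dns_names:  # once dNSName entries exist, the CN is not consulted
        return any(_dns_match(p, host) for p in dns_names)
    return _dns_match(cert.get("cn", ""), host)  # no SAN: fall back to the CN
```

Note that under the standard rule the workaround certificate does not match the IP literal, so it is only useful against a verifier with the legacy behaviour and should be replaced once iPAddress entries are honoured.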