...
Starting in the last week or two, the C Driver's mongo orchestration config has been unable to start a sharded cluster of replica sets with TLS enabled. Shard servers now seem to reject connections from other shard servers. They log:

    2018-08-01T22:36:37.579+0000 I NETWORK  [listener] connection accepted from 127.0.0.1:56037 #12 (3 connections now open)
    2018-08-01T22:36:37.584+0000 W NETWORK  [conn12] SSL peer certificate validation failed: unsupported certificate purpose
    2018-08-01T22:36:37.584+0000 I NETWORK  [conn12] end connection 127.0.0.1:56037 (2 connections now open)
jesse commented on Mon, 6 Aug 2018 19:26:39 +0000:

Thanks Mark! No, none of our configurations pass --sslClusterFile, only --sslPEMKeyFile. I just realized what's really happening: until a change to our Evergreen config.yml on July 19, the C Driver had no variants executing our test task for a sharded cluster with auth and OpenSSL. We had messed up our tag selectors such that the test task was defined but never selected to run in any variant. I thought this was a server change, but our test config has been wrong for a long time or forever.

mark.benvenuto commented on Mon, 6 Aug 2018 18:15:41 +0000:

This is a bug in the certificate. The server has not changed any code on its side. I validated that the server.pem cannot be used as a client certificate. I used the following server and CA file:

    https://github.com/mongodb/mongo-c-driver/blob/2f3878954915baf0c07b2e5d8a6e81964ca76e6c/src/libmongoc/tests/x509gen/server.pem
    https://github.com/mongodb/mongo-c-driver/blob/2f3878954915baf0c07b2e5d8a6e81964ca76e6c/src/libmongoc/tests/x509gen/ca.pem

I used the shell to connect with this certificate:

    ./mongo --ssl --sslPEMKeyFile=server.pem --sslCAFile=ca.pem

and the server logged the following error as expected:

    2018-08-06T14:07:24.845-0400 E NETWORK  [conn1] SSL peer certificate validation failed: unsupported certificate purpose

2 I validated this against 3.6.5 and 4.0.0.

Did mongo-orchestration ever use --sslClusterFile? When the mongos/mongod is passed only --sslPEMKeyFile, it uses that certificate for inbound and outbound communication. If it is passed --sslClusterFile, it will use --sslPEMKeyFile for inbound connections and use --sslClusterFile for making outbound connections.

jesse commented on Mon, 6 Aug 2018 15:50:01 +0000:

That's right, v4.1.1-224-gecb0b6c on Ubuntu 14.04.

mark.benvenuto commented on Mon, 6 Aug 2018 15:35:44 +0000:

Just want to confirm that the test environment is with MongoD 4.1 with OpenSSL running on Ubuntu 14.04?
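A way to check which TLS roles a PEM certificate is valid for, i.e. the serverAuth/clientAuth distinction behind the "unsupported certificate purpose" error that mark.benvenuto describes when a server-only certificate is used for outbound (client-side) connections. This is an added example, not part of the ticket or of the C Driver's x509gen fixtures; it assumes the openssl CLI is available and generates throwaway self-signed certificates instead of using the repo's server.pem/ca.pem.

```shell
#!/bin/sh
# Added example: reproduce the server-only vs. server+client certificate
# purpose mismatch offline and let OpenSSL report which roles each cert may take.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# gen_cert NAME EKU_LIST: self-signed cert whose extendedKeyUsage is EKU_LIST
# (a config file is used instead of -addext so it also works on OpenSSL 1.0.x)
gen_cert() {
  name=$1; eku=$2
  cat > "$WORK/$name.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
x509_extensions = ext
[dn]
CN = $name.example.test
[ext]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = $eku
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -config "$WORK/$name.cnf" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.pem" >/dev/null 2>&1
}

# cert_allows PEM ROLE: exit 0 if `openssl x509 -purpose` lists ROLE as "Yes".
# ROLE is one of the labels openssl prints: "SSL client" or "SSL server".
cert_allows() {
  openssl x509 -in "$1" -noout -purpose | grep -q "^$2 : Yes"
}

# A certificate carrying only serverAuth: fine for inbound TLS, but a peer
# validating it as a *client* certificate will reject it for wrong purpose.
gen_cert server-only serverAuth
# A cluster-style certificate valid for both inbound (server) and outbound (client).
gen_cert cluster "serverAuth, clientAuth"

report() {
  for role in "SSL client" "SSL server"; do
    if cert_allows "$1" "$role"; then echo "$1: $role OK"; else echo "$1: $role rejected"; fi
  done
}
report "$WORK/server-only.pem"
report "$WORK/cluster.pem"
```

Running `openssl x509 -in server.pem -noout -purpose` against the real fixture is the quickest way to confirm whether "SSL client" is listed as "No" before a cluster member is told to use it for outbound connections.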