MMS can't update - x509: certificate signed by unknown authority


Kevin Blake

May 27, 2015, 7:34:52 AM
to mongod...@googlegroups.com
When using SUSE Enterprise 11, I am getting the following errors in the MMS logs


<Removed> 05/27/15 - 12:24:33 error Backup Agent Manager Error downloading new agent : <Backup Agent Manager> [12:24:33.800] Failed to download new agent at https://s3.amazonaws.com/mongodb-mms-build-agent/releases/prod/mongodb-mms-backup-agent-3.4.0.273-1.linux_x86_64.tar.gz : Get https://s3.amazonaws.com/mongodb-mms-build-agent/releases/prod/mongodb-mms-backup-agent-3.4.0.273-1.linux_x86_64.tar.gz: x509: certificate signed by unknown authority ( repeated 2 times )
<Removed> 05/27/15 - 12:24:33 error Monitoring Agent Manager Error downloading new agent : <Monitoring Agent Manager> [12:24:33.803] Failed to download new agent at https://s3.amazonaws.com/mongodb-mms-build-agent/releases/prod/mongodb-mms-monitoring-agent-3.3.0.183-1.linux_x86_64.tar.gz : Get https://s3.amazonaws.com/mongodb-mms-build-agent/releases/prod/mongodb-mms-monitoring-agent-3.3.0.183-1.linux_x86_64.tar.gz: x509: certificate signed by unknown authority ( repeated 2 times )

wget can download the file just fine...

I have already carried out the steps here:

Is there additional configuration I need to add to make SUSE work? (This isn't a problem on my other Ubuntu hosts.)

Many thanks,
Kevin.

Evgeniy Klemin

May 30, 2015, 12:30:46 PM
to mongod...@googlegroups.com
Same problem in docker container based on official mongo image.

If I specify sslTrustedMMSServerCertificate in the config, the monitoring agent doesn't work (it can't download), but if I remove sslTrustedMMSServerCertificate, the monitoring agent downloads successfully, but now I get errors: "Error retrieving cluster config"

On Wednesday, May 27, 2015 at 14:34:52 UTC+3, Kevin Blake wrote:

Kevin Blake

Jun 1, 2015, 7:25:29 AM
to mongod...@googlegroups.com
Were you able to update the agent by removing the sslTrustedMMSServerCertificate  configuration, and putting it back afterwards?

Евгений Клёмин

Jun 1, 2015, 7:36:24 AM
to mongod...@googlegroups.com
I restart the agent together with mongod every time. But now everything seems to work; the monitoring agent downloaded without the sslTrustedMMSServerCertificate option.

--
You received this message because you are subscribed to the Google Groups "mongodb-user" group.
For other MongoDB technical support options, see: http://www.mongodb.org/about/support/.
To view this discussion on the web visit https://groups.google.com/d/msgid/mongodb-user/004b7e39-0db3-4d1f-9e4d-9d0f6c69e703%40googlegroups.com.



--
Best regards, Евгений Клёмин

Kevin Blake

Jun 18, 2015, 9:31:22 AM
to mongod...@googlegroups.com
Thanks for the update... It doesn't seem to make a difference for me. The automation agent just can't be downloaded or updated. SUSE is looking to be quite a poor companion to MongoDB, so far (at least if MMS is important).

Kevin Blake

Jun 19, 2015, 9:43:09 AM
to mongod...@googlegroups.com
Peter Gravelle kindly helped me out with this from MongoDB support. As you can see, we should only really be using this having exhausted all other options (such as fixing the certificate store), but for me it was the quickest option to get back up and running.

Original message continues:

It turns out there is a workaround, although it does come with its own problems.

The root cause is this Golang issue. A workaround is to add the following line to your Automation Agent's configuration file:

sslRequireValidMMSServerCertificates=false

The consequence is that the Automation Agent will no longer verify MMS server certificates. The update will succeed, however.


Kambiz Shahim

Aug 6, 2015, 3:40:39 AM
to mongodb-user

The problem is that the MongoDB automation agent uses the provided certificate not only for verifying the certificate of the MMS server but also for verifying the certificate of the Amazon AWS server from which the agent downloads updates (https://s3.amazonaws.com/mongodb-mms-build-agent), and those servers' certificates have a different certification path. The MMS root certificate authority is UTN-USERFirst-Hardware, while Amazon AWS's is VeriSign Class 3 Public Primary Certification Authority - G5.

A simple workaround could be merging the two certificate PEM files into one and using it as the sslTrustedMMSServerCertificate of the MongoDB automation agent.

# Build one bundle holding both root certificates (the MMS root first, then the AWS root appended).
cat /etc/ssl/certs/UTN_USERFirst_Hardware_Root_CA.pem > /etc/ssl/certs/UTN_USERFirst_Hardware_Root_CA_VeriSign_Class3_Root.pem
cat /etc/ssl/certs/VeriSign_Class_3_Public_Primary_Certification_Authority_G5.pem >> /etc/ssl/certs/UTN_USERFirst_Hardware_Root_CA_VeriSign_Class3_Root.pem

# Then point the automation agent's configuration at the merged bundle.
sslTrustedMMSServerCertificate=/etc/ssl/certs/UTN_USERFirst_Hardware_Root_CA_VeriSign_Class3_Root.pem
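How a pinned trust bundle interacts with the two endpoints, as an added Go example (the MMS agents are Go programs and the logged error is Go's x509 error text); this is not the agent's code and not something posted in the thread. It mints two throwaway root CAs in-process to stand in for the MMS root and the S3 root (the "Test MMS Root CA" / "Test S3 Root CA" names and the example.test hostnames are made up), verifies the S3 leaf first against a bundle holding only the MMS root, which reproduces "x509: certificate signed by unknown authority", then against the merged bundle, the in-memory equivalent of the cat commands above. agentTLSConfig shows what the two configuration keys discussed in this thread (sslTrustedMMSServerCertificate and Peter Gravelle's sslRequireValidMMSServerCertificates=false workaround) amount to in crypto/tls; that mapping is my assumption, not anything taken from the agent's source.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// check panics on error: key generation and cert minting only fail on a broken RNG.
func check(err error) {
	if err != nil {
		panic(err)
	}
}

// issued is a throwaway root CA (PEM) plus a server cert chained to it.
type issued struct {
	rootPEM []byte
	leaf    *x509.Certificate
}

// newRootAndLeaf mints a self-signed root named cn and a server cert for host
// signed by it. Everything is generated in-process; none of it is a real MMS,
// UTN-USERFirst or VeriSign certificate.
func newRootAndLeaf(cn, host string) issued {
	rootKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	now := time.Now()
	root := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	rootDER, err := x509.CreateCertificate(rand.Reader, root, root, &rootKey.PublicKey, rootKey)
	check(err)
	rootCert, err := x509.ParseCertificate(rootDER)
	check(err)
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host},
		DNSNames:  []string{host},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, rootCert, &leafKey.PublicKey, rootKey)
	check(err)
	leaf, err := x509.ParseCertificate(leafDER)
	check(err)
	return issued{rootPEM: pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: rootDER}), leaf: leaf}
}

// mergeBundles is the in-memory form of `cat a.pem b.pem > both.pem`.
func mergeBundles(pems ...[]byte) []byte {
	var out []byte
	for _, p := range pems {
		out = append(out, p...)
	}
	return out
}

// verifyAgainst validates leaf for host using only the roots in bundlePEM. A pinned
// sslTrustedMMSServerCertificate file behaves this way: it replaces the OS trust store
// for every HTTPS connection the agent makes, the S3 download included, so a bundle
// holding only the MMS root rejects the S3 chain with x509.UnknownAuthorityError.
func verifyAgainst(bundlePEM []byte, leaf *x509.Certificate, host string) error {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(bundlePEM) {
		return errors.New("no CA certificates found in bundle")
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err
}

// agentTLSConfig maps the thread's two knobs onto crypto/tls (an assumption, not the
// agent's source): a trusted-certificate file pins RootCAs to that bundle, while
// requireValid=false (sslRequireValidMMSServerCertificates=false) skips chain and
// hostname checks entirely, so an interceptor's certificate is accepted too.
func agentTLSConfig(bundlePEM []byte, requireValid bool) (*tls.Config, error) {
	if !requireValid {
		return &tls.Config{InsecureSkipVerify: true}, nil
	}
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(bundlePEM) {
		return nil, errors.New("no CA certificates found in bundle")
	}
	return &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12}, nil
}

func main() {
	mms := newRootAndLeaf("Test MMS Root CA", "mms.example.test")
	s3 := newRootAndLeaf("Test S3 Root CA", "s3.example.test")
	fmt.Println("S3 cert, MMS-only bundle:", verifyAgainst(mms.rootPEM, s3.leaf, "s3.example.test"))
	merged := mergeBundles(mms.rootPEM, s3.rootPEM)
	fmt.Println("S3 cert, merged bundle:", verifyAgainst(merged, s3.leaf, "s3.example.test"))
}
```

A pinned bundle trusts exactly the roots it contains, nothing else: if either endpoint later chains to a different root, the download fails with the same error again, and the fix is to add that root to the bundle or fall back to the OS trust store, which is what let wget succeed in the first post. Setting sslRequireValidMMSServerCertificates=false removes the check altogether, so it should stay the last resort the thread describes it as.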
