fails to negociate SCRAM-SHA1

[Rafael Avila Martínez]

Hi everyone!!

This is my first time using this awesome lib and something really odd is happening in my application (akka-http). So here I go:

My application is a micro-service based on akka-http, the app consumes a API and the data that it fetched from it is saved validated and stored in mongo.

But when I run the micro-service I get the next error:

13:15:22.039 [default-akka.actor.default-dispatcher-4] INFO reactivemongo.api.MongoDriver - No mongo-async-driver configuration found

13:15:22.120 [default-akka.actor.default-dispatcher-6] INFO reactivemongo.api.MongoDriver - [Supervisor-1] Creating connection: Connection-2

13:15:22.131 [reactivemongo-akka.actor.default-dispatcher-4] DEBUG reactivemongo.api.MongoDriver - [Supervisor-1] Add connection to the supervisor: Connection-2

13:15:22.150 [default-akka.actor.default-dispatcher-6] DEBUG reactivemongo.api.Failover2 - [Supervisor-1/Connection-2] Waiting is available...

13:15:23.024 [reactivemongo-akka.actor.default-dispatcher-2] DEBUG reactivemongo.core.actors.MongoDBSystem - [Supervisor-1/Connection-2] The node set is available (Set(ds013172-a.mlab.com:13172, ds013172.mlab.com:13172)); Waiting authentication: Set()

13:15:23.114 [reactivemongo-akka.actor.default-dispatcher-3] DEBUG reactivemongo.core.actors.MongoDBSystem - AUTH: got challenge for channel -1745266098: ScramSha1Challenge(1)

13:15:23.220 [reactivemongo-akka.actor.default-dispatcher-3] ERROR reactivemongo.core.actors.MongoDBSystem - [Supervisor-1/Connection-2] Authentication failure

reactivemongo.core.commands.DefaultCommandError: BSONCommandError['fails to negociate SCRAM-SHA1: org.apache.commons.codec.digest.DigestUtils.sha1([B)[B']

at reactivemongo.core.commands.CommandError$.apply(commands.scala:149)

at reactivemongo.core.commands.ScramSha1StartNegociation$$anonfun$3$$anonfun$apply$16$$anonfun$apply$19.liftedTree1$1(authentication.scala:191)

at reactivemongo.core.commands.ScramSha1StartNegociation$$anonfun$3$$anonfun$apply$16$$anonfun$apply$19.apply(authentication.scala:160)

at reactivemongo.core.commands.ScramSha1StartNegociation$$anonfun$3$$anonfun$apply$16$$anonfun$apply$19.apply(authentication.scala:156)

at scala.util.Either$RightProjection.flatMap(Either.scala:522)

at reactivemongo.core.commands.ScramSha1StartNegociation$$anonfun$3$$anonfun$apply$16.apply(authentication.scala:156)

at reactivemongo.core.commands.ScramSha1StartNegociation$$anonfun$3$$anonfun$apply$16.apply(authentication.scala:152)

at scala.util.Either$RightProjection.flatMap(Either.scala:522)

at reactivemongo.core.commands.ScramSha1StartNegociation$$anonfun$3.apply(authentication.scala:152)

at reactivemongo.core.commands.ScramSha1StartNegociation$$anonfun$3.apply(authentication.scala:149)

at scala.util.Either$RightProjection.flatMap(Either.scala:522)

at reactivemongo.core.commands.ScramSha1StartNegociation.<init>(authentication.scala:149)

at reactivemongo.core.actors.MongoScramSha1Authentication$$anonfun$2$$anonfun$applyOrElse$6$$anonfun$apply$12.apply(authentication.scala:107)

at reactivemongo.core.actors.MongoScramSha1Authentication$$anonfun$2$$anonfun$applyOrElse$6$$anonfun$apply$12.apply(authentication.scala:104)

at reactivemongo.core.actors.MongoDBSystem$$anonfun$whenAuthenticating$1$$anonfun$apply$22.apply(actors.scala:769)

at reactivemongo.core.actors.MongoDBSystem$$anonfun$whenAuthenticating$1$$anonfun$apply$22.apply(actors.scala:768)

at scala.Option.fold(Option.scala:158)

at reactivemongo.core.actors.MongoDBSystem$$anonfun$whenAuthenticating$1.apply(actors.scala:768)

at reactivemongo.core.actors.MongoDBSystem$$anonfun$whenAuthenticating$1.apply(actors.scala:767)

at reactivemongo.core.nodeset.NodeSet$$anonfun$10$$anonfun$1.applyOrElse(nodeset.scala:113)

at reactivemongo.core.nodeset.NodeSet$$anonfun$10$$anonfun$1.applyOrElse(nodeset.scala:112)

at scala.runtime.AbstractPartialFunction.apply(AbstractPartialFunction.scala:36)

at reactivemongo.core.nodeset.utils.package$.update(nodeset.scala:58)

at reactivemongo.core.nodeset.NodeSet$$anonfun$10.apply(nodeset.scala:112)

at reactivemongo.core.nodeset.NodeSet$$anonfun$10.apply(nodeset.scala:111)

at scala.collection.TraversableLike$$anonfun$map$1.apply(TraversableLike.scala:234)

at scala.collection.TraversableLike$$anonfun$map$1.apply(TraversableLike.scala:234)

at scala.collection.Iterator$class.foreach(Iterator.scala:893)

at scala.collection.AbstractIterator.foreach(Iterator.scala:1336)

at scala.collection.IterableLike$class.foreach(IterableLike.scala:72)

at scala.collection.AbstractIterable.foreach(Iterable.scala:54)

at scala.collection.TraversableLike$class.map(TraversableLike.scala:234)

at scala.collection.AbstractTraversable.map(Traversable.scala:104)

at reactivemongo.core.nodeset.NodeSet.updateByChannelId(nodeset.scala:111)

at reactivemongo.core.nodeset.NodeSet.updateConnectionByChannelId(nodeset.scala:109)

at reactivemongo.core.actors.MongoDBSystem$class.whenAuthenticating(actors.scala:767)

at reactivemongo.core.actors.StandardDBSystem.whenAuthenticating(actors.scala:934)

at reactivemongo.core.actors.MongoScramSha1Authentication$$anonfun$2$$anonfun$applyOrElse$6.apply(authentication.scala:104)

at reactivemongo.core.actors.MongoScramSha1Authentication$$anonfun$2$$anonfun$applyOrElse$6.apply(authentication.scala:101)

at scala.util.Either.fold(Either.scala:99)

at reactivemongo.core.actors.MongoScramSha1Authentication$$anonfun$2.applyOrElse(authentication.scala:93)

at scala.PartialFunction$OrElse.applyOrElse(PartialFunction.scala:170)

at scala.PartialFunction$OrElse.applyOrElse(PartialFunction.scala:171)

at akka.actor.Actor$class.aroundReceive(Actor.scala:484)

at reactivemongo.core.actors.StandardDBSystem.aroundReceive(actors.scala:934)

at akka.actor.ActorCell.receiveMessage(ActorCell.scala:526)

at akka.actor.ActorCell.invoke(ActorCell.scala:495)

at akka.dispatch.Mailbox.processMailbox(Mailbox.scala:257)

at akka.dispatch.Mailbox.run(Mailbox.scala:224)

at akka.dispatch.Mailbox.exec(Mailbox.scala:234)

at scala.concurrent.forkjoin.ForkJoinTask.doExec(ForkJoinTask.java:260)

at scala.concurrent.forkjoin.ForkJoinPool$WorkQueue.runTask(ForkJoinPool.java:1339)

at scala.concurrent.forkjoin.ForkJoinPool.runWorker(ForkJoinPool.java:1979)

at scala.concurrent.forkjoin.ForkJoinWorkerThread.run(ForkJoinWorkerThread.java:107)

13:15:23.302 [reactivemongo-akka.actor.default-dispatcher-3] DEBUG reactivemongo.core.actors.MongoDBSystem - AUTH: got challenge for channel -1745266098: ScramSha1Challenge(1)

13:15:23.303 [reactivemongo-akka.actor.default-dispatcher-3] ERROR reactivemongo.core.actors.MongoDBSystem - [Supervisor-1/Connection-2] Authentication failure

reactivemongo.core.commands.DefaultCommandError: BSONCommandError['invalid SCRAM-SHA1 random prefix']

at reactivemongo.core.commands.CommandError$.apply(commands.scala:149)

at reactivemongo.core.commands.ScramSha1StartNegociation$$anonfun$2.apply(authentication.scala:150)

at reactivemongo.core.commands.ScramSha1StartNegociation$$anonfun$2.apply(authentication.scala:150)

at scala.Option.toRight(Option.scala:312)

at reactivemongo.core.commands.ScramSha1StartNegociation.<init>(authentication.scala:150)

at reactivemongo.core.actors.MongoScramSha1Authentication$$anonfun$2$$anonfun$applyOrElse$6$$anonfun$apply$12.apply(authentication.scala:107)

at reactivemongo.core.actors.MongoScramSha1Authentication$$anonfun$2$$anonfun$applyOrElse$6$$anonfun$apply$12.apply(authentication.scala:104)

at reactivemongo.core.actors.MongoDBSystem$$anonfun$whenAuthenticating$1$$anonfun$apply$22.apply(actors.scala:769)

at reactivemongo.core.actors.MongoDBSystem$$anonfun$whenAuthenticating$1$$anonfun$apply$22.apply(actors.scala:768)

at scala.Option.fold(Option.scala:158)

at reactivemongo.core.actors.MongoDBSystem$$anonfun$whenAuthenticating$1.apply(actors.scala:768)

at reactivemongo.core.actors.MongoDBSystem$$anonfun$whenAuthenticating$1.apply(actors.scala:767)

at reactivemongo.core.nodeset.NodeSet$$anonfun$10$$anonfun$1.applyOrElse(nodeset.scala:113)

at reactivemongo.core.nodeset.NodeSet$$anonfun$10$$anonfun$1.applyOrElse(nodeset.scala:112)

at scala.runtime.AbstractPartialFunction.apply(AbstractPartialFunction.scala:36)

at reactivemongo.core.nodeset.utils.package$.update(nodeset.scala:58)

at reactivemongo.core.nodeset.NodeSet$$anonfun$10.apply(nodeset.scala:112)

at reactivemongo.core.nodeset.NodeSet$$anonfun$10.apply(nodeset.scala:111)

at scala.collection.TraversableLike$$anonfun$map$1.apply(TraversableLike.scala:234)

at scala.collection.TraversableLike$$anonfun$map$1.apply(TraversableLike.scala:234)

at scala.collection.Iterator$class.foreach(Iterator.scala:893)

at scala.collection.AbstractIterator.foreach(Iterator.scala:1336)

at scala.collection.IterableLike$class.foreach(IterableLike.scala:72)

at scala.collection.AbstractIterable.foreach(Iterable.scala:54)

at scala.collection.TraversableLike$class.map(TraversableLike.scala:234)

at scala.collection.AbstractTraversable.map(Traversable.scala:104)

at reactivemongo.core.nodeset.NodeSet.updateByChannelId(nodeset.scala:111)

at reactivemongo.core.nodeset.NodeSet.updateConnectionByChannelId(nodeset.scala:109)

at reactivemongo.core.actors.MongoDBSystem$class.whenAuthenticating(actors.scala:767)

at reactivemongo.core.actors.StandardDBSystem.whenAuthenticating(actors.scala:934)

at reactivemongo.core.actors.MongoScramSha1Authentication$$anonfun$2$$anonfun$applyOrElse$6.apply(authentication.scala:104)

at reactivemongo.core.actors.MongoScramSha1Authentication$$anonfun$2$$anonfun$applyOrElse$6.apply(authentication.scala:101)

at scala.util.Either.fold(Either.scala:99)

at reactivemongo.core.actors.MongoScramSha1Authentication$$anonfun$2.applyOrElse(authentication.scala:93)

at scala.PartialFunction$OrElse.applyOrElse(PartialFunction.scala:170)

at scala.PartialFunction$OrElse.applyOrElse(PartialFunction.scala:171)

at akka.actor.Actor$class.aroundReceive(Actor.scala:484)

at reactivemongo.core.actors.StandardDBSystem.aroundReceive(actors.scala:934)

at akka.actor.ActorCell.receiveMessage(ActorCell.scala:526)

at akka.actor.ActorCell.invoke(ActorCell.scala:495)

at akka.dispatch.Mailbox.processMailbox(Mailbox.scala:257)

at akka.dispatch.Mailbox.run(Mailbox.scala:224)

at akka.dispatch.Mailbox.exec(Mailbox.scala:234)

at scala.concurrent.forkjoin.ForkJoinTask.doExec(ForkJoinTask.java:260)

at scala.concurrent.forkjoin.ForkJoinPool$WorkQueue.runTask(ForkJoinPool.java:1339)

at scala.concurrent.forkjoin.ForkJoinPool.runWorker(ForkJoinPool.java:1979)

at scala.concurrent.forkjoin.ForkJoinWorkerThread.run(ForkJoinWorkerThread.java:107)

And it goes on and on till I kill the process.

My connection code is 

def dbFromConnection(connection: MongoConnection): Future[BSONCollection] = {

    // define database and collection vals

    connection.database(database).map(_.collection(collection))

  }

  def connect = {

    // define all the vals used in url

    val driver = new MongoDriver

    val url: String = s"mongodb://$user:$password@$server/$database?authMode=scram-sha1&rm.tcpNoDelay=true"

    Future.fromTry(MongoConnection.parseURI(url)).map(driver.connection)

  }

And I use the connection like this

val future = connect

            .flatMap(dbFromConnection)

            .flatMap(/* use the collection */)

Hope this can help!

Best regards!

[Cédric Chantepie]

Hi, first need to make sure the DB is using SCRAM-SHA1 (legacy DB migrated from 2.6 to 3.x is let with MONGOCR).

[Rafael Avila Martínez]

justo to close this

The solution in my case was to use 0.11.0 version of reactive mongo.

Specifying authMode=scram-sha1 in mongo URI

[Cédric Chantepie]

0.12.0 is using SCRAM SHA1 by default

[Lanny Ripple]

Been fighting this myself.  I'm using ReactiveMongo 0.12.0 from Scala Play 2.5.5 against Mongolabs running a Mongo 2.6.9 instance.  I'm also using compile-time DI.  As near as I'm able to tell for the Play plugin the only thing supported is SCRAM-SHA1.  It's the default on MongoConnectionOptions() and the only configuration option supported is `mongodb.options.authMode = "scram-sha1"`.

If I'm missing something hopefully someone will comment.  At the moment it's back to 0.11.14.

  -ljr

[Cédric Chantepie]

ReactiveMongo 0.12 supports both SCRAMSHA1 and MONGOCR, but is defaulted to SCRAMSHA1 (contrary to 0.11.x) which is not supported by MongoDB 2.6.x, so you have to set the CR mode in the connection options as indicated in the documentation.

[Rafael Avila Martínez]

I did a lot of debugging of my project and found that other dependency was using apache common codecs lib but in an older version that v0.10 so I just excluded that version of apache common codecs (used for the auth negotiation) and then everything worked as expected. 

My mlab version is mongod version: 3.2.9 (MMAPv1)

and I am using reactivemongo with akka-http so I have no experience with play.

Maybe you can explore all the dependencies in order to check the apache commons codec lib version.

[Cédric Chantepie]

If there is a dependency conflict in the project using ReactiveMongo, there is nothing that can be done on the driver side (it's not planned to shade commons-codec for now).

[Lanny Ripple]

Please forgive me if I'm being dense here.  Wouldn't be the first time.

I examined the documentation originally which is why I didn't think this would be a problem.  When I try to use ReactiveMongo *from Play* it isn't working for me.  Code diving in Play-ReactiveMongo, src/main/scala/play/modules/reactivemongo/DefaultReactiveMongoApi.scala I find

185     configuration.getString("mongodb.options.authMode").foreach {

186       case "scram-sha1" =>

187         opts = opts.copy(authMode = ScramSha1Authentication)

188

189       case _ => ()

190     }

So the default is ScramSha1 and Play-ReactiveMongo seems to let you override that to set... ScramSha1Authentication but does not (seem to) allow for setting CrAuthentication.  Rolling an equivalent of DefaultReactiveMongo didn't seem straightforward.

Not sure if this is a bug or if I'm overlooking something.

[Cédric Chantepie]

It's from the parseLegacy code which is only used for deprecated (and no longer documented) legacy documentation, keeping the legacy behaviour.

As long as a valid config with connection URI is used, this is never used.

[Lanny Ripple]

Tricksy.  Thank you!