SSL peer certificate validation failed: self signed certificate


Ranjeet singh

May 10, 2017, 1:17:31 PM
to mongodb-user
Hello All,

I am trying to enable TLS/SSL encryption across the replica set nodes, but the mongo client fails to connect and gives the following errors ...

C:\Program Files\MongoDB\Server\3.4\bin> mongo.exe --ssl --host XXXXXX --sslPEMKeyFile "E:\Data\Replica\mongodb-client\mongodb.pem"  --sslCAFile "E:\Data\Replica\mongodb-ca\ca.pem"
MongoDB shell version v3.4.2
connecting to: mongodb://XXXXXXX:27017/
2017-05-10T11:52:14.369-0400 E NETWORK  [thread1] SSL peer certificate validation failed: self signed certificate
2017-05-10T11:52:14.369-0400 E QUERY    [thread1] Error: socket exception [CONNECT_ERROR] for SSL peer certificate validation failed: self signed certificate :
connect@src/mongo/shell/mongo.js:237:13
@(connect):1:6
exception: connect failed

I have followed the steps below to create the PEM files and certificate keys ...

# CA
openssl genrsa -out "E:\Data\Replica\mongodb-ca\ca.key" 2048
openssl req -x509 -new -key "E:\Data\Replica\mongodb-ca\ca.key" -days 10000 -out "E:\Data\Replica\mongodb-ca\ca.crt"


copy /b ca.key+ca.crt  ca.pem



# Server
openssl genrsa -out "E:\Data\Replica\mongodb-server\mongodb.key" 2048
openssl req -new -key "E:\Data\Replica\mongodb-server\mongodb.key" -out "E:\Data\Replica\mongodb-server\mongodb.csr"
openssl x509 -req -in "E:\Data\Replica\mongodb-server\mongodb.csr" -CA "E:\Data\Replica\mongodb-ca\ca.crt" -CAkey "E:\Data\Replica\mongodb-ca\ca.key" -CAcreateserial -out "E:\Data\Replica\mongodb-server\mongodb.crt" -days 365

copy /b mongodb.key+mongodb.crt  mongodb.pem



# Client
openssl genrsa -out "E:\Data\Replica\mongodb-client\mongodb.key" 2048
openssl req -new -key "E:\Data\Replica\mongodb-client\mongodb.key" -out "E:\Data\Replica\mongodb-client\mongodb.csr"
openssl x509 -req -in "E:\Data\Replica\mongodb-client\mongodb.csr" -CA "E:\Data\Replica\mongodb-ca\ca.crt" -CAkey "E:\Data\Replica\mongodb-ca\ca.key" -CAcreateserial -out "E:\Data\Replica\mongodb-client\mongodb.crt" -days 365


copy /b mongodb.key+mongodb.crt  mongodb.pem

After that, start mongod ...

C:\Program Files\MongoDB\Server\3.4\bin>mongod.exe --config "E:\Data\config\mongod.cfg" --sslMode requireSSL --sslPEMKeyFile "E:\Data\Replica\mongodb-server\mongodb.pem"  --sslCAFile "E:\Data\Replica\mongodb-ca\ca.pem"

When the mongo client is started, it is not able to connect and throws the following errors ...

C:\Program Files\MongoDB\Server\3.4\bin>mongo.exe --ssl --host XXXXXXXXXXX --sslPEMKeyFile "E:\Data\Replica\mongodb-client\mongodb.pem"
MongoDB shell version v3.4.2
connecting to: mongodb://XXXXXXXX:27017/
2017-05-10T13:06:08.657-0400 E NETWORK  [thread1] SSL peer certificate validation failed: self signed certificate
2017-05-10T13:06:08.658-0400 E QUERY    [thread1] Error: socket exception [CONNECT_ERROR] for SSL peer certificate validation failed: self signed certificate :
connect@src/mongo/shell/mongo.js:237:13
@(connect):1:6
exception: connect failed

Logfiles ==>

2017-05-10T11:51:30.907-0400 E NETWORK  [conn2] SSL peer certificate validation failed: self signed certificate
2017-05-10T11:51:30.907-0400 I -        [conn2] end connection XXXXXXX:51894 (1 connection now open)
2017-05-10T11:52:14.362-0400 I NETWORK  [thread1] connection accepted from XXXXXXXX:51936 #3 (1 connection now open)
2017-05-10T11:52:14.369-0400 I -        [conn3] end connection XXXXXXX:51936 (1 connection now open)
2017-05-10T11:52:29.749-0400 I NETWORK  [thread1] connection accepted from XXXXXX:51937 #4 (1 connection now open)
2017-05-10T11:52:29.755-0400 I NETWORK  [conn4] received client metadata from XXXXXXX:51937 conn4: { application: { name: "MongoDB Shell" }, driver: { name: "MongoDB Internal Client", version: "3.4.2" }, os: { type: "Windows", name: "Microsoft Windows Server 2012", architecture: "x86_64", version: "6.2 (build 9200)" } }
2017-05-10T13:05:52.892-0400 I -        [conn4] end connectionXXXXXXXX:51937 (1 connection now open)
2017-05-10T13:06:08.652-0400 I NETWORK  [thread1] connection accepted from XXXXXXX:58950 #5 (1 connection now open)
2017-05-10T13:06:08.658-0400 I -        [conn5] end connection XXXXXXXX:58950 (1 connection now open)

Could you please let me know if I am missing anything? I would appreciate an update from anyone who has come across the same issue.
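The following script is an added example and is not part of the original post or of MongoDB's own tooling. It rebuilds the CA -> server certificate chain from the steps above with openssl (non-interactively, with constructed subject names and a temporary working directory, all of which are assumptions for this demo) and then checks the chain the way a TLS client does: once with the CA certificate supplied as a trust anchor, which is what --sslCAFile provides, and once with no trust anchor at all. Note that the trust file given to clients here contains only ca.crt; the CA private key stays in the CA directory and is never concatenated into a file that gets distributed.

```shell
#!/bin/sh
# Added example (not from the thread): build a private CA and a server certificate
# with openssl, then verify the server certificate as a client would.
# All paths, subjects and lifetimes below are constructed for this demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"

make_chain() {
  # Private CA: key plus self-signed certificate. Only ca.crt is ever handed
  # to clients; ca.key never leaves this directory.
  openssl genrsa -out "$WORK/ca.key" 2048 2>/dev/null
  openssl req -x509 -new -key "$WORK/ca.key" -days 3650 \
      -subj "/CN=Demo Replica Set CA" -out "$WORK/ca.crt" 2>/dev/null

  # Server: key, CSR, certificate issued (signed) by the CA.
  openssl genrsa -out "$WORK/server.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/server.key" \
      -subj "/CN=mongo1.example.test" -out "$WORK/server.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/server.csr" \
      -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
      -days 365 -out "$WORK/server.crt" 2>/dev/null

  # What mongod is given via --sslPEMKeyFile: key and certificate in one PEM
  # (the same thing the post's "copy /b" produces).
  cat "$WORK/server.key" "$WORK/server.crt" > "$WORK/server.pem"
}

# Client-side validation WITH the CA certificate as trust anchor
# (the equivalent of passing --sslCAFile): succeeds (exit status 0).
verify_with_ca() {
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/server.crt" >/dev/null 2>&1
}

# Client-side validation with NO trust anchor at all (no --sslCAFile and no
# system store): the issuer cannot be found, so validation fails.
verify_without_ca() {
  openssl verify -no-CAfile -no-CApath "$WORK/server.crt" >/dev/null 2>&1
}

# Sanity check on the server PEM: the private key must belong to the
# certificate bundled with it, otherwise mongod's handshake fails differently.
key_matches_cert() {
  k=$(openssl rsa -in "$WORK/server.pem" -pubout 2>/dev/null)
  c=$(openssl x509 -in "$WORK/server.pem" -pubkey -noout 2>/dev/null)
  [ "$k" = "$c" ]
}

make_chain
if verify_with_ca; then
  echo "with CA file:    server.crt trusted"
else
  echo "with CA file:    validation FAILED (chain is broken)"
fi
if verify_without_ca; then
  echo "without CA file: unexpectedly trusted"
else
  echo "without CA file: rejected, as a client without --sslCAFile would do"
fi
key_matches_cert && echo "server.pem: key matches certificate"
```

Running the script prints one line per check; the second check failing is the expected outcome and is the same condition the mongo shell reports as a peer certificate validation failure when it is started without the CA file. The functions return plain exit codes so they can be reused in a deployment check before distributing the PEM files to the replica set members.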


Kevin Adistambha

May 17, 2017, 1:35:17 AM
to mongodb-user

Hi Ranjeet,

The “self signed certificate” error generally occurs when you connect using a client without specifying the CA certificate in the client (--sslCAFile if using the mongo shell).

However, in your post, you seem to attempt to connect using the mongo shell twice, once with the --sslCAFile parameter, and once without. Could you confirm that both attempts resulted in the “self signed certificate” error?

For more information and tutorials on using SSL with MongoDB, please see:

Best regards,
Kevin
