HostUnreachable: short read (ssl w/ CAFile)

sallgeud

Nov 25, 2016, 6:09:54 PM
to mongodb-user
If we set the CAFile setting when utilizing SSL, we get the error seen in the subject:

2016-11-25T16:57:16.784-0600 I ASIO     [NetworkInterfaceASIO-Replication-0] Connecting to server001.domain.us:27017
016-11-25T16:57:16.810-0600 I ASIO     [NetworkInterfaceASIO-Replication-0] Failed to connect to server001.domain.us:27017 - HostUnreachable: short read
2016-11-25T16:57:16.811-0600 I REPL     [ReplicationExecutor] Error in heartbeat request to server001.domain.us:27017; HostUnreachable: short read
2016-11-25T16:57:16.811-0600 I ASIO     [NetworkInterfaceASIO-Replication-0] Connecting to server001.domain.us:27017
2016-11-25T16:57:16.834-0600 I ASIO     [NetworkInterfaceASIO-Replication-0] Failed to connect to server001.domain.us:27017 - HostUnreachable: short read
2016-11-25T16:57:16.835-0600 I ASIO     [NetworkInterfaceASIO-Replication-0] failed to close stream: Transport endpoint is not connected
2016-11-25T16:57:16.835-0600 I REPL     [ReplicationExecutor] Error in heartbeat request to server001.domain.us:27017; HostUnreachable: short read
2016-11-25T16:57:16.835-0600 I ASIO     [NetworkInterfaceASIO-Replication-0] Connecting to server001.domain.us:27017
2016-11-25T16:57:16.859-0600 I ASIO     [NetworkInterfaceASIO-Replication-0] Failed to connect to server001.domain.us:27017 - HostUnreachable: short read
2016-11-25T16:57:16.859-0600 I REPL     [ReplicationExecutor] Error in heartbeat request to server001.domain.us:27017; HostUnreachable: short read
2016-11-25T16:57:16.859-0600 I ASIO     [NetworkInterfaceASIO-Replication-0] failed to close stream: Transport endpoint is not connected
2016-11-25T16:57:17.147-0600 E NETWORK  [conn62] SSL peer certificate validation failed: unsupported certificate purpose
2016-11-25T16:57:17.170-0600 E NETWORK  [conn63] SSL peer certificate validation failed: unsupported certificate purpose
2016-11-25T16:57:17.193-0600 E NETWORK  [conn64] SSL peer certificate validation failed: unsupported certificate purpose


Simply removing the CAFile fixed the issue. The ca.pem file we attached is the public key (only) version from our CA, which we run.

Andreas Nilsson

Nov 30, 2016, 4:07:25 PM
to mongodb-user
Hi,

The error you are getting happens when the certificate usage restrictions don't match up with how you are using the certificate.

I don't believe the CA file is the problem, but the actual client or server certificate. Removing the CA file simply means that peer certificates will not get validated and hence the error disappears.

Can you check the usage restrictions on the certificates by running:
openssl x509 -in certificate.pem -text

You should see a section 'X509v3 extensions:'.

Regards,
Andreas
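An added example, not from this thread or from MongoDB, that automates the check Andreas describes: it parses the text that `openssl x509 -in certificate.pem -text` prints and reports whether the Extended Key Usage extension permits the certificate to be used as a TLS server and as a TLS client. The assumption behind the two-role check is that a replica set member needs both: it accepts connections from its peers and, as the `NetworkInterfaceASIO-Replication` lines in the log show, also dials them for heartbeats, so a certificate restricted to one purpose fails with "unsupported certificate purpose" in the other role. The embedded sample output is constructed, not taken from a real certificate.

```python
import re
import subprocess
import sys

SERVER_EKU = "TLS Web Server Authentication"  # extendedKeyUsage = serverAuth
CLIENT_EKU = "TLS Web Client Authentication"  # extendedKeyUsage = clientAuth

# Constructed sample (not a real certificate) of the extension section that
# `openssl x509 -text` prints: a certificate issued for client use only.
SAMPLE = """\
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Client Authentication
    Signature Algorithm: sha256WithRSAEncryption
"""


def parse_extensions(text):
    """Map each 'X509v3 <name>:' header in the extensions block to its first value line."""
    exts, lines, in_ext = {}, text.splitlines(), False
    for i, line in enumerate(lines):
        if line.strip() == "X509v3 extensions:":
            in_ext = True
        elif in_ext and re.match(r"\s+Signature Algorithm:", line):
            break  # the outer signature field ends the extension block
        elif in_ext:
            m = re.match(r"\s+X509v3 ([\w ]+?):\s*(critical)?\s*$", line)
            if m and i + 1 < len(lines):
                exts[m.group(1)] = lines[i + 1].strip()
    return exts


def check_purposes(text):
    """Return (usable_as_server, usable_as_client, problems) for one certificate."""
    problems = []
    eku = parse_extensions(text).get("Extended Key Usage")
    if eku is None:
        return True, True, problems  # no EKU extension: any purpose is allowed
    server, client = SERVER_EKU in eku, CLIENT_EKU in eku
    if not server:
        problems.append("EKU lacks serverAuth: peers connecting to this node reject its cert")
    if not client:
        problems.append("EKU lacks clientAuth: this node's cert is rejected when it dials peers")
    return server, client, problems

if __name__ == "__main__":  # python check_cert_purpose.py certificate.pem
    out = subprocess.check_output(["openssl", "x509", "-in", sys.argv[1], "-text", "-noout"], text=True)
    print(check_purposes(out))
```

Run it against each member's PEMKeyFile certificate; the CA file itself is not what OpenSSL is complaining about here.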