
SSL routines:tls_process_server_certificate:certificate verify failed when trying to connect to MongoDB Atlas

Open quatrix opened this issue 4 years ago • 13 comments

(This might happen when just using tls, but specifically for me it happens when connecting to MongoDB Atlas)

client = Mongoc.Client("mongodb+srv://username:[email protected]/db")
Mongoc.ping(client)

results in

ERROR: BSONError: domain=15, code=13053, message=No suitable servers found (`serverSelectionTryOnce` set): [TLS handshake failed: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed calling ismaster on 'example-shard-00-00.xgnce.mongodb.net:27017'] [TLS handshake failed: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed calling ismaster on 'example-shard-00-01.xgnce.mongodb.net:27017'] [TLS handshake failed: error:1416F086:SSL routines:tls_process_server_certificate

After some debugging, it seems like the OpenSSL artifact that Mongoc uses doesn't come with certificates. Specifying the certificate dir via an env variable seems to solve the issue:

export SSL_CERT_DIR=/etc/ssl/certs/

but it's kind of not intuitive.

I guess it should either use the system certificates by default, or at least raise some error when it can't find any.

quatrix avatar Jun 23 '20 10:06 quatrix

@quatrix thanks for reporting! Can you check if the same error happens on version 0.4.2 of this package?

felipenoris avatar Jun 23 '20 15:06 felipenoris

@felipenoris thanks for the quick reply!

yes, same error with 0.4.2

(@v1.4) pkg> status
Status `~/.julia/environments/v1.4/Project.toml`
  [4fe8b98c] Mongoc v0.4.2
  [458c3c95] OpenSSL_jll v1.1.1+3

quatrix avatar Jun 24 '20 06:06 quatrix

I can confirm that this is a problem for us as well.

extradosages avatar Jul 10 '20 19:07 extradosages

Heads-up, the fix of manually setting SSL_CERT_DIR=/etc/ssl/certs/ seems to be getting in the way of some of Julia's package-repository API (i.e. Pkg). Needing to use Mongoc to connect to Atlas and also needing to add certain updated packages has thus become untenable. There might be a second-order fix, but I don't really know anything about SSL so I can't help out there.

extradosages avatar Sep 03 '20 16:09 extradosages

I found you can configure this in the connection string with the tlsCAFile option, e.g.,

Mongoc.Client("<base_url>?tlsCAFile=/etc/ssl/certs/ca-certificates.crt")

SSL_CERT_FILE environment variable also works, but I'm not sure if that interferes with the Julia package manager same as SSL_CERT_DIR.

ancapdev avatar Aug 16 '21 13:08 ancapdev

This worked perfectly for me. Thanks @ancapdev for posting.

For example on a Mac setup with julia...

$ brew install openssl
$ ls /usr/local/etc/openssl/cert.pem
$ julia
] add Mongoc
julia> using Mongoc
julia> suffix = "&tlsCAFile=/usr/local/etc/openssl/cert.pem" # or use "?tlsCAFile=" if you don't have any other params already
julia> mongo_uri = "mongodb://myDBReader:D1fficultP%[email protected]:27017/?authSource=admin"
julia> client = Mongoc.Client(mongo_uri*suffix)
julia> collect(Mongoc.find_databases(client))

Additional references:

  • https://stackoverflow.com/questions/24675167/ca-certificates-mac-os-x
  • https://pymongo.readthedocs.io/en/3.5.1/examples/tls.html

Also solves the similar ticket:

  • https://github.com/felipenoris/Mongoc.jl/issues/56

peteristhegreat avatar Oct 19 '21 17:10 peteristhegreat

I also had a similar issue while trying to connect to Azure Cosmos DB on macOS Monterey, with Mongoc v0.8.0:

ERROR: BSONError: domain=15, code=13053, message=No suitable servers found (`serverSelectionTryOnce` set): [TLS handshake failed: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed calling hello on '<db>.mongo.cosmos.azure.com:10255']

The CA cert file on Monterey seems to have moved over to /etc/ssl/cert.pem, so you need to use export SSL_CERT_FILE=/etc/ssl/cert.pem on Monterey in order to get it to work.

ResRipper avatar Aug 10 '22 03:08 ResRipper

Still the same problem using WSL2. The workarounds don't work. The following is from Mongoc.ping(client), also when adding it to the end of the URI:

2023/05/04 11:48:30.0792: [64689]:  WARNING:       mongoc: Unsupported URI option "tlsCAFile"
2023/05/04 11:48:30.0839: [64689]:  WARNING:       mongoc: Cannot override URI option "authSource" from TXT record "authSource=admin"
ERROR: BSONError: domain=15, code=13053, message=No suitable servers found (`serverSelectionTryOnce` set): [TLS handshake failed: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed calling ismaster on 'ac-kvpxb02-shard-00-02.bpkvi0i.mongodb.net:27017'] [TLS handshake failed: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed calling ismaster on 'ac-kvpxb02-shard-00-01.bpkvi0i.mongodb.net:27017'] [TLS handshake failed: error:1416F086:SSL routines:tls_process_server_certificate:cer

edyu avatar May 04 '23 20:05 edyu

Ok. I do need to export the environment variable instead of passing via the URI.

edyu avatar May 04 '23 20:05 edyu

I found you can configure this in the connection string with the tlsCAFile option, e.g.,

Mongoc.Client("<base_url>?tlsCAFile=/etc/ssl/certs/ca-certificates.crt")

SSL_CERT_FILE environment variable also works, but I'm not sure if that interferes with the Julia package manager same as SSL_CERT_DIR.

I found that I cannot pass it via URI but can do so via environment variable as of 0.9.0

edyu avatar May 04 '23 20:05 edyu

For folks running into this issue, I was able to address this within Julia by adding

ENV["SSL_CERT_DIR"] = "/etc/ssl/certs/"

to my code. Alternatively, setting the environment variable as normal works:

SSL_CERT_DIR=/etc/ssl/certs/ julia

cpfiffer avatar Aug 28 '23 19:08 cpfiffer
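As an added example (not code from this thread or from Mongoc.jl itself), a small Julia helper that applies the environment-variable approach described above: it searches the CA bundle paths mentioned in this thread, exports the first one found before the client is created, and raises a descriptive error when none exists instead of the bare handshake failure. The candidate list, the extra RHEL/Fedora path, and the assumption that OpenSSL picks up SSL_CERT_FILE at the time Mongoc.Client builds its TLS context are mine, not the project's.

```julia
# Added example: locate a system CA bundle, hand it to OpenSSL via SSL_CERT_FILE,
# and fail with a clear message when no bundle is available.
using Mongoc

# Bundle locations reported in this thread (Debian/Ubuntu, Homebrew OpenSSL,
# macOS Monterey) plus the RHEL/Fedora path; the order is an assumption.
const CA_BUNDLE_CANDIDATES = [
    "/etc/ssl/certs/ca-certificates.crt",
    "/etc/pki/tls/certs/ca-bundle.crt",     # not from the thread; RHEL/Fedora default
    "/usr/local/etc/openssl/cert.pem",
    "/etc/ssl/cert.pem",
]

# Return the first readable CA bundle, honouring an explicit SSL_CERT_FILE override.
function find_ca_bundle(candidates::AbstractVector{<:AbstractString} = CA_BUNDLE_CANDIDATES)
    explicit = get(ENV, "SSL_CERT_FILE", "")
    if !isempty(explicit)
        isfile(explicit) || error("SSL_CERT_FILE=$(explicit) is set but does not exist")
        return explicit
    end
    for path in candidates
        isfile(path) && return path
    end
    error("no CA bundle found; tried: " * join(candidates, ", ") *
          ". Set SSL_CERT_FILE to your system CA bundle before creating the client.")
end

# Build a client that verifies the server against the located bundle.
# Assumption: the variable must be exported before Mongoc.Client is called,
# because OpenSSL reads it when the TLS context is initialised.
function tls_client(uri::AbstractString)
    ENV["SSL_CERT_FILE"] = find_ca_bundle()
    client = Mongoc.Client(uri)
    Mongoc.ping(client)   # triggers the handshake now, so a bad bundle surfaces here
    return client
end

# Usage with a constructed placeholder host; credentials are read from the
# environment (MONGO_USER / MONGO_PASS) rather than written into the source.
# client = tls_client("mongodb+srv://$(ENV["MONGO_USER"]):$(ENV["MONGO_PASS"])@cluster0.example.mongodb.net/db")
```

Because this sets SSL_CERT_FILE rather than SSL_CERT_DIR, it follows the variant @ancapdev suggested; whether it still interferes with Pkg, as reported above for SSL_CERT_DIR, is not something this thread settles.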

Anything worth mentioning in the docs about this issue?

felipenoris avatar Aug 28 '23 22:08 felipenoris

Maybe -- I'm not sure exactly what I'd say there since I don't quite understand the problem here. What certificates are used if not the ones in /etc/ssl/certs?

cpfiffer avatar Aug 31 '23 17:08 cpfiffer