I am using Nginx as a reverse proxy server for MongoDB (deployed in docker) using TCP Streams. Using Nginx also helps me to easily configure SSL certificates obtained from Let's encrypt. Everything is working fine but suddenly I started seeing certificate validation issues across multiple apps when nothing is changed. All my python apps failed by throwing CERTIFICATE_VERIFY_FAILED errors. I can't even connect to the database using the Mongo compass tool via SSL at the same time. MongoDB compass showing as certificate expired. But, I am sure that the certificate is still not expired. I am using the requests 2.3.0 library in python and when I upgrade the requests library the python apps are working but still, the Mongo compass is not connecting. Note that my python apps get/post data to other APIs which are again behind Nginx using SSL certificate issued by Let's encrypt. In python the error occurred whenever it tries to validate the SSL either for db connection or for interesting with other API.
Has any one faced this issue? Can you give any suggestions on the root causes for these errors?
Related
I am creating a Linked Service to connect to BigQuery with Service Account authentication and p12 file has already been placed in IR VM directory.
Receiving following error:
ERROR [HY000] [Microsoft][DriverSupport] (1160) Cannot enable SSL for the connection when connecting to a server that has not enabled SSL. If the server has SSL enabled, please check if it has been configured to use a SSL protocol version that is lower than what is allowed for the connection. The minimum SSL protocol version allowed for the connection is: TLS 1.2.
But when i place p12 file in another IR VM, linked service is working correctly.
Tried to check TLS version in both VM's and everything looks same.
Please suggest ways to check SSL and TLS version in VM's and how to resolve this issue.
Based on the error message it seems the issue might be w.r.t SSL certificate so 1st step would be to compare the SSL/TLS across both the servers
In case if they are same, would suggest to monitor the traffic across both the server when trying to access GCP Big Query.
You might get the exact cause of failure which can be like :
Firewall blockage
some missing set up like Big query need Google_base set up as a signature
etc.
You could create a PowerShell script that checks the TLS & SSL registry entries mentioned in the following documentation:
https://learn.microsoft.com/en-us/windows-server/security/tls/tls-registry-settings
Even if after enabling TLS/SSL settings the same issue arises then please try re-installing IR in the VM
For the past few days, we've been getting errors during a daily pipeline run. The errors are similar to this:
Message:Failure happened on 'Source' side.
ErrorCode=UserErrorFailedToConnectOdbcSource,'
Type=Microsoft.DataTransfer.Common.Shared.HybridDeliveryException,
Message= Error from MongoDB Client: No suitable servers found
(serverSelectionTryOnce set): TLS handshake failed:
error:1416F086:SSL routines:tls_process_server_certificate:
certificate verify failed calling ismaster on
'.mongodb.net:27017'
I am able to connect to the Mongo database using Mongo CLI. I used Wireshark to confirm the SSL handshake is working fine. It shows that the Mongo cert is issued by ‘Let’s Encrypt' (https://letsencrypt.org/). The ‘Let’s Encrypt’ cert is included in the list of certs and it issued by ‘DST Root CA X3’, which is in the trusted root certs on my computer. Interestingly enough, the Mongo cert was just renewed a few days ago.
Just for fun (see '...verify calling ismaster...' in the message above), in the pipeline configuration, I updated the datasource dataset to ‘Allow Self-Signed Server Cert’ and the connection started working.
I’ll set that flag and allow the pipeline to run a few days to see if it fixes it. But I have no explanation for why this would work other than Azure has a weird way of implementing SSL.
Is there a way to see the list of trusted certs on the Azure server? Is there a way to capture the packets of the SSL handshake on the Azure side?
Microsoft suggested I upgrade the MongoDB Collection dataset type to MongoDB Collection V2. The pipeline I was working with had been developed a while back. The V2 version does not have 'Allow Self-Signed Server Cert'. This turned out to work for me though.
I want to use my postgresql db from digital ocean in my webpage. Before i create this db, i have a free one for test and is working fine, but this new its not working.
I can connect from pgadmin to the db without problem.
My web project is a net core 2.1.
My connection strings
(1) From my test db (working):
optionsBuilder.UseNpgsql( "Server=my-server;Port=5432;Database=mydb; User Id=myuser;Password=mypsw;");
(2) From digital ocean db (not working):
optionsBuilder.UseNpgsql("Server=myserver;Port=25060;Database=defaultdb; User Id=doadmin;Password=mypsw;SslMode=Require");
If i use the (1) connection it works perfect, but when i change to (2) connection throw me the error message.
This is the error message:
“The remote certificate is invalid according to the validation procedure.”
My web its certificated with Let’s Encrypt, certbot.
Tell me if you need more info.
I found the solution, my problem was the ssl certificate, letsencrypt its a self-signed certificate and with sslmode=require, the connection fail.
So you have to add this parameter Trust Server Certificate=true.
optionsBuilder.UseNpgsql("Server=myserver;Port=25060;Database=defaultdb; User Id=doadmin;Password=mypsw;SslMode=Require;Trust Server Certificate=true");
Source: https://www.npgsql.org/doc/security.html#encryption-ssltls
I am using chrome.sockets.tcp API to create a secure connection. No errors are being encountered when connecting using a trusted certificate.
However, I'm facing error -202 (CERT_AUTHORITY_INVALID) (among other possible [certificate errors][2]) when trying to connect to a server with a self-signed/untrusted certificate.
Is it possible to warn the user about the invalid certificate and provide the option to continue with the connection? (similar to the way Chrome handles such situations)
Seeing nothing on the topic in the docs (and SocketsTcpSecureFunction::AsyncWorkStart(), the source code of chrome.sockets.tcp.secure, only verifies the certificate but doesn't try to handle the errors, it would only report them back) I'd conclude there's no way to interactively handle this predicament.
Maybe you can import the certificate on the client machine but it won't help other users of the site unless they're willing to do the same.
I'm facing a funny issue here.
I got a C# Webforms application running on IIS6. When the user clicks on a certain link, my app makes a REST call to a webservice hosted in the cloud. This call, made by the app running on IIS, fails. We get a WebException, with the message "no response from server".
However, if I try to connect to the same web service, from the same machine, with the same credentials, using SoapUI, the call succeeds. So I guess this means that I can rule out firewall issues, credential issues, and availability of the service.
The code has been tested on numerous other machines (dev, test, staging...), and it worked successfully, so the code itself should not be an issue. I think it's an environmental issue (a setting on web.config or machine.config which prevents outgoing requests).
Any idea as to what that could be?
Thanks!
The reason our REST calls were failing was that we were missing an SSL certificate.
We were trying to make the REST call using HTTPS. The REST service provider's SSL certificate was signed by a well-known CA. However, our server apparently had a hardened build, and the CA's certificate was missing from the certificate repository. Hence, the provider's SSL certificate was considered unsafe.
Sadly, the .Net framework exception had no useful information about this.
We installed the CA's certificate and the issue was fixed.