pymongo.errors.ServerSelectionTimeoutError: mflix-shard-00-00.fmraf.mongodb.net:27017: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1129),mflix-shard-00-02.fmraf.mongodb.net:27017: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1129),mflix-shard-00-01.fmraf.mongodb.net:27017: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1129), Timeout: 30s, Topology Description: <TopologyDescription id: 60b1c9b0c4a5874ea362693e, topology_type: ReplicaSetNoPrimary, servers: [<ServerDescription ('mflix-shard-00-00.fmraf.mongodb.net', 27017) server_type: Unknown, rtt: None, error=AutoReconnect('mflix-shard-00-00.fmraf.mongodb.net:27017: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1129)')>, <ServerDescription ('mflix-shard-00-01.fmraf.mongodb.net', 27017) server_type: Unknown, rtt: None, error=AutoReconnect('mflix-shard-00-01.fmraf.mongodb.net:27017: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1129)')>, <ServerDescription ('mflix-shard-00-02.fmraf.mongodb.net', 27017) server_type: Unknown, rtt: None, error=AutoReconnect('mflix-shard-00-02.fmraf.mongodb.net:27017: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1129)')>]>
This is the error it is producing.
I am using FastApi, Motor, and uvicorn to the run server. The database I use is a free cluster provided in Mongo Atlas. It was working fine the last time I updated the server that is 2 days ago, but from yesterday onwards the error is produced. I've tried to update the above mentioned packages as of now.
I am new to mongodb.
I have found a fix that works but I don't if its the best way.
client = motor.motor_asyncio.AsyncIOMotorClient(MONGO_DETAILS)
The above line is how I connected to my cluster. I changed the line to:
client = motor.motor_asyncio.AsyncIOMotorClient(MONGO_DETAILS, tls=True, tlsAllowInvalidCertificates=True)
It works as it did earlier there is no issue.
Anyway I would like to know why this error occurs!
Related
I am trying to deploy MongoDB BI-Connector (mongosqld) as a service to connect Power-BI to a MongoDB hosted in OVH cloud service. But when trying to launch the service and request a connection this error appeared :
[initandlisten] connection accepted from ..., but could not initialize: unable to connect to MongoDB: no servers available: server selection error: context deadline exceeded, current topology: { Type: Unknown, Servers: [{ Addr: node1-...database.cloud.ovh.net:..., Type: Unknown, Average RTT: 0, Last error: connection() error occured during connection handshake: SSL errors: 14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed }, ] }
I Started learning MongoDB atlas recently,and was trying to connect it with Jupyter notebook. im facing Server selection timeout error, and I’m unable to resolve it.
help me get rid of this. Im new to this arena,so,in need of basic explanation.
ServerSelectionTimeoutError:
cluster0-shard-00-02.gl4co.mongodb.net:27017: [SSL:
CERTIFICATE_VERIFY_FAILED] certificate verify failed: certificate has
expired (_ssl.c:1125),cluster0-shard-00-00.gl4co.mongodb.net:27017:
[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed:
certificate has expired
(_ssl.c:1125),cluster0-shard-00-01.gl4co.mongodb.net:27017: [SSL:
CERTIFICATE_VERIFY_FAILED] certificate verify failed: certificate has
expired (_ssl.c:1125), Timeout: 30s, Topology Description:
<TopologyDescription id: 621f7d6cb87ad4090bfca8ca, topology_type:
ReplicaSetNoPrimary, servers: [<ServerDescription
('cluster0-shard-00-00.gl4co.mongodb.net', 27017) server_type:
Unknown, rtt: None,
error=AutoReconnect('cluster0-shard-00-00.gl4co.mongodb.net:27017:
[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed:
certificate has expired (_ssl.c:1125)')>, <ServerDescription
('cluster0-shard-00-01.gl4co.mongodb.net', 27017) server_type:
Unknown, rtt: None,
error=AutoReconnect('cluster0-shard-00-01.gl4co.mongodb.net:27017:
[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed:
certificate has expired (_ssl.c:1125)')>, <ServerDescription
('cluster0-shard-00-02.gl4co.mongodb.net', 27017) server_type:
Unknown, rtt: None,
error=AutoReconnect('cluster0-shard-00-02.gl4co.mongodb.net:27017:
[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed:
certificate has expired (_ssl.c:1125)')>]>
I run MongoDB (version 4.4.1) this way:
mongod --dbpath /tmp/mongotest/1/db --logpath /tmp/mongotest/1/mongod.log --port 27017 --tlsMode requireTLS --tlsCertificateKeyFile /tmp/mongokeys/test-server1.pem --tlsCAFile /tmp/mongokeys/test-ca.pem --tlsAllowConnectionsWithoutCertificates
The test-server1.pem and test-ca.pem files have been generated following the example procedures (this and this) in official MongoDB documentation.
Now I try to connect using mongo shell (version 4.4.1) this way:
mongo --tls
It fails. This is the trace:
MongoDB shell version v4.4.1
connecting to: mongodb://127.0.0.1:27017/?compressors=disabled&gssapiServiceName=mongodb
{"t":{"$date":"2021-03-01T13:18:54.768Z"},"s":"E", "c":"NETWORK", "id":23256, "ctx":"js","msg":"SSL peer certificate validation failed","attr":{"error":"SSL peer certificate validation failed: self signed certificate in certificate chain"}}
Error: couldn't connect to server 127.0.0.1:27017, connection attempt failed: SSLHandshakeFailed: SSL peer certificate validation failed: self signed certificate in certificate chain :
connect#src/mongo/shell/mongo.js:374:17
#(connect):2:6
exception: connect failed
exiting with code 1
In addition, mongod log shows:
{"t":{"$date":"2021-03-01T14:19:40.397+01:00"},"s":"I", "c":"NETWORK", "id":22943, "ctx":"listener","msg":"Connection accepted","attr":{"remote":"127.0.0.1:38934","connectionId":15,"connectionCount":1}}
{"t":{"$date":"2021-03-01T14:19:40.415+01:00"},"s":"W", "c":"NETWORK", "id":23234, "ctx":"conn15","msg":"No SSL certificate provided by peer"}
{"t":{"$date":"2021-03-01T14:19:40.415+01:00"},"s":"I", "c":"NETWORK", "id":22944, "ctx":"conn15","msg":"Connection ended","attr":{"remote":"127.0.0.1:38934","connectionId":15,"connectionCount":0}}
What is surprising is the "No SSL certificate provided by peer" message. Of course, that's is true (I mean, mongo shell connection is not sending any certificate to the MongoDB server) but as far as I understand the --tlsAllowConnectionsWithoutCertificates should allow this kind of certificate-less connections.
Probably I'm doing something wrong, but I don't know what it is :) Any help is really welcomed!
Probably I'm doing something wrong, but I don't know what it is :)
You are experiencing the full informativeness of OpenSSL diagnostic messages.
The client and the server both validate the certificates of the other side, by default. You configured the server to not validate the client's certificate. The error is coming from the shell after it tries to validate the server's certificate and cannot follow the server cert to a known CA cert. This is reported as "self-signed certificate in certificate chain" which is true but misleading (the shell would be very capable of accepting the server's certificate if you gave it the CA cert which is self-signed).
The server log tells you the client hasn't provided the certificate, which is true and normal for your configuration, but the connection close is initiated by the client (shell). There isn't a server problem there. See also this and this.
I am trying to test a mongoDB installation with self signed certificates. I followed the instructions in the mongoDB documentation for creating the 'pem' files using the copy links on each page:
Appendix A - OpenSSL CA Certificate for Testing
Appendix B - OpenSSL Server Certificates for Testing
Appendix C - OpenSSL Client Certificates for Testing
I updated the /etc/mongod.conf as such:
# network interfaces
net:
port: 27017
bindIp: 0.0.0.0
tls:
mode: requireTLS
certificateKeyFile: /etc/ssl/mongodb/test-server1.pem
allowConnectionsWithoutCertificates: true
allowInvalidHostnames: true
allowInvalidCertificates: true
CAFile: /etc/ssl/mongodb/mongodb-test-ca.crt
Originally I did not have the 'allow' option, but they do not make a difference so I am leaving the in for now.
Running the mongodb shell results in this error:
root#ip-10-0-3-61:~/mongo-cert# mongo --tls --tlsCertificateKeyFile test-client.pem
MongoDB shell version v4.2.5
connecting to: mongodb://127.0.0.1:27017/?compressors=disabled&gssapiServiceName=mongodb
2020-04-17T17:07:25.809+0000 E NETWORK [js] SSL peer certificate validation failed: self signed certificate in certificate chain
2020-04-17T17:07:25.810+0000 E QUERY [js] Error: couldn't connect to server 127.0.0.1:27017, connection attempt failed: SSLHandshakeFailed: SSL peer certificate validation failed: self signed certificate in certificate chain :
connect#src/mongo/shell/mongo.js:341:17
#(connect):2:6
2020-04-17T17:07:25.812+0000 F - [main] exception: connect failed
2020-04-17T17:07:25.812+0000 E - [main] exiting with code 1
root#ip-10-0-3-61:~/mongo-cert#
If I add the '--tlsAllowInvalidCertificates' in the command it works:
root#ip-10-0-3-61:~/mongo-cert# mongo --tls --tlsCertificateKeyFile test-client.pem --tlsAllowInvalidCertificates
MongoDB shell version v4.2.5
connecting to: mongodb://127.0.0.1:27017/?compressors=disabled&gssapiServiceName=mongodb
2020-04-17T17:09:18.934+0000 W NETWORK [js] SSL peer certificate validation failed: self signed certificate in certificate chain
Implicit session: session { "id" : UUID("3b0d0920-931d-4143-a8a2-afde432c1444") }
MongoDB server version: 4.2.5
>
I have read other people who have followed the mongodb instructions successfully.
I just do not understand what I have done wrong.
You need to provide the CA file to mongo also (the --tlsCAFile option), in addition to the client certificate.
When full verification is enabled with TLS both server and client validate the other's certificate. This means both must have access to the CA cert used for signing the leaf certs.
A little background...my certificate is a LetsEncrypt.org SSL certificate issued with Certbot. I'm running Nginx 1.12.2, and I'm able to properly access my website using https:// so I believe that portion is configured properly. My web server is running Ubuntu 16.04 and MongoDB 3.6.3.
I have tried many configurations and while I can connect to my MongoDB just fine using Compass (the official MongoDB GUI) without the SSL option, attempts to connect with SSL result in a Could not connect to MongoDB on the provided host and port error message. Running mongo -ssl --sslPEMKeyFile /etc/ssl/mongo.pem on my server results in the following error:
MongoDB shell version v3.6.3
connecting to: mongodb://127.0.0.1:27017
2018-06-12T16:51:10.756+0000 E NETWORK [thread1] SSL peer certificate validation failed: unable to get local issuer certificate
2018-06-12T16:51:10.757+0000 E QUERY [thread1] Error: socket exception [CONNECT_ERROR] for SSL peer certificate validation failed: unable to get local issuer certificate :
connect#src/mongo/shell/mongo.js:251:13
#(connect):1:6
exception: connect failed
My /var/log/mongodb/mongod.log shows the following which corresponds to the error above:
2018-06-12T16:51:10.755+0000 I NETWORK [listener] connection accepted from 127.0.0.1:47792 #8 (2 connections now open)
2018-06-12T16:51:10.757+0000 I NETWORK [conn8] end connection 127.0.0.1:47792 (1 connection now open)
My /etc/mongod.conf contains the following (I've commented out the CAFile parameter as I've read this is optional for now [source: https://stackoverflow.com/a/33926129/2969615 ]; note that I get mongo.pem: OK when running the openssl verify -CAfile /etc/ca.pem /etc/mongo.pem command, so I believe mongo.pem is properly set up):
# network interfaces
net:
port: 27017
bindIp: 0.0.0.0
ssl:
mode: allowSSL
PEMKeyFile: /etc/ssl/mongo.pem
# CAFile: /etc/ssl/ca.pem
I've created my mongo.pem file by referring to the following: https://serverfault.com/a/878457 ...I have tried the certificate in the instructions as well as both X3 intermediate certificates available at https://letsencrypt.org/certificates/ to no avail.
Any help would be greatly appreciated.
Very late to the party, but just in case it does help someone. I am running mongodb inside docker with the official image from mongo and compass from another docker image.
For the server I use:
docker run -it --name data.domain.com --network docker_network -v /path/to/ssl:/ssl:ro -e MONGO_INITDB_ROOT_USERNAME=admin -e MONGO_INITDB_ROOT_PASSWORD=pass mongo --tlsMode requireTLS --tlsCertificateKeyFile /ssl/fullchain-key.pem --tlsCAFile /etc/ssl/certs/ISRG_Root_X1.pem
fullchain-key.pem is 'cat fullchain.pem privkey.pem > fullchain-key.pem'
docker name or server name must match certificate name
For Compass I use:
The server has it's own certificate and compass as well.