Nginx Question posted in
The official documentation can be found here.

Nginx – Compass and MongoDB VPS instance won't establish TLS connection

Compass won’t establish connection to VPS MongoDB instance. Here is the log:

{"t":{"$date":"2024-12-05T20:38:26.097+00:00"},"s":"I",  "c":"NETWORK",  "id":22943,   "ctx":"listener","msg":"Connection accepted","attr":{"remote":"185.121.228.66:51324","uuid":{"uuid":{"$uuid":"5f86b525-d80e-45ea-b05d-ca1e33028b58"}},"connectionId":52,"connectionCount":1}}
{"t":{"$date":"2024-12-05T20:38:26.111+00:00"},"s":"I",  "c":"NETWORK",  "id":6723804, "ctx":"conn52","msg":"Ingress TLS handshake complete","attr":{"durationMillis":13}}
{"t":{"$date":"2024-12-05T20:38:26.112+00:00"},"s":"E",  "c":"NETWORK",  "id":23256,   "ctx":"conn52","msg":"SSL peer certificate validation failed","attr":{"error":"SSL peer certificate validation failed: unable to get issuer certificate"}}
{"t":{"$date":"2024-12-05T20:38:26.112+00:00"},"s":"I",  "c":"EXECUTOR", "id":22988,   "ctx":"conn52","msg":"Error receiving request from client. Ending connection from remote","attr":{"error":{"code":141,"codeName":"SSLHandshakeFailed","errmsg":"SSL peer certificate validation failed: unable to get issuer certificate"},"remote":"185.121.228.66:51324","connectionId":52}}
{"t":{"$date":"2024-12-05T20:38:26.112+00:00"},"s":"I",  "c":"NETWORK",  "id":22944,   "ctx":"conn52","msg":"Connection ended","attr":{"remote":"185.121.228.66:51324","uuid":{"uuid":{"$uuid":"5f86b525-d80e-45ea-b05d-ca1e33028b58"}},"connectionId":52,"connectionCount":0}}

No idea what is causing the problem. The files have the same contents on both ends and readable.

mongo.conf:

net:
  port: 27017
#  bindIp: 127.0.0.1
  bindIpAll: true
  tls:
    mode: requireTLS
    certificateKeyFile: /etc/ssl/certAndKey.pem
    CAFile: /etc/ssl/chain.pem

Before I tried NGINX on VPS end and Compass was establishing connection fine. Make me think the issue is on MongoDB end.

certAndKey contents:

-----BEGIN CERTIFICATE-----
MIIDkTCCAxigAwIBAgISBFenOkN8BKV0K4KSsaH2eRvgMAoGCCqGSM49BAMDMDIx
CzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQDEwJF
NjAeFw0yNDExMTkxNzI4MDdaFw0yNTAyMTcxNzI4MDZaMBkxFzAVBgNVBAMTDmdp
ZnRidXR0b24uY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAExl2N7OsKn6or
Ggzf2xGQPjQNMks8/c9E1h3djOkojbzX0ppmqrxTaiM2eIYClj9vN3zMCecq1zEi
JGPt3GHPpaOCAiUwggIhMA4GA1UdDwEB/wQEAwIHgDAdBgNVHSUEFjAUBggrBgEF
BQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUHYpnb2g9Bcvf
bm/tfcpVsPUk3CgwHwYDVR0jBBgwFoAUkydGmAOpUWiOmNbEQkjbI79YlNIwVQYI
KwYBBQUHAQEESTBHMCEGCCsGAQUFBzABhhVodHRwOi8vZTYuby5sZW5jci5vcmcw
IgYIKwYBBQUHMAKGFmh0dHA6Ly9lNi5pLmxlbmNyLm9yZy8wLQYDVR0RBCYwJIIS
YXBpLmdpZnRidXR0b24uY29tgg5naWZ0YnV0dG9uLmNvbTATBgNVHSAEDDAKMAgG
BmeBDAECATCCAQUGCisGAQQB1nkCBAIEgfYEgfMA8QB2AKLjCuRF772tm3447Udn
d1PXgluElNcrXhssxLlQpEfnAAABk0WtLcQAAAQDAEcwRQIhAOk5pkZCkA3w7fU9
zM1TBFxZ0QnCRXAofLDz9YGCLLf/AiBz7ulKlnh2TtRNvEeaCMf19ryUp8HLWNp7
puhy1QtfzAB3ABNK3xq1mEIJeAxv70x6kaQWtyNJzlhXat+u2qfCq+AiAAABk0Wt
LnUAAAQDAEgwRgIhAIMOfLTk7kj1NcgmIblD9w+5LUozjkKpJyY6BzODUsylAiEA
+D7IEh5HpCMuR8QTjRM/zoOHoY1RK/lKhTbM1mJlKtgwCgYIKoZIzj0EAwMDZwAw
ZAIwF+1iepR6GfMqOFjfNGoRPLBz2Tpb9KwGK1P+brUbFxj+Ajpz6O8mt+EKAj8Y
EwwFAjAyPdWjZ/Y0KGWA6bsC0ltNyBGe0rUru8Rx1pLoYqA4TmcPpjbFbEVxVkCq
o5KZMN0=
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQg57A06iepOf1s1AYI
+UZCoiE69mtRSZ+NgKBcf1xaMtahRANCAATGXY3s6wqfqisaDN/bEZA+NA0ySzz9
z0TWHd2M6SiNvNfSmmaqvFNqIzZ4hgKWP283fMwJ5yrXMSIkY+3cYc+l
-----END PRIVATE KEY-----

Chain.pem:

-----BEGIN CERTIFICATE-----
MIIEVzCCAj+gAwIBAgIRALBXPpFzlydw27SHyzpFKzgwDQYJKoZIhvcNAQELBQAw
TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMjQwMzEzMDAwMDAw
WhcNMjcwMzEyMjM1OTU5WjAyMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg
RW5jcnlwdDELMAkGA1UEAxMCRTYwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAATZ8Z5G
h/ghcWCoJuuj+rnq2h25EqfUJtlRFLFhfHWWvyILOR/VvtEKRqotPEoJhC6+QJVV
6RlAN2Z17TJOdwRJ+HB7wxjnzvdxEP6sdNgA1O1tHHMWMxCcOrLqbGL0vbijgfgw
gfUwDgYDVR0PAQH/BAQDAgGGMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcD
ATASBgNVHRMBAf8ECDAGAQH/AgEAMB0GA1UdDgQWBBSTJ0aYA6lRaI6Y1sRCSNsj
v1iU0jAfBgNVHSMEGDAWgBR5tFnme7bl5AFzgAiIyBpY9umbbjAyBggrBgEFBQcB
AQQmMCQwIgYIKwYBBQUHMAKGFmh0dHA6Ly94MS5pLmxlbmNyLm9yZy8wEwYDVR0g
BAwwCjAIBgZngQwBAgEwJwYDVR0fBCAwHjAcoBqgGIYWaHR0cDovL3gxLmMubGVu
Y3Iub3JnLzANBgkqhkiG9w0BAQsFAAOCAgEAfYt7SiA1sgWGCIpunk46r4AExIRc
MxkKgUhNlrrv1B21hOaXN/5miE+LOTbrcmU/M9yvC6MVY730GNFoL8IhJ8j8vrOL
pMY22OP6baS1k9YMrtDTlwJHoGby04ThTUeBDksS9RiuHvicZqBedQdIF65pZuhp
eDcGBcLiYasQr/EO5gxxtLyTmgsHSOVSBcFOn9lgv7LECPq9i7mfH3mpxgrRKSxH
pOoZ0KXMcB+hHuvlklHntvcI0mMMQ0mhYj6qtMFStkF1RpCG3IPdIwpVCQqu8GV7
s8ubknRzs+3C/Bm19RFOoiPpDkwvyNfvmQ14XkyqqKK5oZ8zhD32kFRQkxa8uZSu
h4aTImFxknu39waBxIRXE4jKxlAmQc4QjFZoq1KmQqQg0J/1JF8RlFvJas1VcjLv
YlvUB2t6npO6oQjB3l+PNf0DpQH7iUx3Wz5AjQCi6L25FjyE06q6BZ/QlmtYdl/8
ZYao4SRqPEs/6cAiF+Qf5zg2UkaWtDphl1LKMuTNLotvsX99HP69V2faNyegodQ0
LyTApr/vT01YPE46vNsDLgK+4cL6TrzC/a4WcmF5SRJ938zrv/duJHLXQIku5v0+
EwOy59Hdm0PT/Er/84dDV0CSjdR/2XuZM3kpysSKLgD1cKiDA+IRguODCxfO9cyY
Ig46v9mFmBvyH04=
-----END CERTIFICATE-----

There is also fullchain.pem file, but not using it. All certs obtained from LetsEncrypt via Certbot.

Any ideas why MongoDB on VPS not liking what Compass is trying to communicate?

Tags:

3

Answers


  1. Chosen as BEST ANSWER
    0

    To summarize the solution provided by Wernfried Domscheit and put everything in plain English, as this certificate subject us super-ultra-confusing. As Certbot by LetsEncrypt generates you the following files:

    1) cert.pem (as known as "Your server certificate")
2) chain.pem (as known as "Intermediate certificate")
3) fullchain.pem (2 of the above in a single file. The 1st half is erver cert, the other half is intermediate cert. Anyhow this file is useless in our case and adds more confusion, so ignore this file)
4) privkey.pem

    Here is what you need to do:

    1. make a file containing both your server cert and privkey;
    2. make another file containing both the intermediate cert and RootCA.

    RootCA isn't provided by Certbot! You need download it from LetEncrypt website directly.

    https://letsencrypt.org/certificates/][1]

    It is ISRG Root X1, the self-signed one. Here is the direct link

    [https://letsencrypt.org/certs/isrgrootx1.pem][1]

    As for your mongod.cong, the tls part should like something like this:

    tls:
    mode: requireTLS
    certificateKeyFile: /etc/ssl/certKey.pem
    CAFile: /etc/ssl/intermRoot.pem

    As for Compass connection, accordingly:

    1. "Certificate Authority (.pem)" file shall be your intermRoot file
    2. "Client Certificate and Key (.pem)" file shall be your certKey file

  2. 0

    Currently certAndKey.pem contains

    Subject: CN = giftbutton.com
Issuer: C = US, O = Let's Encrypt, CN = E6

    and chain.pem contains

    Subject: C = US, O = Let's Encrypt, CN = E6
Issuer: C = US, O = Internet Security Research Group, CN = ISRG Root X1

    The .pem file passed as CAFile should contain just the root certificate, i.e. ISRG Root X1. You will need to obtain that root cert and pass it in CAFile.

    Put the intermediate certificate, server certificate, and server private key in the same file and pass it as certificateKeyFile.

    Login or Signup to reply.
  3. 0

    Add the root certificate to your CA. The chain.pem file should be this:

    -----BEGIN CERTIFICATE-----
MIIEVzCCAj+gAwIBAgIRALBXPpFzlydw27SHyzpFKzgwDQYJKoZIhvcNAQELBQAw
TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMjQwMzEzMDAwMDAw
WhcNMjcwMzEyMjM1OTU5WjAyMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg
RW5jcnlwdDELMAkGA1UEAxMCRTYwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAATZ8Z5G
h/ghcWCoJuuj+rnq2h25EqfUJtlRFLFhfHWWvyILOR/VvtEKRqotPEoJhC6+QJVV
6RlAN2Z17TJOdwRJ+HB7wxjnzvdxEP6sdNgA1O1tHHMWMxCcOrLqbGL0vbijgfgw
gfUwDgYDVR0PAQH/BAQDAgGGMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcD
ATASBgNVHRMBAf8ECDAGAQH/AgEAMB0GA1UdDgQWBBSTJ0aYA6lRaI6Y1sRCSNsj
v1iU0jAfBgNVHSMEGDAWgBR5tFnme7bl5AFzgAiIyBpY9umbbjAyBggrBgEFBQcB
AQQmMCQwIgYIKwYBBQUHMAKGFmh0dHA6Ly94MS5pLmxlbmNyLm9yZy8wEwYDVR0g
BAwwCjAIBgZngQwBAgEwJwYDVR0fBCAwHjAcoBqgGIYWaHR0cDovL3gxLmMubGVu
Y3Iub3JnLzANBgkqhkiG9w0BAQsFAAOCAgEAfYt7SiA1sgWGCIpunk46r4AExIRc
MxkKgUhNlrrv1B21hOaXN/5miE+LOTbrcmU/M9yvC6MVY730GNFoL8IhJ8j8vrOL
pMY22OP6baS1k9YMrtDTlwJHoGby04ThTUeBDksS9RiuHvicZqBedQdIF65pZuhp
eDcGBcLiYasQr/EO5gxxtLyTmgsHSOVSBcFOn9lgv7LECPq9i7mfH3mpxgrRKSxH
pOoZ0KXMcB+hHuvlklHntvcI0mMMQ0mhYj6qtMFStkF1RpCG3IPdIwpVCQqu8GV7
s8ubknRzs+3C/Bm19RFOoiPpDkwvyNfvmQ14XkyqqKK5oZ8zhD32kFRQkxa8uZSu
h4aTImFxknu39waBxIRXE4jKxlAmQc4QjFZoq1KmQqQg0J/1JF8RlFvJas1VcjLv
YlvUB2t6npO6oQjB3l+PNf0DpQH7iUx3Wz5AjQCi6L25FjyE06q6BZ/QlmtYdl/8
ZYao4SRqPEs/6cAiF+Qf5zg2UkaWtDphl1LKMuTNLotvsX99HP69V2faNyegodQ0
LyTApr/vT01YPE46vNsDLgK+4cL6TrzC/a4WcmF5SRJ938zrv/duJHLXQIku5v0+
EwOy59Hdm0PT/Er/84dDV0CSjdR/2XuZM3kpysSKLgD1cKiDA+IRguODCxfO9cyY
Ig46v9mFmBvyH04=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIFazCCA1OgAwIBAgIRAIIQz7DSQONZRGPgu2OCiwAwDQYJKoZIhvcNAQELBQAw
TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMTUwNjA0MTEwNDM4
WhcNMzUwNjA0MTEwNDM4WjBPMQswCQYDVQQGEwJVUzEpMCcGA1UEChMgSW50ZXJu
ZXQgU2VjdXJpdHkgUmVzZWFyY2ggR3JvdXAxFTATBgNVBAMTDElTUkcgUm9vdCBY
MTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAK3oJHP0FDfzm54rVygc
h77ct984kIxuPOZXoHj3dcKi/vVqbvYATyjb3miGbESTtrFj/RQSa78f0uoxmyF+
0TM8ukj13Xnfs7j/EvEhmkvBioZxaUpmZmyPfjxwv60pIgbz5MDmgK7iS4+3mX6U
A5/TR5d8mUgjU+g4rk8Kb4Mu0UlXjIB0ttov0DiNewNwIRt18jA8+o+u3dpjq+sW
T8KOEUt+zwvo/7V3LvSye0rgTBIlDHCNAymg4VMk7BPZ7hm/ELNKjD+Jo2FR3qyH
B5T0Y3HsLuJvW5iB4YlcNHlsdu87kGJ55tukmi8mxdAQ4Q7e2RCOFvu396j3x+UC
B5iPNgiV5+I3lg02dZ77DnKxHZu8A/lJBdiB3QW0KtZB6awBdpUKD9jf1b0SHzUv
KBds0pjBqAlkd25HN7rOrFleaJ1/ctaJxQZBKT5ZPt0m9STJEadao0xAH0ahmbWn
OlFuhjuefXKnEgV4We0+UXgVCwOPjdAvBbI+e0ocS3MFEvzG6uBQE3xDk3SzynTn
jh8BCNAw1FtxNrQHusEwMFxIt4I7mKZ9YIqioymCzLq9gwQbooMDQaHWBfEbwrbw
qHyGO0aoSCqI3Haadr8faqU9GY/rOPNk3sgrDQoo//fb4hVC1CLQJ13hef4Y53CI
rU7m2Ys6xt0nUW7/vGT1M0NPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNV
HRMBAf8EBTADAQH/MB0GA1UdDgQWBBR5tFnme7bl5AFzgAiIyBpY9umbbjANBgkq
hkiG9w0BAQsFAAOCAgEAVR9YqbyyqFDQDLHYGmkgJykIrGF1XIpu+ILlaS/V9lZL
ubhzEFnTIZd+50xx+7LSYK05qAvqFyFWhfFQDlnrzuBZ6brJFe+GnY+EgPbk6ZGQ
3BebYhtF8GaV0nxvwuo77x/Py9auJ/GpsMiu/X1+mvoiBOv/2X/qkSsisRcOj/KK
NFtY2PwByVS5uCbMiogziUwthDyC3+6WVwW6LLv3xLfHTjuCvjHIInNzktHCgKQ5
ORAzI4JMPJ+GslWYHb4phowim57iaztXOoJwTdwJx4nLCgdNbOhdjsnvzqvHu7Ur
TkXWStAmzOVyyghqpZXjFaH3pO3JLF+l+/+sKAIuvtd7u+Nxe5AW0wdeRlN8NwdC
jNPElpzVmbUq4JUagEiuTDkHzsxHpFKVK7q4+63SM1N95R1NbdWhscdCb+ZAJzVc
oyi3B43njTOQ5yOf+1CceWxG1bQVs5ZufpsMljq4Ui0/1lvh+wjChP4kqKOJ2qxq
4RgqsahDYVvTH9w7jXbyLeiNdd8XM2w9U/t7y0Ff/9yi0GE44Za4rF2LN9d11TPA
mRGunUHBcnWEvgJBQl9nJEiU0Zsnvgc/ubhPgXRR4Xq37Z0j4r7g1SgEEzwxA57d
emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc=
-----END CERTIFICATE-----

    Usually Let’s Encrypt certificates are stored in your local certificate store, thus you can use also tlsUseSystemCA. I think in Compass and mongosh it is even the default.

    Login or Signup to reply.
Please signup or login to give your own answer.

Back To Top
Search