Parse + mongodb + SSL: "no SSL certificate provided by peer"

Question

In the course of migrating off Parse's servers before it shuts down, I'm trying to set up a simple MongoDB instance on Digital Ocean. (I'm using that instead of mLab because my needs are very limited—-a few MB of storage, a few hundred requests per week--and for that mLab's costs are pretty high.)

I've got mongod running, and have made some progress with SSL thanks to this guide using Let's Encrypt, but now I'm stuck. Parse's migration tool says, "No reachable servers," and if I try to connect on the command line like this:

mongo --ssl -u editAdmin -p "<password-here>" --host mydb.myhost.com dbname

I get this error:

MongoDB shell version: 3.2.7
connecting to: mydb.myhost.com:27017/dbname
2016-07-24T10:31:38.814-0700 E QUERY [thread1] Error: network error while attempting to run command 'isMaster' on host 'mydb.myhost.com:27017' :
connect@src/mongo/shell/mongo.js:231:14
@(connect):1:6

exception: connect failed

The server log reports:

2016-07-24T13:32:44.357-0400 I NETWORK [initandlisten] connection accepted from 12.345.67.89:33351 #39 (1 connection now open)
2016-07-24T13:32:44.390-0400 E NETWORK [conn39] no SSL certificate provided by peer; connection rejected
2016-07-24T13:32:44.390-0400 I NETWORK [conn39] end connection 12.345.67.89:33351 (0 connections now open)

So that would suggest the client needs to provide a cert, but (a) I don't know how to provide one, and (b) Parse doesn't provide that as an option so there must be some way not to.

Thanks in advance for your help.

Answer 1

The key error message is this one:

no SSL certificate provided by peer; connection rejected

When you enable TLS/SSL on MongoDB, MongoDB clients can now authenticate that the MongoDB server is who it claims to be by comparing the MongoDB's TLS/SSL certificate (specified by the PEMKeyFile property in the mongod.conf file) against the public Certificate Authority certificate that you provide to the MongoDB client to indicate which Certificate Authority you trust.

But what I just described is sometimes called one-way TLS, whereas, by default, MongoDB enables two-way or mutual TLS authentication. The idea behind this is that maybe the MongoDB doesn't want to accept client requests from just anyone (the way a public website might), but wants to authenticate the clients as well.

In TLS Mutual Auth, the same Certificate Authority I mentioned above will issue client certificates and the MongoDB server will check the client's certificate to make sure it really was issued by the Certificate Authority in question and that it's valid (e.g. hasn't expired).

So this error is saying "Hey, I expect my clients to present a TLS certificate, but you're not presenting anything."

The way to fix it is described at Configure mongod and mongos for TLS/SSL:

If you want to bypass validation for clients that don’t present certificates, include the allowConnectionsWithoutCertificates run-time option with mongod and mongos. If the client does not present a certificate, no validation occurs. These connections, though not validated, are still encrypted using SSL.

Of course, you can specify this in the mongod.conf file as well: https://docs.mongodb.com/manual/reference/configuration-options/#net.ssl.allowConnectionsWithoutCertificates

My preferred solution looks like this:

net:
  port: 27017
  bindIp: 172.0.0.1 # Set this to whatever your private IP address is
  ssl:
     mode: "requireSSL"
     PEMKeyFile: "/path/to/tls/private/key"
     CAFile: "/path/to/ca/public/cert"
     disabledProtocols: "TLS1_0,TLS1_1"
     allowConnectionsWithoutCertificates: true # <-- The line to add to your config