Unable to determine Mongoose SSL connection error to DocumentDB

Question

I have 2 environments in AWS Elastic Beanstalk (EB) running a Node.js application connecting to DocumentDB utilizing the Mongoose framework. One of the environments inexplicably stopped working while the other is working fine. Both are deployed from a CI/CD build server that utilizes the EB CLI to deploy the application code.

The problematic environment generates the following error in the nodejs.log:

  name: 'MongooseTimeoutError',
  reason:
   { Error: unable to get local issuer certificate
       at TLSSocket.onConnectSecure (_tls_wrap.js:1058:34)
       at TLSSocket.emit (events.js:198:13)
       at TLSSocket._finishInit (_tls_wrap.js:636:8)
     name: 'MongoNetworkError',
     [Symbol(mongoErrorContextSymbol)]: {} },
  [Symbol(mongoErrorContextSymbol)]: {} }

Both use the same connection string as they connect to the same instance mongodb://*****:*****@docdb-2019-08-**-**-**-**.cluster-**********.us-east-2.docdb.amazonaws.com:27017/db_name?ssl=true&ssl_ca_certs=/etc/ssl/certs/rds-combined-ca-bundle.pem&replicaSet=rs0

The certificate pem file is the same file used for both and is deployed to the instance via EB .ebextensions scripts.

Things that I have tried:

• Connected to the troubled environment's EC2 instance, installed the mongodb shell and was able to successfully connect to the DocumentDB instance using the cert specified in the Mongo connect string.
• Rebuilt the EB environment via the Elastic Beanstalk web management console.

Kind of stuck and out of ideas at the moment.

Answer 1

Amazon's DocumentDB oficial documentation has a sample code that works and doesn´t trigger this error.

https://docs.aws.amazon.com/documentdb/latest/developerguide/connect_programmatically.html

This is the Node.JS sample with some adaptations for the sake of clarity:

const { MongoClient } = require('mongodb');
const fs = require('fs');

const caContent = [fs.readFileSync("/path/to/rds-combined-ca-bundle.pem")];
const options = { 
  sslValidate: true,
  sslCA: caContent,
  useNewUrlParser: true
};
const connUri = 'mongodb://user:[email protected]:27017/sample-database?ssl=true&replicaSet=rs0&readPreference=secondaryPreferred';

const client = new MongoClient(connUri, options);
const client = await MongoClient.connect();

Answer 2

Had the same issue.. not sure if this breaks with the change in cert to 2019 .. anyway I had to get around this with a code change (added the sslCA parameter to the Mongoose connect method below) and removal of the ssl cert location from the connection string.

connect(uri, {useNewUrlParser: true,
        useFindAndModify: false,
        sslCA: [fs.readFileSync("rds-combined-ca-bundle.pem")]}, (err: any)