 

Unable to determine Mongoose SSL connection error to DocumentDB


I have 2 environments in AWS Elastic Beanstalk (EB) running a Node.js application connecting to DocumentDB utilizing the Mongoose framework. One of the environments inexplicably stopped working while the other is working fine. Both are deployed from a CI/CD build server that utilizes the EB CLI to deploy the application code.

The problematic environment generates the following error in the nodejs.log:

  name: 'MongooseTimeoutError',
  reason:
   { Error: unable to get local issuer certificate
       at TLSSocket.onConnectSecure (_tls_wrap.js:1058:34)
       at TLSSocket.emit (events.js:198:13)
       at TLSSocket._finishInit (_tls_wrap.js:636:8)
     name: 'MongoNetworkError',
     [Symbol(mongoErrorContextSymbol)]: {} },
  [Symbol(mongoErrorContextSymbol)]: {} }

Both use the same connection string as they connect to the same instance mongodb://*****:*****@docdb-2019-08-**-**-**-**.cluster-**********.us-east-2.docdb.amazonaws.com:27017/db_name?ssl=true&ssl_ca_certs=/etc/ssl/certs/rds-combined-ca-bundle.pem&replicaSet=rs0

The certificate pem file is the same file used for both and is deployed to the instance via EB .ebextensions scripts.

Things that I have tried:

  • Connected to the troubled environment's EC2 instance, installed the mongodb shell and was able to successfully connect to the DocumentDB instance using the cert specified in the Mongo connect string.
  • Rebuilt the EB environment via the Elastic Beanstalk web management console.

Kind of stuck and out of ideas at the moment.

steve dunning asked Jan 02 '20 22:01


2 Answers

Amazon's DocumentDB official documentation has a sample code that works and doesn't trigger this error.

https://docs.aws.amazon.com/documentdb/latest/developerguide/connect_programmatically.html

This is the Node.JS sample with some adaptations for the sake of clarity:

const { MongoClient } = require('mongodb');
const fs = require('fs');

// CA bundle the driver uses to validate the DocumentDB server certificate
const caContent = [fs.readFileSync("/path/to/rds-combined-ca-bundle.pem")];
const options = {
  sslValidate: true,
  sslCA: caContent,
  useNewUrlParser: true
};
// <password> and <cluster-endpoint> are placeholders for your own values
const connUri = 'mongodb://user:<password>@<cluster-endpoint>:27017/sample-database?ssl=true&replicaSet=rs0&readPreference=secondaryPreferred';

async function main() {
  const client = new MongoClient(connUri, options);
  await client.connect();
  return client;
}

main().catch(console.error);
Patrick A Gonçalves answered Sep 30 '22 17:09


Had the same issue.. not sure if this breaks with the change in cert to 2019 .. anyway I had to get around this with a code change (added the sslCA parameter to the Mongoose connect method below) and removal of the ssl cert location from the connection string.

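import { connect } from 'mongoose';
import * as fs from 'fs';
// CA bundle is passed in code (sslCA), not in the connection string
connect(uri, {useNewUrlParser: true, useFindAndModify: false,
        sslCA: [fs.readFileSync("rds-combined-ca-bundle.pem")]},
    (err: any) => { if (err) console.error(err); /* handle the connection error here */ });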
user2475448 answered Sep 30 '22 16:09
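
The change both answers describe, as an added example that is not code from either answer: take the CA path out of the connection string's ssl_ca_certs parameter, load the bundle, and pass it to the driver as sslCA with sslValidate left on, failing closed if the bundle is missing or empty. The helper name docdbTlsConfig, the injected readFile parameter and the sample host and PEM text are hypothetical or constructed.

```javascript
const fs = require('fs');

// Hypothetical helper: returns a URI without ssl_ca_certs plus driver options
// that carry the CA bundle. readFile is injectable so the check runs offline.
function docdbTlsConfig(uri, readFile = fs.readFileSync) {
  const q = uri.indexOf('?');
  const base = q === -1 ? uri : uri.slice(0, q);
  const params = q === -1 ? [] : uri.slice(q + 1).split('&').filter(Boolean);

  let caPath = '';
  const kept = [];
  for (const p of params) {
    const eq = p.indexOf('=');
    const key = eq === -1 ? p : p.slice(0, eq);
    if (key === 'ssl_ca_certs') {
      caPath = eq === -1 ? '' : decodeURIComponent(p.slice(eq + 1));
    } else {
      kept.push(p); // keep ssl=true, replicaSet, etc. untouched
    }
  }
  if (!caPath) throw new Error('connection string has no ssl_ca_certs path');

  // Fail closed: an unreadable or empty bundle is an error, never a reason
  // to switch certificate validation off.
  const pem = readFile(caPath);
  const certs = (pem.toString('utf8').match(/-----BEGIN CERTIFICATE-----/g) || []).length;
  if (certs === 0) throw new Error(caPath + ' contains no PEM certificates');

  return {
    uri: kept.length ? base + '?' + kept.join('&') : base,
    options: { useNewUrlParser: true, sslValidate: true, sslCA: [pem] },
    certs,
  };
}

// Constructed sample input: host, credentials and PEM body are not real.
const SAMPLE_URI = 'mongodb://user:pass@docdb.example.internal:27017/db_name' +
  '?ssl=true&ssl_ca_certs=/etc/ssl/certs/rds-combined-ca-bundle.pem&replicaSet=rs0';
const SAMPLE_PEM = Buffer.from(
  '-----BEGIN CERTIFICATE-----\nCONSTRUCTED\n-----END CERTIFICATE-----\n'.repeat(2));

const demo = docdbTlsConfig(SAMPLE_URI, () => SAMPLE_PEM);
console.log(demo.uri, 'CA certificates loaded:', demo.certs);
```

With Mongoose, the returned values would be passed as connect(result.uri, result.options).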