Mongo extension: quarkus.mongodb.tls-insecure=true requires certificate #37322

Closed
gian1200 opened this issue Nov 26, 2023 · 2 comments
Labels
area/mongodb kind/bug Something isn't working


@gian1200
Contributor

Describe the bug

Connection to a MongoDB instance doesn't work without a certificate, with tlsInsecure=true.

Expected behavior

Established connection

Actual behavior

2023-11-26 17:41:48,721 INFO  [org.mon.dri.cluster] (cluster-ClusterId{value='**redacted**', description='null'}-**redacted host:port**) Exception in monitor thread while connecting to server **redacted host:port**: com.mongodb.MongoSocketWriteException: Exception sending message                                                                                                                          
        at com.mongodb.internal.connection.InternalStreamConnection.translateWriteException(InternalStreamConnection.java:708)
        at com.mongodb.internal.connection.InternalStreamConnection.sendMessage(InternalStreamConnection.java:585)
        at com.mongodb.internal.connection.InternalStreamConnection.sendCommandMessage(InternalStreamConnection.java:416)
        at com.mongodb.internal.connection.InternalStreamConnection.sendAndReceive(InternalStreamConnection.java:362)
        at com.mongodb.internal.connection.CommandHelper.sendAndReceive(CommandHelper.java:102)
        at com.mongodb.internal.connection.CommandHelper.executeCommand(CommandHelper.java:49)
        at com.mongodb.internal.connection.InternalStreamConnectionInitializer.initializeConnectionDescription(InternalStreamConnectionInitializer.java:129)
        at com.mongodb.internal.connection.InternalStreamConnectionInitializer.startHandshake(InternalStreamConnectionInitializer.java:77)
        at com.mongodb.internal.connection.InternalStreamConnection.open(InternalStreamConnection.java:211)
        at com.mongodb.internal.connection.DefaultServerMonitor$ServerMonitorRunnable.lookupServerDescription(DefaultServerMonitor.java:199)
        at com.mongodb.internal.connection.DefaultServerMonitor$ServerMonitorRunnable.run(DefaultServerMonitor.java:159)
        at java.base/java.lang.Thread.run(Thread.java:833)
Caused by: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
        at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:378)
        at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:321)
        at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:316)
        at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:654)
        at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:473)
        at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:369)
        at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:396)
        at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:480)
        at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:458)
        at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:201)
        at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:172)
        at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1510)
        at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1425)
        at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:455)
        at java.base/sun.security.ssl.SSLSocketImpl.ensureNegotiated(SSLSocketImpl.java:925)
        at java.base/sun.security.ssl.SSLSocketImpl$AppOutputStream.write(SSLSocketImpl.java:1295)
        at com.mongodb.internal.connection.SocketStream.write(SocketStream.java:102)
        at com.mongodb.internal.connection.InternalStreamConnection.sendMessage(InternalStreamConnection.java:582)
        ... 10 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:439)
        at java.base/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:306)
        at java.base/sun.security.validator.Validator.validate(Validator.java:264)
        at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:231)
        at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:132)
        at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:638)
        ... 24 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:146)
        at java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:127)
        at java.base/java.security.cert.CertPathBuilder.build(CertPathBuilder.java:297)
        at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:434)
        ... 29 more

How to Reproduce?

  1.  <dependency>
          <groupId>io.quarkus</groupId>
          <artifactId>quarkus-mongodb-panache</artifactId>
      </dependency>

  2. a. Connection string in the format:

        mongodb://<username>:<password>@<host1>:<port>,<host2>:<port>,<host3>:<port>/<database>?authSource=<authSource>&replicaSet=<replicaSet>&tls=true&tlsInsecure=true

     b. Also tested in this format:

        quarkus.mongodb.connection-string=mongodb://<host1>:<port>,<host2>:<port>,<host3>:<port>
        quarkus.mongodb.database=
        quarkus.mongodb.credentials.username=
        quarkus.mongodb.credentials.password=
        quarkus.mongodb.tls=true
        quarkus.mongodb.tls-insecure=true
        quarkus.mongodb.credentials.auth-source=
        quarkus.mongodb.replica-set-name=

  3. Run any query. E.g.:
     Log.info(userRepository.count()); where userRepository is an instance of a class that implements PanacheMongoRepository<>.

Output of uname -a or ver

No response

Output of java -version

openjdk 17.0.8.1

Quarkus version or git rev

3.5.3

Build tool (ie. output of mvnw --version or gradlew --version)

Apache Maven 3.9.5

Additional information

This works fine when using MongoDBCompass
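
The trace in this report fails in `X509TrustManagerImpl.checkServerTrusted` with "PKIX path building failed", which is certificate chain validation, not hostname verification. As an added example (not part of the issue or of the Quarkus code base), the sketch below walks the "Caused by" chain of a JVM trace and labels which certificate check failed; the sample trace is constructed, and the hostname and validity patterns and the remediation hints are assumptions based on common JSSE messages.

```python
import re

# Constructed sample: an abbreviated JVM trace shaped like the one in the report.
SAMPLE_TRACE = """\
com.mongodb.MongoSocketWriteException: Exception sending message
        at com.mongodb.internal.connection.InternalStreamConnection.sendMessage(InternalStreamConnection.java:585)
Caused by: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        ... 10 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:146)
"""

# Root-cause patterns (assumed) -> failed check, and the fix that keeps validation on.
RULES = [
    ("untrusted_chain", re.compile(r"unable to find valid certification path|PKIX path")),
    ("hostname_mismatch", re.compile(r"No subject alternative .*matching|No name matching")),
    ("validity_period", re.compile(r"CertificateExpiredException|CertificateNotYetValidException")),
]
REMEDY = {
    "untrusted_chain": "add the issuing CA to the client truststore",
    "hostname_mismatch": "reissue the server certificate with the right SAN entries",
    "validity_period": "renew the certificate or fix the host clock",
}
EXC_LINE = re.compile(r"^(?:Caused by: )?([\w.$]+(?:Exception|Error))(?::\s*(.*))?$")

def cause_chain(trace):
    """Return [(exception_class, message), ...], outermost first, root cause last."""
    chain = []
    for raw in trace.splitlines():
        line = raw.strip()
        if line.startswith(("at ", "...")):
            continue  # stack frames and "... N more" markers carry no cause
        m = EXC_LINE.match(line)
        if m:
            chain.append((m.group(1), m.group(2) or ""))
    return chain

def classify(trace):
    """Label which certificate check failed, judged from the root cause."""
    chain = cause_chain(trace)
    if not chain:
        return "no_exception_found"
    cls, msg = chain[-1]
    for label, pattern in RULES:
        if pattern.search(f"{cls}: {msg}"):
            return label
    return "other"

print(classify(SAMPLE_TRACE), "->", REMEDY.get(classify(SAMPLE_TRACE), "inspect manually"))
```
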

@gian1200 added the kind/bug label Nov 26, 2023

quarkus-bot bot commented Nov 26, 2023

/cc @evanchooly (mongodb), @loicmathieu (mongodb)

@geoand
Contributor

geoand commented Feb 18, 2025

Let's close this as #46293 will introduce the TLS registry to the Mongo client

@geoand closed this as not planned Feb 18, 2025