Issue connecting via TLS to a sharded cluster exposed through a load balancer, via MongoDB Compass

tls:
  mode: preferTLS
  # 90 days in hours
  certValidityDuration: 2160h
  allowInvalidCertificates: true
  issuerConf:
    name: percona-cluster-issuer
    kind: ClusterIssuer
    group: cert-manager.io

connection string: mongodb://user:password@k8s-mongopre-stagemon-73a0897a4c-ba595be8c7c7e792.elb.ap-south-1.ws.com:27017/admin?tls=true&tlsCAFile=%2FUsers%2Frohitsingh%2Fca.crt&tlsAllowInvalidHostnames=true

k get certificates
NAME                               READY   SECRET                             AGE
stage-mongo-preprod-ca-cert        True    stage-mongo-preprod-ca-cert        8h
stage-mongo-preprod-ssl            True    stage-mongo-preprod-ssl            8h
stage-mongo-preprod-ssl-internal   True    stage-mongo-preprod-ssl-internal   8h

secret: kubectl get secret stage-mongo-preprod-ca-cert -o jsonpath="{.data['ca.crt']}" | base64 --decode > ca.crt

{"t":{"$date":"2025-10-09T18:35:25.586Z"},"s":"E", "c":"NETWORK", "id":23212, "ctx":"js","msg":"SSL peer certificate validation failed; connection rejected","attr":{"error":"Certificate trust failure: CSSMERR_TP_NOT_TRUSTED"}}
Error: couldn't connect to server k8s-mongopre-stagemon-73a0897a4c-ba595be8c7c7e792.elb.ap-south-1.amazonaws.com:27017, connection attempt failed: SSLHandshakeFailed: Certificate trust failure: CSSMERR_TP_NOT_TRUSTED :

via MongoDB Compass: k8s-mon95be8c7c7e792.elb.ap-south-1.amazonaws.:27017 unable to get local issuer certificate

The errors Certificate trust failure: CSSMERR_TP_NOT_TRUSTED and unable to get local issuer certificate mean that your client (MongoDB Compass) does not trust the TLS certificate being presented by the MongoDB server.

The most likely scenario is that the external certificate (stage-mongo-preprod-ssl) was NOT signed by the internal CA (stage-mongo-preprod-ca-cert).

The operator might be configured to use one self-signed CA for internal traffic but a different issuer (such as Let's Encrypt or another corporate CA) for the external-facing certificate. When you extract the stage-mongo-preprod-ca-cert and give it to Compass, you are giving it the wrong key to validate the server's certificate.

Try to check it first:

openssl s_client -connect k8s-mongopre-stagemon-73a0897a4c-ba595be8c7c7e792.elb.ap-south-1.ws.com:27017 -showcerts < /dev/null

^^ Check the Issuer.

Then:

openssl x509 -in ca.crt -noout -subject -issuer

Subject and Issuer should be the same. If they are not, you need to fix it. If they are, maybe you are missing an Intermediate certificate; make sure the whole validation chain is provided.
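An added example (not part of the thread, and not Percona or MongoDB code) that reproduces the situation the answer describes offline: it builds a throwaway root -> intermediate -> leaf chain with the openssl CLI (all names such as demo-root-ca and mongo.example.internal are made up for the demo), applies the subject-vs-issuer check from the answer, and shows that the leaf verifies only when the intermediate is included in the CA bundle, which is exactly the "unable to get local issuer certificate" case. It assumes an openssl 1.1.1 or 3.x binary is on PATH.

```shell
#!/usr/bin/env bash
# Added example, not from the thread: construct a root -> intermediate -> leaf chain
# and show why a client given only the root CA cannot validate the server cert.
set -e

WORK="$(mktemp -d)"   # scratch dir for the constructed demo material

# Key + CSR for a given CN; -nodes leaves the key unencrypted (demo only).
gen_csr() {   # $1 = file stem, $2 = CN
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
}

build_chain() {
  # Root CA: self-signed, so subject == issuer.
  gen_csr root demo-root-ca
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
  openssl x509 -req -sha256 -days 30 -in "$WORK/root.csr" -signkey "$WORK/root.key" \
    -extfile "$WORK/ca.ext" -out "$WORK/root.crt" >/dev/null 2>&1

  # Intermediate CA signed by the root.
  gen_csr int demo-intermediate-ca
  openssl x509 -req -sha256 -days 30 -in "$WORK/int.csr" \
    -CA "$WORK/root.crt" -CAkey "$WORK/root.key" -CAcreateserial \
    -extfile "$WORK/ca.ext" -out "$WORK/int.crt" >/dev/null 2>&1

  # Server (leaf) cert signed by the intermediate, like the cert a mongod presents.
  gen_csr leaf mongo.example.internal
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:mongo.example.internal\n' > "$WORK/leaf.ext"
  openssl x509 -req -sha256 -days 30 -in "$WORK/leaf.csr" \
    -CA "$WORK/int.crt" -CAkey "$WORK/int.key" -CAcreateserial \
    -extfile "$WORK/leaf.ext" -out "$WORK/leaf.crt" >/dev/null 2>&1

  # Two candidate tlsCAFile bundles: root alone vs. intermediate + root.
  cp "$WORK/root.crt" "$WORK/root-only.pem"
  cat "$WORK/int.crt" "$WORK/root.crt" > "$WORK/full-chain.pem"
}

# The answer's subject/issuer test: "yes" for a self-signed root, "no" otherwise.
is_self_signed() {   # $1 = PEM file
  local s i
  s="$(openssl x509 -in "$1" -noout -subject)"; s="${s#subject=}"
  i="$(openssl x509 -in "$1" -noout -issuer)";  i="${i#issuer=}"
  if [ "$s" = "$i" ]; then echo yes; else echo no; fi
}

# "Check the Issuer": who signed this certificate.
issuer_of() {   # $1 = PEM file
  local i
  i="$(openssl x509 -in "$1" -noout -issuer)"; echo "${i#issuer=}"
}

# Does the leaf validate with this bundle used as the CA file? Prints ok/fail.
verify_with() {   # $1 = bundle PEM
  if openssl verify -CAfile "$1" "$WORK/leaf.crt" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# The reason openssl gives on failure, e.g. "unable to get local issuer certificate".
verify_reason() {   # $1 = bundle PEM
  openssl verify -CAfile "$1" "$WORK/leaf.crt" 2>&1 \
    | sed -n 's/^error [0-9]* at [0-9]* depth lookup: *//p' | head -n 1
}

# Alternative when you only trust the root: pass the intermediate the server sends
# (visible in openssl s_client -showcerts output) as -untrusted.
verify_with_untrusted() {
  if openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/int.crt" "$WORK/leaf.crt" >/dev/null 2>&1
  then echo ok; else echo fail; fi
}

build_chain
echo "root self-signed:         $(is_self_signed "$WORK/root.crt")"    # yes
echo "intermediate self-signed: $(is_self_signed "$WORK/int.crt")"     # no
echo "leaf issuer:              $(issuer_of "$WORK/leaf.crt")"
echo "verify with root only:    $(verify_with "$WORK/root-only.pem") ($(verify_reason "$WORK/root-only.pem"))"   # fail
echo "verify with full chain:   $(verify_with "$WORK/full-chain.pem")"  # ok
echo "root + untrusted int:     $(verify_with_untrusted)"               # ok
```

Against a real deployment the same two checks apply: save every PEM block printed by openssl s_client -showcerts against the load balancer, and either concatenate the intermediates with the root into the file you hand Compass as tlsCAFile, or confirm with openssl verify -untrusted that the chain the server sends actually terminates at the CA you extracted from the secret.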

@Rohit_Singh were you able to check this?

This issue is solved.
I was not passing the whole certificate chain to MongoDB Compass.