PBM connection error with TLS bad OCSP signature: crypto/rsa: verification error

Hi,

I have a single MongoDB deployed in a replica set and I have set up Percona MongoDB with a TLS/SSL certificate for encryption in transit.

My nodejs application is successfully able to connect to MongoDB without any issue, however I'm facing trouble connecting PBM-Agent with MongoDB. If I run pbm status or check pbm-agent status with systemctl status pbm-agent.service I get the following error.

pbm status
Error: connect to mongodb: create mongo connection: ping: server selection error: server selection timeout, current topology: { Type: ReplicaSetNoPrimary, Servers: [{ Addr: domainname.com:27017, Type: Unknown, Last error: error parsing stapled response: bad OCSP signature: crypto/rsa: verification error }, ] }

Connection String: export PBM_MONGODB_URI="mongodb://pmm:password@domainname.com:27017/admin?authSource=admin&replicaSet=rs0&tls=true&tlsCAFile=/imsdevdata/certificates/domainname.ca.pem&tlsCertificateKeyFile=/imsdevdata/certificates/mongod.pem"

rs.status gives the following result in members:
members: [
{
_id: 0,
name: 'domainname.com:27017',
health: 1,
state: 1,
stateStr: 'PRIMARY',
etc…
}]

Note: I’m using CA signed certificate.

Please help…

Hi @Shashank_BS !
Looks like you have an issue with the connection to the OCSP responder; you can disable OCSP verification by adding the option tlsDisableOCSPEndpointCheck=true to PBM_MONGODB_URI.

Hi @oleksandr.havryliak thanks for your reply. I modified the PBM_MONGODB_URI value in /etc/sysconfig/pbm-agent to include tlsDisableOCSPEndpointCheck=true

PBM_MONGODB_URI="mongodb://pmm:@domainname.com:27017/?authSource=admin&replSetName=rs0&tls=true&tlsCAFile=/imsdevdata/certificates/ca.pem&tlsCertificateKeyFile=/imsdevdata/certificates/mongod.pem&directConnect=true&tlsDisableOCSPEndpointCheck=true"

But still pbm is unable to connect to the database.

systemctl status pbm-agent
Loaded: loaded (/usr/lib/systemd/system/pbm-agent.service; enabled; vendor preset: disabled)
Active: failed (Result: exit-code) since Tue 2024-09-10 06:57:02 GMT; 1s ago
Process: 2925598 ExecStart=/usr/bin/pbm-agent (code=exited, status=1/FAILURE)
Main PID: 2925598 (code=exited, status=1/FAILURE)

Sep 10 06:56:32 hilimsdevdb01 systemd[1]: Started pbm-agent.
Sep 10 06:57:02 hilimsdevdb01 pbm-agent[2925598]: 2024/09/10 06:57:02 Exit: connect to PBM: create mongo connection: ping: server selection error: server selection timeout, current topology: { Type: Unknown, Servers: [{ Addr: domainname.com:27017, Type: Unknown, Last error: error parsing stapled response: bad OCSP signature: crypto/rsa: verification error }, ] }
Sep 10 06:57:02 hilimsdevdb01 systemd[1]: pbm-agent.service: Main process exited, code=exited, status=1/FAILURE
Sep 10 06:57:02 hilimsdevdb01 systemd[1]: pbm-agent.service: Failed with result 'exit-code'.

I’m curious that you are using the same pem file for both the server and the client. Can you try removing the tlsCertificateKeyFile parameter from the connection string?

And could you, please, check the output of

openssl x509 -in /imsdevdata/certificates/mongod.pem -text -noout | grep -A2 'Authority Information Access'

You should see something like

            Authority Information Access: 
                OCSP - URI:http://o.pki.goog/wr2
                CA Issuers - URI:http://i.pki.goog/wr2.crt

You can check the accessibility of the OCSP URI from the host where PBM is installed.
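The checks suggested above (reading the AIA extension, reaching the responder, and looking at what the server actually staples) collected into a small script. This is an added example, not part of the thread; it assumes openssl 1.1.1 or newer on the PBM host, and every host name, port and file path is a placeholder to be replaced with your own.

```shell
# Added diagnostic, not from the thread: runs the openssl checks suggested
# above from the host where pbm-agent is installed. Assumes openssl 1.1.1+
# on PATH; host names, ports and file paths passed in are placeholders.

# OCSP responder URI(s) from the Authority Information Access extension
# of the server (leaf) certificate.
ocsp_uri_from_pem() {
    openssl x509 -in "$1" -noout -ocsp_uri
}

# Serial and issuer of the leaf; a stapled response must cover exactly this
# certificate (same issuer and serial) for the client to accept it.
cert_identity() {
    openssl x509 -in "$1" -noout -serial -issuer
}

# Ask the responder directly and verify its signature against the issuer
# certificate (the first certificate in $2). A good answer here next to a
# bad staple from mongod points at the response mongod caches and staples,
# not at the CA or the responder itself.
query_responder() {
    leaf=$1; issuer=$2
    uri=$(ocsp_uri_from_pem "$leaf" | head -n 1)
    [ -n "$uri" ] || { echo "no OCSP URI in $leaf" >&2; return 1; }
    openssl ocsp -issuer "$issuer" -cert "$leaf" -url "$uri" -resp_text
}

# Handshake as a TLS client that requests an OCSP staple, as the Go driver
# does, and print the staple's status lines plus OpenSSL's verdict on it.
check_stapled_response() {
    host=$1; port=${2:-27017}; ca=$3
    openssl s_client -connect "$host:$port" -servername "$host" \
        -CAfile "$ca" -status </dev/null 2>/dev/null \
        | grep -E 'OCSP [Rr]esponse|Cert Status|Responder Id|Verify return code'
}
```

Run `check_stapled_response domainname.com 27017 /imsdevdata/certificates/domainname.ca.pem` on the PBM host; "no response sent" means mongod is not stapling at all, while a response whose Cert Status or signature OpenSSL rejects is the same thing the Go driver refuses.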

Yes, you are correct, I'm using the same mongod.pem file for both Server and Client. Our customer provided us with only one CA signed SSL certificate to use for both Client and Server.

I tried to connect to mongodb after removing the tlsCertificateKeyFile parameter and am still getting the same error.

You can try disabling OCSP stapling by disabling OCSP on the mongodb side - add

setParameter:
  ocspEnabled: false

to your mongod.conf and restart mongodb.

Yes, pbm is able to connect to mongodb when I disable ocsp stapling on Mongodb side.
I just don’t understand why pbm is unable to connect to mongodb and failing with ocsp validation but our nodejs application is able to connect to mongodb with same connection string.

What am I missing here? Is it an issue with pbm or the go driver? I really don't get it.

I think that ocsp is not fully implemented for nodejs driver but it works for go-driver. In your case you might have some issues with connection to ocsp responder.

We also checked this issue with the SSL provider; they said there is no issue with the certificate and OCSP verification. Mind if I ask whether the go driver uses openssl to verify the certificate or some other method? I'm asking because with openssl I was able to verify the stapling of the certificate from the same server where pbm is installed.

One small question: could you, please, provide us with your Operating System version and Mongodb version?

We are currently using Oracle Linux 8.

Mongodb version 6.0.15

Pbm-agent version 2.5.0