SSLHandshakeFailed: SSL peer certificate validation failed: self-signed certificate in certificate chain

Hi there!

I’m working with an image of MongoDB 7.0 in Docker and I wanted to add a pbm-agent to my sharded replica set cluster.

To do that I put a role and user with broad access on every primary mongod node and on the Config replica set.

However, when I add a Docker container with pbm on the primary node of rs0, it gives an “SSLHandshakeFailed” error when connecting to my cluster.

I use TLS for my cluster and I don’t want to remove it.

What can I do? It’s my first time with Percona and I don’t know if I missed something important.

I would like to connect my pbm with TLS, or accept that it is a self-signed certificate.

Docker command used:

docker run --name pbm-agent-rs0 --net host --mount type=bind,src=/***/***/***/****/CA.crt,dst=/home/CA.crt,readonly=true -it --rm -e PBM_MONGODB_URI="mongodb://user:password@host:port,host:port/?authSource=admin&replSetName=rs0&tls=true&tlsCAFile=/home/CA.crt&allowInvalidCertificates=true&allowInvalidHostnames=true" percona/percona-backup-mongodb:2

Log error in pbm-agent-rs0:

Log of destination server:

{"t":{"$date":"2025-07-04T08:35:39.361+00:00"},"s":"I",  "c":"NETWORK",  "id":22943,   "ctx":"listener","msg":"Connection accepted",
"attr":{"remote":"**,"uuid":{"uuid":{"$uuid":"*"}},"connectionId":468504,"connectionCount":76}}

{"t":{"$date":"2025-07-04T08:35:39.363+00:00"},"s":"I",  "c":"NETWORK",  "id":6723804, "ctx":"conn468504","msg":"Ingress TLS handshake complete","attr":{"durationMillis":2}}

{"t":{"$date":"2025-07-04T08:35:39.363+00:00"},"s":"W",  "c":"NETWORK",  "id":23234,   "ctx":"conn468504","msg":"No SSL certificate provided by peer"}

{"t":{"$date":"2025-07-04T08:35:39.363+00:00"},"s":"I",  "c":"NETWORK",  "id":22944,   "ctx":"conn468504","msg":"Connection ended"

Thank you

Hi, in the connection URI you are missing the client certificate that pbm will present to the server. Add the parameter: &tlsCertificateKeyFile=/path/to/client.pem
As an alternative, you can configure your mongod server with allowConnectionsWithoutCertificates: true
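A small check of the URI options discussed in the answer above, added here as an example; it is not from this thread and not part of Percona Backup for MongoDB. It parses the query part of PBM_MONGODB_URI without connecting and reports three things: whether a client certificate (tlsCertificateKeyFile) is referenced, whether a CA file (or an explicit tlsAllowInvalidCertificates=true) is present, and whether any option is spelled like a mongod.conf key rather than a connection-string option (replSetName instead of replicaSet, allowInvalidCertificates instead of tlsAllowInvalidCertificates), which the driver will not apply. The KNOWN_OPTIONS table is deliberately limited to the options relevant here, and the two sample URIs in the main block are the ones from the commands in this thread with their placeholder hosts and credentials.

```python
"""Sanity-check the TLS options in a PBM_MONGODB_URI before starting pbm-agent.

Added example for this thread; it is not part of Percona Backup for MongoDB.
It only inspects the connection string and never opens a connection.
"""
from urllib.parse import parse_qs

# Documented connection-string option names that matter for this thread
# (drivers match option names case-insensitively). Not an exhaustive list.
KNOWN_OPTIONS = {
    "authsource": "authSource",
    "replicaset": "replicaSet",
    "tls": "tls",
    "tlscafile": "tlsCAFile",
    "tlscertificatekeyfile": "tlsCertificateKeyFile",
    "tlscertificatekeyfilepassword": "tlsCertificateKeyFilePassword",
    "tlsallowinvalidcertificates": "tlsAllowInvalidCertificates",
    "tlsallowinvalidhostnames": "tlsAllowInvalidHostnames",
    "tlsinsecure": "tlsInsecure",
}

# Spellings that are mongod.conf keys or bare names, not connection-string
# options. A driver that does not recognise an option ignores or rejects it,
# so the setting the author intended never takes effect.
COMMON_MISTAKES = {
    "replsetname": "replicaSet",
    "allowinvalidcertificates": "tlsAllowInvalidCertificates",
    "allowinvalidhostnames": "tlsAllowInvalidHostnames",
}


def parse_options(uri: str) -> dict:
    """Return {lowercased option name: last value} from the query part of a mongodb:// URI."""
    query = uri.partition("?")[2]
    return {k.lower(): v[-1] for k, v in parse_qs(query, keep_blank_values=True).items()}


def truthy(opts: dict, name: str) -> bool:
    """Connection-string booleans are the literal strings true/false."""
    return opts.get(name, "false").lower() == "true"


def check_tls_options(uri: str) -> list:
    """Return findings (strings prefixed ERROR/WARN) for the TLS setup in `uri`.

    An empty list means the URI names a CA (or explicitly disables server
    certificate validation) and offers a client certificate, which is what a
    mongod configured to require client certificates expects.
    """
    opts = parse_options(uri)
    findings = []

    for name in opts:
        if name in COMMON_MISTAKES:
            findings.append(
                f"ERROR: '{name}' is not a connection-string option; "
                f"use '{COMMON_MISTAKES[name]}'"
            )
        elif name not in KNOWN_OPTIONS:
            findings.append(f"WARN: '{name}' is not in this checker's option list")

    if not truthy(opts, "tls"):
        findings.append("WARN: tls is not enabled; a TLS-only mongod will refuse the connection")
        return findings

    # Server certificate side: a private CA must be supplied, or validation
    # explicitly disabled, otherwise the client cannot build the chain.
    if "tlscafile" not in opts and not truthy(opts, "tlsallowinvalidcertificates"):
        findings.append(
            "ERROR: no tlsCAFile and server certificate validation is on; "
            "a certificate from a private CA cannot be verified"
        )

    # Client certificate side: this is the gap the mongod log shows as
    # "No SSL certificate provided by peer" followed by "Connection ended".
    if "tlscertificatekeyfile" not in opts:
        findings.append(
            "ERROR: no tlsCertificateKeyFile; a mongod that requires client "
            "certificates drops the connection right after the handshake"
        )
    return findings


if __name__ == "__main__":
    # Constructed from the two commands in the thread (hosts and credentials are placeholders).
    for uri in (
        "mongodb://user:password@host:port,host:port/?authSource=admin&replSetName=rs0"
        "&tls=true&tlsCAFile=/home/CA.crt&allowInvalidCertificates=true&allowInvalidHostnames=true",
        "mongodb://user:password@host:port,host:port/?authSource=admin&replicaSet=rs0"
        "&tls=true&allowInvalidCertificates=true&allowInvalidHostnames=true",
    ):
        print(uri.partition("?")[2])  # print only the options, never the credentials
        for finding in check_tls_options(uri) or ["OK"]:
            print("  ", finding)
```

Run it against the URI you are about to pass to the container; an empty result means the string at least names a CA and a client certificate, after which the remaining things to verify are that the mounted paths exist inside the container and that the client certificate was issued by a CA the mongod trusts.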

Thanks for the help!

I didn’t show that, but I have this option in my mongod.

[image]

but it doesn’t work…

and when I add the path of my “.pem”, it isn’t recognized and shows the same error.

Do you have any idea?

Docker command used:


docker run --name pbm-agent-rs0 --net host --mount type=bind,src=/path/CA.crt,dst=/path/CA.crt --mount type=bind,src=/path/certificate.pem,dst=/path/certificate.pem  -it --rm -e PBM_MONGODB_URI="mongodb://user:password@host:port,host:port/?authSource=admin&replicaSet=rs0&tls=true&allowInvalidCertificates=true&allowInvalidHostnames=true" percona/percona-backup-mongodb:2