
I have an AWS DocumentDB set up that I can connect to just fine through my jump box using:

mongo --ssl --host aws-host:27017 --sslCAFile rds-combined-ca-bundle.pem --username my_user --password <insertYourPassword>

I'd like to be able to connect to it through localhost for some testing. I cannot connect directly so I attempted to open a tunnel from my jump:

ssh -i ~/.ssh/my-key user@my_jump -L 27017:aws-host:27017 -N

After that I tried the basic MongoDB connect command:

mongo --ssl --host localhost:27017 --sslCAFile rds-combined-ca-bundle.pem --username my_user --password <insertYourPassword>

I get an error I understand:

The server certificate does not match the host name. Hostname: localhost does not match SAN(s)

I tried using export http_proxy to use http://my_jump:27017 and using the command above again with no luck.

Any suggestions or help on how to connect?

el n00b

1 Answer


Try to disable ssl hostname validation:

mongo --ssl --sslAllowInvalidHostnames ...

Note --sslAllowInvalidHostnames is available from version 3.0.

If this does not work, try to remove --ssl entirely from the connection options, as, according to the documentation:

The mongo shell verifies that the hostname (specified in --host option or the connection string) matches the SAN (or, if SAN is not present, the CN) in the certificate presented by the mongod or mongos. If SAN is present, mongo does not match against the CN. If the hostname does not match the SAN (or CN), the mongo shell will fail to connect.

Jannes Botis
  • Yes! The key here is **version 3.0** as well. I had to upgrade the client to actually get it to work. – el n00b Mar 21 '19 at 14:51
  • I can connect on jump_server but cannot connect from my machine? How to connect from outside? – Thanh Nguyen Van Aug 21 '19 at 13:16
  • Please be aware that the official documentation warns to avoid this flag: https://docs.mongodb.com/manual/tutorial/configure-ssl-clients/#avoid-use-of-tlsallowinvalidcertificates-option – Dennis van de Hoef - Xiotin Mar 25 '21 at 07:23
  • Is there any way I can connect to the documentdb behind proxy server without `sslAllowInvalidHostnames`? Even the aws document tells me to use it! – Gompro Feb 20 '22 at 10:30
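Added example, not part of the question or the answer above: the error "Hostname: localhost does not match SAN(s)" is the client doing exactly what it should, comparing the name it was asked to connect to against the certificate's subjectAltName entries. Passing --sslAllowInvalidHostnames makes the connection "verify" no matter which host the tunnel actually lands on, so the check below reproduces the shell's decision for the name as typed versus the real server name, and then shows the way to keep verification in a client that supports it: dial the tunnel endpoint (127.0.0.1) but verify the certificate against the expected hostname. The SAN values, host names, tunnel port and CA file path are constructed placeholders, not AWS's real certificate data.

```python
"""Hostname-vs-SAN check behind an SSH tunnel (added example, not from the post).

The SAN values and host names below are constructed for the example; they are
not the contents of a real DocumentDB certificate.
"""
import socket
import ssl

# Constructed stand-in for the DNS SANs of a server certificate.
CONSTRUCTED_SANS = [
    "db-cluster.example-docdb.internal",
    "*.example-docdb.internal",
]


def _wildcard_ok(san_labels):
    """Accept a wildcard only as the whole leftmost label of a name with
    at least three labels (RFC 6125 style); reject 'f*o' and '*.internal'."""
    first, rest = san_labels[0], san_labels[1:]
    if any("*" in lbl for lbl in rest):
        return False
    if "*" in first and first != "*":
        return False
    if first == "*" and len(san_labels) < 3:
        return False
    return True


def hostname_matches_san(hostname, dns_sans):
    """True if hostname equals a DNS SAN, or matches a single-label wildcard SAN.
    Comparison is case-insensitive and label-by-label, as a TLS client does it."""
    host = hostname.rstrip(".").lower().split(".")
    for san in dns_sans:
        labels = san.rstrip(".").lower().split(".")
        if len(labels) != len(host) or not _wildcard_ok(labels):
            continue
        if all(p == "*" or p == h for p, h in zip(labels, host)):
            return True
    return False


def diagnose_tunnel(dialed_host, expected_host, dns_sans):
    """Reproduce the shell's decision for the name as typed (the tunnel end,
    'localhost') versus the name the server is really expected to have."""
    return {
        "dialed_name_matches": hostname_matches_san(dialed_host, dns_sans),
        "expected_name_matches": hostname_matches_san(expected_host, dns_sans),
    }


def tls_connect_through_tunnel(tunnel_host, tunnel_port, expected_hostname, ca_file):
    """Dial the local 'ssh -L' endpoint but verify the certificate against the
    real server name. Needs the live tunnel, so it is not exercised by the test.
    ca_file would be rds-combined-ca-bundle.pem in the question's setup."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    raw = socket.create_connection((tunnel_host, tunnel_port), timeout=10)
    # server_hostname sets SNI and is the name the SAN is checked against,
    # independently of the address in the socket (127.0.0.1, the tunnel end).
    return ctx.wrap_socket(raw, server_hostname=expected_hostname)


if __name__ == "__main__":
    # Shows the tunnel failure: 'localhost' never matches, the real name does.
    print(diagnose_tunnel("localhost", "db-cluster.example-docdb.internal", CONSTRUCTED_SANS))
    # Live use (placeholders): tls_connect_through_tunnel("127.0.0.1", 27017,
    #     "db-cluster.example-docdb.internal", "rds-combined-ca-bundle.pem")
```

The mongo shell has no equivalent of the server_hostname override, but the same effect is available without disabling checks: map the DocumentDB hostname to 127.0.0.1 in /etc/hosts on the workstation while the ssh -L listener is bound to 127.0.0.1:27017, then keep --host aws-host:27017 in the mongo command so the name the shell verifies is the one in the certificate. To confirm what the tunnel is actually presenting before touching client flags, openssl s_client -connect localhost:27017 -servername aws-host -verify_hostname aws-host -CAfile rds-combined-ca-bundle.pem (OpenSSL 1.1.0 or later) reports the chain and whether the expected name verifies.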