5

I have 2 environments in AWS Elastic Beanstalk (EB) running a Node.js application connecting to DocumentDB utilizing the Mongoose framework. One of the environments inexplicably stopped working while the other is working fine. Both are deployed from a CI/CD build server that utilizes the EB CLI to deploy the application code.

The problematic environment generates the following error in the nodejs.log:

  name: 'MongooseTimeoutError',
  reason:
   { Error: unable to get local issuer certificate
       at TLSSocket.onConnectSecure (_tls_wrap.js:1058:34)
       at TLSSocket.emit (events.js:198:13)
       at TLSSocket._finishInit (_tls_wrap.js:636:8)
     name: 'MongoNetworkError',
     [Symbol(mongoErrorContextSymbol)]: {} },
  [Symbol(mongoErrorContextSymbol)]: {} }

Both use the same connection string as they connect to the same instance: mongodb://*****:*****@docdb-2019-08-**-**-**-**.cluster-**********.us-east-2.docdb.amazonaws.com:27017/db_name?ssl=true&ssl_ca_certs=/etc/ssl/certs/rds-combined-ca-bundle.pem&replicaSet=rs0

The certificate pem file is the same file used for both and is deployed to the instance via EB .ebextensions scripts.

Things that I have tried:

  • Connected to the troubled environment's EC2 instance, installed the mongodb shell and was able to successfully connect to the DocumentDB instance using the cert specified in the Mongo connect string.
  • Rebuilt the EB environment via the Elastic Beanstalk web management console.

Kind of stuck and out of ideas at the moment.

Stennie
steve dunning

2 Answers

4

Amazon's official DocumentDB documentation has sample code that works and doesn't trigger this error.

https://docs.aws.amazon.com/documentdb/latest/developerguide/connect_programmatically.html

This is the Node.js sample with some adaptations for the sake of clarity:

const { MongoClient } = require('mongodb');
const fs = require('fs');

// Load the CA bundle from disk and hand it to the driver as an option
const caContent = [fs.readFileSync("/path/to/rds-combined-ca-bundle.pem")];
const options = {
  sslValidate: true, // verify the server certificate against sslCA
  sslCA: caContent,
  useNewUrlParser: true
};
const connUri = 'mongodb://user:pass@sample-cluster.node.us-east-1.docdb.amazonaws.com:27017/sample-database?ssl=true&replicaSet=rs0&readPreference=secondaryPreferred';

// await is only valid inside an async function
async function main() {
  const client = new MongoClient(connUri, options);
  await client.connect();
  return client;
}

main().catch(console.error);
2

Had the same issue.. not sure if this breaks with the change in cert to 2019 .. anyway I had to get around this with a code change (added the sslCA parameter to the Mongoose connect method below) and removal of the ssl cert location from the connection string.

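import * as fs from "fs";
import { connect } from "mongoose";

// CA bundle is passed as an option; the callback body was not shown in the original post
connect(uri, { useNewUrlParser: true, useFindAndModify: false,
        sslCA: [fs.readFileSync("rds-combined-ca-bundle.pem")] }, (err: any) => { if (err) console.error(err); });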
user2475448
  • 1
    yep.. that's one way to do it ;) .. anyway I am the same user from the AWS forum response. Figured I will post it here as well. – user2475448 Jan 07 '20 at 23:30
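
The change both answers describe (drop the CA file path from the connection string and pass the bundle through the `sslCA` option) can be done in one place, as an added example that is not part of either answer or of the AWS sample. The helper names `moveCaToOptions` and `splitPemBundle`, the `tlsCAFile` key and the placeholder host are assumptions made for illustration; it also refuses to continue when the bundle file contains no PEM certificate.

```javascript
// Added example: moves the CA bundle path out of the URI and into driver options.
const fs = require('fs');

// 'ssl_ca_certs' is the key used in the question's connection string;
// 'tlsCAFile' is included as an assumption for URIs written in the newer style.
const CA_PATH_KEYS = ['ssl_ca_certs', 'tlsCAFile'];

// Return each PEM certificate block found in a combined bundle.
function splitPemBundle(pemText) {
  const re = /-----BEGIN CERTIFICATE-----[\s\S]+?-----END CERTIFICATE-----/g;
  return pemText.match(re) || [];
}

// readFile is injectable so the function can be exercised without touching disk.
function moveCaToOptions(uri, readFile = (p) => fs.readFileSync(p, 'utf8')) {
  const q = uri.indexOf('?');
  const base = q === -1 ? uri : uri.slice(0, q);
  const query = q === -1 ? '' : uri.slice(q + 1);
  let caPath = null;
  const kept = query.split('&').filter((pair) => {
    if (!pair) return false;
    const eq = pair.indexOf('=');
    const key = eq === -1 ? pair : pair.slice(0, eq);
    if (!CA_PATH_KEYS.includes(key)) return true;
    caPath = decodeURIComponent(eq === -1 ? '' : pair.slice(eq + 1));
    return false;
  });
  const options = { useNewUrlParser: true, sslValidate: true };
  if (caPath !== null) {
    const certs = splitPemBundle(readFile(caPath));
    // Fail before connecting if the bundle is empty or is not PEM.
    if (certs.length === 0) throw new Error(`no PEM certificates in ${caPath}`);
    options.sslCA = certs;
  }
  const cleanUri = kept.length ? `${base}?${kept.join('&')}` : base;
  return { uri: cleanUri, options, caPath };
}

// Constructed sample input: placeholder host and fake certificate bodies.
const SAMPLE_URI = 'mongodb://user:pass@docdb.example.invalid:27017/db_name' +
  '?ssl=true&ssl_ca_certs=/etc/ssl/certs/rds-combined-ca-bundle.pem&replicaSet=rs0';
const SAMPLE_BUNDLE = ['AAAA', 'BBBB'].map((body) =>
  `-----BEGIN CERTIFICATE-----\n${body}\n-----END CERTIFICATE-----`).join('\n');

function demo() {
  return moveCaToOptions(SAMPLE_URI, () => SAMPLE_BUNDLE);
}
console.log(demo().uri, demo().options.sslCA.length);
```

The returned `uri` and `options` are what would be handed to `MongoClient` or to Mongoose's `connect`, in the same way as in the answers above.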