3

I want to connect my meteor app to mongodb cloud in scalegrid.

MONGO_URL=mongodb://admin:PASSWORD@SG-Brain-77777.servers.mongodirector.com:27017/admin?ssl=true meteor run

but got an error like this:

W20200510-10:53:22.340(7)? (STDERR) MongoNetworkError: failed to connect to server [sg-brain-77777.servers.mongodirector.com:27017] on first connect [Error: self signed certificate
W20200510-10:53:22.340(7)? (STDERR)     at TLSSocket.onConnectSecure (_tls_wrap.js:1473:34)
W20200510-10:53:22.340(7)? (STDERR)     at TLSSocket.emit (events.js:311:20)
W20200510-10:53:22.340(7)? (STDERR)     at TLSSocket.EventEmitter.emit (domain.js:482:12)
W20200510-10:53:22.340(7)? (STDERR)     at TLSSocket._finishInit (_tls_wrap.js:916:8)
W20200510-10:53:22.340(7)? (STDERR)     at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:686:12) {
W20200510-10:53:22.340(7)? (STDERR)   name: 'MongoNetworkError',
W20200510-10:53:22.341(7)? (STDERR)   [Symbol(mongoErrorContextSymbol)]: {}
W20200510-10:53:22.341(7)? (STDERR) }]

The error happens after I add import '../imports/api/posts'; in main.js

---- EDITED from meteor forum

I have a MongoDB database cluster in ScaleGrid, but I can't connect to it with just this:

MONGO_URL=mongodb://admin:password@SG-Brain-77777.servers.mongodirector.com:27017/admin?ssl=true meteor run

I tried to use a simple mongo connection in the terminal

mongo mongodb://admin:password@SG-Brain-77777.servers.mongodirector.com:27017/admin?ssl=true

and still can't connect, with the same error: SSL peer certificate validation failed: self signed certificate

and I tried to make it like this :

mongo mongodb://admin:password@SG-Brain-77777.servers.mongodirector.com:27017/admin?ssl=true --ssl --sslCAFile ./.crt

and it works!!!

The problem now is that I can't add --ssl --sslCAFile ./.crt in MONGO_URL like this, because it causes an error:

MONGO_URL=mongodb://admin:password@SG-Brain-77777.servers.mongodirector.com:27017/admin?ssl=true --ssl --sslCAFile ./.crt meteor run

How do I add an SSL cert to the Mongo URL?


New update, I tried:

MONGO_URL=mongodb://admin:password@SG-Brain-77777.servers.mongodirector.com:27017/admin?ssl=true,ssl_ca_certs=./.crt meteor run

and got this error:

MongoNetworkError: failed to connect to server [sg-brain-77777.servers.mongodirector.com:27017] on first connect [MongoNetworkError: connection 0 to sg-brain-77777.servers.mongodirector.com:27017 closed
yozawiratama

2 Answers

3

The Solution:

You need to specify the MongoDB SSL CA Certificate in Meteor settings.

Step by Step Guide:

  1. Login to Scalegrid and select the cluster for your Meteor app.

  2. Scroll to the bottom, and click Get SSL CA Cert

  3. Copy the text into a new file private/scalegrid-cert.pem

NOTE: it's safe to commit private/scalegrid-cert.pem to your repo because it contains a public key. Bear in mind some .pem files include private keys and should never be added to a repo.

  4. Add the following to your Meteor settings environment variable:
  "packages": {
    "mongo": {
      "options": {
        "tls": true,
        "tlsCAFileAsset": "scalegrid-cert.pem"
      }
    }
  }

NOTE: it's "tlsCAFileAsset": "scalegrid-cert.pem", not "tlsCAFileAsset": "private/scalegrid-cert.pem". See the docs for why.

Lucidity
  • Thanks! This worked for me to connect to IBM Cloud Mongo. – Mike Aug 11 '20 at 03:28
  • The packages section in the environment only works for Meteor 1.10+. If you're on an earlier version of Meteor (tested with 1.7), you can specify the cert in the URL string with '&sslCAFile=./private/scalegrid-cert.pem'. Upload the file in the same manner as described. – matadur Apr 30 '21 at 22:20
0

The correct way to specify TLS/SSL options in the connection URI string is different from how it is specified for the mongo shell.

You have two options if you want to specify this on the connection string itself.

  1. You can use the tlsCAFile option in the connection string. See - https://docs.mongodb.com/manual/reference/connection-string/#urioption.tlsCAFile This would help you specify the file path to the CA certificate file.

  2. The other option is to use the tlsAllowInvalidCertificates. See - https://docs.mongodb.com/manual/reference/connection-string/#urioption.tlsAllowInvalidHostnames If this is set to true, then you wouldn't need to specify the CA cert file at all.

Note that both these options are available only for MongoDB 4.2 and above. Also, read the documentation warning about tlsAllowInvalidCertificates.

Vaibhaw
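
The TLS options discussed in the question and answers above can be checked before a MONGO_URL is deployed. The following is an added example, not code from either answer or from Meteor: `auditMongoUrl` is a hypothetical helper, the host and credentials are constructed placeholders, and it handles single-host URIs like the ones on this page.

```javascript
// Added example: audits the TLS options of a single-host MongoDB URI.
// Option names are the URI options named on this page, plus tlsInsecure.
const DISABLES_VERIFICATION =
  ['tlsAllowInvalidCertificates', 'tlsAllowInvalidHostnames', 'tlsInsecure'];

function auditMongoUrl(mongoUrl) {
  let url;
  try {
    url = new URL(mongoUrl);
  } catch (err) {
    return ['not a parseable single-host URI'];
  }
  const findings = [];
  const opts = new Map(); // URI option names are case-insensitive
  for (const [key, value] of url.searchParams) {
    opts.set(key.toLowerCase(), value);
    // Options are joined with "&". With "," the second option is glued
    // onto the first option's value and is never seen as an option.
    if (/,\w+=/.test(value)) {
      findings.push(`"${key}" has another option inside its value; use "&"`);
    }
  }
  // mongodb+srv:// turns TLS on by default; mongodb:// does not.
  const tlsOn = url.protocol === 'mongodb+srv:'
    ? opts.get('tls') !== 'false' && opts.get('ssl') !== 'false'
    : opts.get('tls') === 'true' || opts.get('ssl') === 'true';
  if (!tlsOn) findings.push('TLS is not enabled');
  for (const name of DISABLES_VERIFICATION) {
    if (opts.get(name.toLowerCase()) === 'true') {
      findings.push(`${name}=true turns off certificate verification`);
    }
  }
  if (tlsOn && !opts.has('tlscafile')) {
    findings.push('no tlsCAFile: CA must come from driver options or the system store');
  }
  return findings;
}

// Constructed sample URIs (placeholder host and credentials).
const BASE = 'mongodb://admin:PASSWORD@db.example.net:27017/admin';
const SAMPLES = {
  pinnedCa: `${BASE}?tls=true&tlsCAFile=./private/scalegrid-cert.pem`,
  commaJoined: `${BASE}?ssl=true,ssl_ca_certs=./.crt`,
  noVerify: `${BASE}?tls=true&tlsAllowInvalidCertificates=true`,
};
for (const [name, uri] of Object.entries(SAMPLES)) {
  console.log(name, auditMongoUrl(uri));
}
```

An empty result means TLS is on with a CA file named in the URI and no verification override. The "no tlsCAFile" finding is expected when the CA is supplied through Meteor settings instead.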