
I am trying to connect to our AWS DocumentDB, but it fails with the following error:

2019-12-04T17:46:52.551-0800 W  CONTROL  [main] Option: ssl is deprecated. Please use tls instead.
2019-12-04T17:46:52.551-0800 W  CONTROL  [main] Option: sslCAFile is deprecated. Please use tlsCAFile instead.
2019-12-04T17:46:52.551-0800 W  CONTROL  [main] Option: sslAllowInvalidHostnames is deprecated. Please use tlsAllowInvalidHostnames instead.
MongoDB shell version v4.2.1
connecting to: mongodb://insights-db-2019-08-12-18-32-13.cih94xwdmniv.us-west-2.docdb.amazonaws.com:27017/?compressors=disabled&gssapiServiceName=mongodb
2019-12-04T17:46:52.684-0800 E  NETWORK  [js] SSL peer certificate validation failed: Certificate trust failure: CSSMERR_CSP_UNSUPPORTED_KEY_SIZE; connection rejected
2019-12-04T17:46:52.685-0800 E  QUERY    [js] Error: couldn't connect to server insights-db-2019-08-12-18-32-13.cih94xwdmniv.us-west-2.docdb.amazonaws.com:27017, connection attempt failed: SSLHandshakeFailed: SSL peer certificate validation failed: Certificate trust failure: CSSMERR_CSP_UNSUPPORTED_KEY_SIZE; connection rejected :
connect@src/mongo/shell/mongo.js:341:17
@(connect):2:6
2019-12-04T17:46:52.687-0800 F  -        [main] exception: connect failed
2019-12-04T17:46:52.687-0800 E  -        [main] exiting with code 1

The command I use: mongo --ssl --host MY_DOCUMENT_DB_HOST_AND_PORT --sslCAFile MY_KEY_PATH --username MY_USERNAME --password MY_PASSWORD

A couple of troubleshooting steps I already tried:

  • Sent the exact same command and key to another Mac OS X machine on the same network --> worked fine
  • Uninstalled and reinstalled my mongo app mongodb-community@4.2
Stennie

2 Answers


Try adding the rds-combined-ca-bundle.pem certificate to your Mac. I had a very similar error when trying to connect to DocumentDB using localhost through a forwarded port; the command I ran is

sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain rds-combined-ca-bundle.pem

I got this command from this answer.

omaraguirre

For those hitting this issue post 2020, see the last reply in this thread: https://forums.aws.amazon.com/message.jspa?messageID=936916

Mac OS X Catalina has updated the requirements for trusted certificates. Trusted certificates must now be valid for 825 days or fewer (see https://support.apple.com/en-us/HT210176). Amazon DocumentDB instance certificates are valid for over four years, longer than the Mac OS X maximum. In order to connect directly to an Amazon DocumentDB cluster from a computer running Mac OS X Catalina, you must allow invalid certificates when creating the TLS connection. In this case, invalid certificates mean that the validity period is longer than 825 days. You should understand the risks before allowing invalid certificates when connecting to your Amazon DocumentDB cluster.

To connect to an Amazon DocumentDB cluster from OS X Catalina using the AWS CLI, use the tlsAllowInvalidCertificates parameter.

mongo --tls --host <hostname> --username <username> --password <password> --port 27017 --tlsAllowInvalidCertificates

Basically, just ignore invalid certificates.

Donovan Muller
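An added diagnostic, not part of either answer above and not Amazon's or MongoDB's code: before switching off certificate validation with --tlsAllowInvalidCertificates (which also disables protection against a spoofed server), it is worth confirming that the 825-day rule quoted from the Apple note is actually the cause. The script below walks the DER structure of a certificate (Certificate -> tbsCertificate -> validity), computes the validity period, and compares it with the 825-day figure from the quoted text. The minimal DER encoder/decoder and the skeletal, unsigned sample certificate it builds are constructed here purely to make the example run offline; point it at a real PEM file (for example the server certificate saved from `openssl s_client -showcerts -connect <host>:27017`, or the first certificate of rds-combined-ca-bundle.pem) to check a real one. The 825-day limit applies to the server (leaf) certificate, so that is the one to inspect.

```python
"""Check whether an X.509 certificate's validity period exceeds Apple's 825-day limit."""
import base64
import datetime
import re

# Limit for TLS server certificates on macOS Catalina, as quoted from Apple's HT210176 above.
APPLE_MAX_VALIDITY_DAYS = 825


def der_encode(tag: int, content: bytes) -> bytes:
    """Minimal DER TLV encoder (definite lengths); used only to build the constructed fixture."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + content


def der_read(buf: bytes, pos: int):
    """Decode one DER TLV starting at buf[pos]; return (tag, value_start, value_end)."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first & 0x80:                      # long-form length: first byte gives the byte count
        count = first & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    else:
        length = first
    return tag, pos, pos + length


def der_time(tag: int, raw: bytes) -> datetime.datetime:
    """Decode UTCTime (0x17, YYMMDDHHMMSSZ) or GeneralizedTime (0x18, YYYYMMDDHHMMSSZ)."""
    text = raw.decode("ascii")
    if tag == 0x17:
        yy = int(text[:2])
        year = 1900 + yy if yy >= 50 else 2000 + yy   # RFC 5280 two-digit year rule
        text = f"{year}{text[2:]}"
    elif tag != 0x18:
        raise ValueError(f"unexpected time tag 0x{tag:02x}")
    return datetime.datetime.strptime(text, "%Y%m%d%H%M%SZ")


def certificate_validity(der: bytes):
    """Walk Certificate -> tbsCertificate -> validity and return (notBefore, notAfter)."""
    tag, pos, _ = der_read(der, 0)            # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("input is not a DER SEQUENCE")
    tag, pos, _ = der_read(der, pos)          # tbsCertificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, _, end = der_read(der, pos)
    if tag == 0xA0:                           # optional explicit [0] version
        pos = end
    for _ in range(3):                        # serialNumber, signature, issuer
        _, _, pos = der_read(der, pos)
    tag, pos, _ = der_read(der, pos)          # validity ::= SEQUENCE { notBefore, notAfter }
    if tag != 0x30:
        raise ValueError("validity is not a SEQUENCE")
    tag, start, end = der_read(der, pos)
    not_before = der_time(tag, der[start:end])
    tag, start, end = der_read(der, end)
    not_after = der_time(tag, der[start:end])
    return not_before, not_after


def validity_days(der: bytes) -> int:
    not_before, not_after = certificate_validity(der)
    return (not_after - not_before).days


def exceeds_apple_limit(der: bytes) -> bool:
    return validity_days(der) > APPLE_MAX_VALIDITY_DAYS


def pem_to_der(pem: str) -> bytes:
    """Decode the first CERTIFICATE block of a PEM file (a bundle may hold several)."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def der_to_pem(der: bytes) -> str:
    body = base64.b64encode(der).decode("ascii")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def build_sample_certificate(not_before: str, not_after: str) -> bytes:
    """CONSTRUCTED fixture: a skeletal, unsigned tbsCertificate containing only the fields that
    precede validity. It is not a usable certificate; it only exercises the DER layout above."""
    sig_alg = der_encode(0x30, der_encode(0x06, bytes.fromhex("2a864886f70d01010b")) + der_encode(0x05, b""))
    tbs = (
        der_encode(0xA0, der_encode(0x02, b"\x02"))   # [0] version = v3
        + der_encode(0x02, b"\x01")                   # serialNumber
        + sig_alg                                     # signature AlgorithmIdentifier
        + der_encode(0x30, b"")                       # issuer (empty Name)
        + der_encode(0x30, der_encode(0x17, not_before.encode()) + der_encode(0x17, not_after.encode()))
    )
    return der_encode(0x30, der_encode(0x30, tbs))


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
        der = pem_to_der(data.decode("ascii")) if data.startswith(b"-----") else data
    else:
        der = build_sample_certificate("190101000000Z", "230101000000Z")  # constructed 4-year cert
    nb, na = certificate_validity(der)
    days = (na - nb).days
    verdict = "exceeds" if days > APPLE_MAX_VALIDITY_DAYS else "within"
    print(f"notBefore={nb:%Y-%m-%d} notAfter={na:%Y-%m-%d} validity={days} days ({verdict} {APPLE_MAX_VALIDITY_DAYS}-day limit)")
```

If the period really is over 825 days, the narrower options are the ones already on this page: trust the CA bundle explicitly in the System keychain (first answer) or connect from a host that does not enforce the Apple rule, rather than disabling validation for every connection. `openssl x509 -in cert.pem -noout -dates` prints the same two timestamps if you only need a quick look.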