
When trying to connect to AWS DocumentDB using the mongocxx C++ driver, even after passing the AWS combined pem file as a URI parameter (CA file), I get the TLS handshake failed error below.

No suitable servers found (`serverSelectionTryOnce` set): [TLS handshake failed: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed calling ismaster on 'docdb-xxxxxxxx.ap-southeast-1.docdb.amazonaws.com:27017']: generic server error 

I have masked out the full hostname of the documentdb instance. I am using the connection URI method mentioned in http://mongocxx.org/mongocxx-v3/configuration/

// 2) Using the URI
auto client2 = mongocxx::client{uri{"mongodb://host1/?tls=true&tlsAllowInvalidCertificates=true&tlsCAFile=/path/to/custom/cert.pem"}};

I am using mongocxx 3.4.2 and libmongoc 1.16.2

I have tried this connection with the Node.js driver and it is able to connect. Any ideas what could be wrong?

  • You are not passing options correctly or you are using an old version of the driver that does not recognize the options. – D. SM Aug 06 '20 at 13:03
  • @D.SM I have added the versions I am using, and as mentioned I have followed the example on the mongocxx site; are you saying that there are older versions of the driver that do not support TLS? – Jonathan Declan Tan Aug 06 '20 at 17:19
  • The slashes in the path must be escaped. – D. SM Aug 06 '20 at 19:59
  • What does " generic server error" mean there? Is the error being produced by the server? – D. SM Aug 06 '20 at 20:02
  • The tls* options are a relatively recent addition. – D. SM Aug 06 '20 at 20:03
  • Couple of questions - are you connecting from a client machine inside the VPC? What TLS cert are you using when authenticating? – meet-bhagdev Aug 11 '20 at 23:14

1 Answer


I was trying to connect to my DocumentDB cluster on AWS via an external app like TablePlus and I had the same error:

No suitable servers found 
(`serverSelectionTryOnce` set): [Failed to resolve 'docdb-1984-08-10-12-14-15.cluster-boogeyman.xy-central-99.docdb.amazonaws.com']

What I tried next is to:

  1. opened all sorts of incoming traffic in the security group assigned to my cluster
  2. made sure that "Encryption-at-rest" (in Advanced Settings) was disabled while creating the cluster

I still got this error. What I discovered next is that:

Trying to connect to an Amazon DocumentDB cluster directly from a public endpoint, such as your laptop or local development machine, will fail. Amazon DocumentDB is virtual private cloud (VPC)-only and does not currently support public endpoints. Thus, you can't connect directly to your Amazon DocumentDB cluster from your laptop or local development environment outside of your VPC.

Please read the AWS connection troubleshooting section. To connect to an Amazon DocumentDB cluster from outside an Amazon VPC, you can use an SSH tunnel.

TruthTeller
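Added example (not from the question, the answer, or the mongocxx project): a small C++ helper that assembles a DocumentDB connection string for mongocxx the way the question attempts, plus the tunnel case from the answer. It keeps the CA-file option the question uses, adds the other options AWS documents for DocumentDB clusters (replicaSet=rs0, readPreference=secondaryPreferred, retryWrites=false), percent-encodes credentials so a ':' or '@' in a password cannot be parsed as URI structure, checks that the CA file is actually a readable PEM bundle before the driver ever sees it, and relaxes only the hostname check (tlsAllowInvalidHostnames) when the host is the local end of an SSH tunnel, since the cluster certificate cannot match localhost. It never emits tlsAllowInvalidCertificates=true: that option, copied from the driver documentation example, disables chain verification entirely and is not a fix for "certificate verify failed". The masked endpoint is the one from the question; the username, password and CA-bundle path are assumptions. The mongocxx calls are compiled only when the driver headers are installed (C++17 __has_include), so the URI helpers can be built and checked without it.

```cpp
#include <cctype>
#include <cstdio>
#include <fstream>
#include <stdexcept>
#include <string>
#include <utility>
#include <vector>

// Driver code is compiled only when mongocxx is installed; the URI helpers build without it.
#if __has_include(<mongocxx/client.hpp>)
#include <bsoncxx/builder/basic/document.hpp>
#include <mongocxx/client.hpp>
#include <mongocxx/instance.hpp>
#include <mongocxx/uri.hpp>
#define HAVE_MONGOCXX 1
#endif

// Percent-encode every byte outside the RFC 3986 "unreserved" set, except bytes in `keep`.
// Credentials get no exceptions (':' '@' '/' in a password would be read as URI structure).
// Option values keep '/', because the mongocxx docs pass the tlsCAFile path unescaped.
std::string pct_encode(const std::string& s, const std::string& keep = "") {
    static const char* hex = "0123456789ABCDEF";
    std::string out;
    for (unsigned char c : s) {
        bool unreserved = std::isalnum(c) || c == '-' || c == '.' || c == '_' || c == '~';
        if (unreserved || keep.find(static_cast<char>(c)) != std::string::npos) {
            out += static_cast<char>(c);
        } else {
            out += '%';
            out += hex[c >> 4];
            out += hex[c & 0x0F];
        }
    }
    return out;
}

struct DocDbTarget {
    std::string host;             // cluster endpoint, or "localhost" behind an SSH tunnel
    unsigned port = 27017;
    std::string user;
    std::string password;
    std::string ca_file;          // AWS RDS CA bundle (rds-combined-ca-bundle.pem), assumed path
    bool via_ssh_tunnel = false;  // true only when `host` is the local end of a tunnel
};

// Pre-flight check: an unreadable or non-PEM CA file otherwise surfaces later as a
// confusing "certificate verify failed" from the TLS handshake.
bool ca_file_looks_like_pem(const std::string& path) {
    std::ifstream in(path);
    if (!in) return false;
    std::string line;
    while (std::getline(in, line)) {
        if (line.rfind("-----BEGIN CERTIFICATE-----", 0) == 0) return true;
    }
    return false;
}

// Assemble the connection string with the options AWS documents for DocumentDB.
// Deliberately no way to emit tlsAllowInvalidCertificates=true (disables chain verification).
std::string build_uri(const DocDbTarget& t) {
    if (t.host.empty() || t.ca_file.empty()) {
        throw std::invalid_argument("host and ca_file are required");
    }
    std::vector<std::pair<std::string, std::string>> opts = {
        {"tls", "true"},
        {"tlsCAFile", t.ca_file},
        {"replicaSet", "rs0"},
        {"readPreference", "secondaryPreferred"},
        {"retryWrites", "false"},
    };
    // Through a tunnel the socket says "localhost" but the certificate names the cluster
    // endpoint: relax only the hostname match; the chain is still verified against the CA.
    if (t.via_ssh_tunnel) opts.emplace_back("tlsAllowInvalidHostnames", "true");

    std::string uri = "mongodb://";
    if (!t.user.empty()) uri += pct_encode(t.user) + ":" + pct_encode(t.password) + "@";
    uri += t.host + ":" + std::to_string(t.port) + "/?";
    for (size_t i = 0; i < opts.size(); ++i) {
        if (i) uri += "&";
        uri += opts[i].first + "=" + pct_encode(opts[i].second, "/");
    }
    return uri;
}

#ifdef HAVE_MONGOCXX
// Server selection, and the TLS handshake behind it, happens on this first command,
// so a bad CA file or a VPC-only endpoint reached from outside fails here.
bool ping_docdb(const std::string& uri_string) {
    static mongocxx::instance instance{};  // exactly one per process
    mongocxx::client client{mongocxx::uri{uri_string}};
    using bsoncxx::builder::basic::kvp;
    using bsoncxx::builder::basic::make_document;
    client["admin"].run_command(make_document(kvp("ping", 1)));
    return true;  // run_command throws mongocxx::operation_exception on failure
}
#endif

int main() {
    DocDbTarget t;
    t.host = "docdb-xxxxxxxx.ap-southeast-1.docdb.amazonaws.com";  // masked endpoint from the question
    t.user = "docdbadmin";                                          // assumed credentials
    t.password = "p@ss:w/rd";
    t.ca_file = "/etc/ssl/rds-combined-ca-bundle.pem";              // assumed location
    if (!ca_file_looks_like_pem(t.ca_file)) {
        std::fprintf(stderr, "CA bundle %s is missing or not PEM\n", t.ca_file.c_str());
        return 1;
    }
    std::string uri = build_uri(t);
    std::printf("%s\n", uri.c_str());
#ifdef HAVE_MONGOCXX
    std::printf("ping: %s\n", ping_docdb(uri) ? "ok" : "failed");
#endif
    return 0;
}
```

For the tunnel case from the answer, set `host` to "localhost" (the local end of the SSH port forward into the VPC) and `via_ssh_tunnel` to true; everything else, including the CA bundle, stays the same. If the URI parses but the handshake still fails against the cluster endpoint, check the CA file first; unrecognised option names are a driver-version problem, a verify failure with a recognised tlsCAFile is a trust-store problem.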