Can't connect with Mongodb 3.0, 3.2 with ssl #1996

Closed
reinaldomendes opened this issue Oct 12, 2016 · 8 comments · Fixed by #8140
Labels: bug, secret/database

Comments
reinaldomendes commented Oct 12, 2016

Hi,

I'm trying this tutorial but I have some problems with ssl.

https://www.vaultproject.io/docs/secrets/mongodb/index.html

When I execute the command below, this error occurs.

vault write mongodb/config/connection uri="mongodb://root:MyPassword!@mongodb.docker:27017/admin?ssl=true&authSource=admin"

Error writing data to mongodb/config/connection: Error making API request.

URL: PUT https://vault.docker:8200/v1/mongodb/config/connection
Code: 400. Errors:

* Error validating connection info: no reachable servers

If I disable ssl it works.

vault write mongodb/config/connection uri="mongodb://root:MyPassword!@mongodb.docker:27017/admin?authSource=admin"

The following warnings were returned from the Vault server:
* Read access to this endpoint should be controlled via ACLs as it will return the connection URI as it is, including passwords, if any.

I've already configured the ca.pem key and certs for mongo.
I can connect to mongo with ruby and from the terminal.

In ruby I can connect with:

```ruby
# Ruby driver call from the report, with the keyword syntax fixed (cert/key paths elided as in the original)
Mongo::Client.new(['mongodb.docker:27017'], ssl: true, ssl_ca_cert: '...', ssl_cert: '...', ssl_key: '..', database: 'admin', user: 'root', password: 'MyPassword!')
```

So I think that I need to pass the client and CA certs to the vault write command, but I haven't found a way to do that.

On the MongoDB container I see these logs when the connection error occurs.

016-10-12T22:42:00.839+0000 I NETWORK  [conn42] end connection 172.17.0.2:60952 (0 connections now open)
2016-10-12T22:42:02.190+0000 I NETWORK  [initandlisten] connection accepted from 172.17.0.2:60956 #43 (1 connection now open)
2016-10-12T22:42:02.191+0000 I NETWORK  [conn43] end connection 172.17.0.2:60956 (0 connections now open)
2016-10-12T22:42:02.862+0000 I NETWORK  [initandlisten] connection accepted from 172.17.0.2:60958 #44 (1 connection now open)
2016-10-12T22:42:02.863+0000 I NETWORK  [conn44] end connection 172.17.0.2:60958 (0 connections now open)
2016-10-12T22:42:03.534+0000 I NETWORK  [initandlisten] connection accepted from 172.17.0.2:60960 #45 (1 connection now open)
2016-10-12T22:42:03.535+0000 I NETWORK  [conn45] end connection 172.17.0.2:60960 (0 connections now open)
2016-10-12T22:42:04.891+0000 I NETWORK  [initandlisten] connection accepted from 172.17.0.2:60962 #46 (1 connection now open)
2016-10-12T22:42:04.892+0000 I NETWORK  [conn46] end connection 172.17.0.2:60962 (0 connections now open)
2016-10-12T22:42:05.567+0000 I NETWORK  [initandlisten] connection accepted from 172.17.0.2:60966 #47 (1 connection now open)
2016-10-12T22:42:05.568+0000 I NETWORK  [conn47] end connection 172.17.0.2:60966 (0 connections now open)
2016-10-12T22:42:06.234+0000 I NETWORK  [initandlisten] connection accepted from 172.17.0.2:60968 #48 (1 connection now open)
2016-10-12T22:42:06.236+0000 I NETWORK  [conn48] end connection 172.17.0.2:60968 (0 connections now open)
@vishalnayak (Member) commented:

@reinaldomendes vault write --help should show the relevant options.

@reinaldomendes (Author) commented:

@vishalnayak none of the options in vault write --help is useful in this case.
I have already set the variables below.
VAULT_ADDR
VAULT_CACERT
VAULT_CLIENT_CERT
VAULT_CLIENT_KEY

With these certs I can connect to mongodb and to the vault server, but if we use ssl to write the config on the mongodb secret backend it doesn't work.

@vishalnayak (Member) commented:

@reinaldomendes It looks like Vault parses the URL provided to handle the ssl being set to true, instead of relying on the underlying mongo driver API. The problem is that the mongo DB driver that Vault uses (https://gopkg.in/mgo.v2) does not support TLS option parsing natively in its API (see https://github.com/go-mgo/mgo/issues/84).

The only way to make this work is to provide cert options on the URL and have Vault populate the tlsConfig with certs. I don't particularly like this option since the URL parsing will become more Vault specific than it already is with ssl=true, but I don't see an alternative either.

If anyone wants to tackle this, we would be happy to review a PR.

@bmocm commented Jun 20, 2017

How about just adding more parameters to the database/config endpoint, similar to the Cassandra plugin, rather than customizing the URI parsing? Adding sslPEMKey and sslCA should cover it. That would be similar to the MongoDB parameters. Or follow the Cassandra approach with pem_json/pem_bundle. For my use case the pem_json would be most useful as I am getting the certificates from Vault. I can implement that if there is interest.

@ewolkowicz commented:

This is a bit old, but with Vault 0.8.3 and Mongo 3.4.7 we get the same error trying to write a mongo config when passing the ssl parameter "?ssl=true":

URL: PUT https://vault/v1/database/config/mongodb
Code: 400. Errors:

* error creating database object: error verifying connection: no reachable servers

It looks like Vault had implemented a work-around for the driver to parse the url for those parameters here https://github.com/hashicorp/vault/blob/master/plugins/database/mongodb/connection_producer.go#L141 but I'm not sure it's actually working. Are there any known fixes at this time?

@jefferai (Member) commented Oct 5, 2017

A simple way to check whether that code is being hit would be to change the ssl parameter to something like nope -- it should then cause an error.

@ewolkowicz commented:

@jefferai I did test that out and it was parsing the parameter correctly. Ex:

* error creating database object: error verifying connection: bad value for ssl: borkbork

I did manage to figure out our issue though. We are using Vault as the CA for our Mongo certs, among others, so I had figured it would recognize the cert being presented, but I ended up having to import Vault's CA cert into the OS ca-certs (Ubuntu being /usr/local/share/ca-certificates/) and then restart Vault. Once Vault was back up everything worked as expected. This is an easy change for me, but I initially thought Vault would be able to compare the cert against its own CA first. The irony there is I had planned on importing the CAs from Vault as a default across the board but decided against it (until now).

For those interested, this was the error that Vault was presenting in the Mongo log which made me realize we had to import the CA:

2017-10-05T15:52:50.916+0000 E NETWORK [conn136155] SSL: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate

Everything is working as expected.
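The two moving parts discussed in this thread (vishalnayak's note that Vault strips its own ssl=true from the URI before handing it to mgo, and ewolkowicz's finding that mongod's certificate is verified against a trust store Vault does not control unless the CA is supplied explicitly) can be shown together in Go. This is an added example, not code from the Vault repository: ParseMongoURI, TLSConfigFromCA and NewTestCA are hypothetical helpers, the error text mirrors the one quoted above, and the self-signed CA is a constructed fixture standing in for Vault's PKI CA. Handing the resulting tls.Config to the driver (mgo's DialInfo.DialServer) is left out because it needs a live mongod.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"math/big"
	"net/url"
	"strconv"
	"time"
)

// ParseMongoURI strips the Vault-specific "ssl" query parameter (unknown to mgo) and reports whether TLS was requested.
func ParseMongoURI(raw string) (cleaned string, useTLS bool, err error) {
	u, err := url.Parse(raw)
	if err != nil {
		return "", false, err
	}
	q := u.Query()
	if v := q.Get("ssl"); v != "" {
		if useTLS, err = strconv.ParseBool(v); err != nil {
			return "", false, errors.New("bad value for ssl: " + v) // same shape as the error quoted in the thread
		}
		q.Del("ssl") // the driver must never see this key
	}
	u.RawQuery = q.Encode()
	return u.String(), useTLS, nil
}

// TLSConfigFromCA trusts only the supplied CA bundle, so mongod's cert is verified against it, not the OS trust store.
func TLSConfigFromCA(caPEM []byte) (*tls.Config, error) {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(caPEM) {
		return nil, errors.New("no CA certificate found in PEM bundle")
	}
	return &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12}, nil
}

// NewTestCA builds a throwaway self-signed CA (constructed fixture; a real deployment would use the PKI-issued CA).
func NewTestCA() ([]byte, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example test CA"}, NotBefore: time.Now(),
		NotAfter: time.Now().Add(time.Hour), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), err
}
```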

@sujithktkm commented:

Any updates on this? I'm trying to configure mongodb-database-plugin on Vault 0.10.4 and ran into a similar issue where Vault throws an error saying:

```
Code: 400. Errors:

  • error creating database object: error verifying connection: no reachable servers
```

This is because my Mongo replica set configuration requires SSL connection. If I change this config to allow non-ssl connections, it works just fine.
