Error: self signed certificate in certificate chain for Meteor 1.11

Hello everyone,
We’ve updated our app from 1.8 to 1.11 and now we have the following issue with the app deployed into GCP:

MongoNetworkError: failed to connect to server [xxx.appdomain.cloud:xxxxx] on first connect [Error: self signed certificate in certificate chain
W20200914-12:13:33.717(-4)? (STDERR)     at TLSSocket.onConnectSecure (_tls_wrap.js:1501:34)
W20200914-12:13:33.717(-4)? (STDERR)     at TLSSocket.emit (events.js:315:20)
W20200914-12:13:33.717(-4)? (STDERR)     at TLSSocket._finishInit (_tls_wrap.js:936:8)
W20200914-12:13:33.718(-4)? (STDERR)     at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:710:12) {
W20200914-12:13:33.718(-4)? (STDERR)   name: 'MongoNetworkError'
W20200914-12:13:33.718(-4)? (STDERR) }]

I’ve checked other threads on the topic; all of them suggest adding a specific section to METEOR_SETTINGS. We use Docker containers, I can confirm that the METEOR_SETTINGS variable is set, and we’ve tried the following 3 variants:

  1. Just ignore invalid certs…
{
  "public": {
   ...
  },
  "private": {
   ...
  },
  "packages": {
    "mongo": {
      "options": {
        "tlsAllowInvalidCertificates": true
      }
    }
  }
}

  2. Use cert from /private/mongo_cert.pem. I can confirm that the certificate is a valid one as I was able to connect to our Mongo DB using it. I can also confirm I see this cert deployed, so the file is available.
{
  "public": {
   ...
  },
  "private": {
   ...
  },
  "packages": {
    "mongo": {
      "options": {
        "tls": true,
        "tlsCAFileAsset": "mongo_cert.pem"
      }
    }
  }
}

  3. Just forget about certs at all
{
  "public": {
   ...
  },
  "private": {
   ...
  },
  "packages": {
    "mongo": {
      "options": {
        "tlsInsecure": true
      }
    }
  }
}

None of the options described above seems to be working for us; we still get the error described above.

Please advise… help is very much appreciated.
Thank you!

Ok… A quick-fix that seems to be working is to add &tlsInsecure=true to your MongoDB URI. Still looking for the correct way to fix it though.

Hi,

I just had the same issue on Meteor 2.2 connecting to Galaxy Mongo (either locally or from the server itself).
I am still in dev phase so I don’t want to bother with a proper certificate yet.
I had been using tlsAllowInvalidCertificates as an option for the mongo package in settings.json and it was working fine.

Just a couple of days ago I started to have the error again and managed to fix it by adding &tlsAllowInvalidCertificates=true to the mongo URI (but not &tlsInsecure=true). I guess this is slightly more secure.

However, I don’t understand why this setting that used to be taken into account is not anymore?

choucrouteman
FYI tlsAllowInvalidCertificates seems to be working again in 2.3.2

I confirm!

Thanks Rob.

Olivier
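
For checking which of the options discussed in this thread are actually in effect for a deployment, here is an added example (not code from any poster or from Meteor) that audits a MongoDB URI and a METEOR_SETTINGS JSON string for options that switch off certificate verification. The function names, the sample URI and the sample settings are constructed for illustration.

```javascript
// Options that weaken server verification when set to true.
const WEAKENING = {
  tlsInsecure: "turns off certificate validation checks",
  tlsAllowInvalidCertificates: "accepts any server certificate",
  tlsAllowInvalidHostnames: "skips the hostname match against the certificate",
};
// Options that supply a CA to verify against (tlsCAFileAsset is the settings form).
const CA_OPTIONS = ["tlscafile", "tlscafileasset"];

// Constructed sample inputs, not taken from any real deployment.
const SAMPLE_URI =
  "mongodb://app:secret@db1.example.invalid:27017,db2.example.invalid:27017/app?tls=true&tlsInsecure=true";
const SAMPLE_SETTINGS = JSON.stringify({
  packages: { mongo: { options: { tls: true, tlsCAFileAsset: "mongo_cert.pem" } } },
});

// Read options from the URI query string. Split by hand: multi-host
// MongoDB URIs are not valid input for the URL class.
function uriOptions(uri) {
  const q = uri.indexOf("?");
  return Object.fromEntries(new URLSearchParams(q === -1 ? "" : uri.slice(q + 1)));
}

// Read packages.mongo.options from a METEOR_SETTINGS JSON string.
function settingsOptions(settingsJson) {
  const s = settingsJson ? JSON.parse(settingsJson) : {};
  return (s.packages && s.packages.mongo && s.packages.mongo.options) || {};
}

const isTrue = (v) => v === true || String(v).toLowerCase() === "true";

// Report every weakening option per source, and whether a CA is configured.
function auditMongoTls(uri, settingsJson) {
  const sources = { MONGO_URL: uriOptions(uri), METEOR_SETTINGS: settingsOptions(settingsJson) };
  const findings = [];
  let hasCa = false;
  for (const [source, opts] of Object.entries(sources)) {
    for (const [name, value] of Object.entries(opts)) {
      // Connection string option names are case-insensitive.
      const weak = Object.keys(WEAKENING).find((k) => k.toLowerCase() === name.toLowerCase());
      if (weak && isTrue(value)) findings.push({ source, option: weak, risk: WEAKENING[weak] });
      if (CA_OPTIONS.includes(name.toLowerCase()) && value) hasCa = true;
    }
  }
  return { verificationIntact: findings.length === 0, hasCa, findings };
}

console.log(JSON.stringify(auditMongoTls(SAMPLE_URI, SAMPLE_SETTINGS), null, 2));
```

Running it in CI or at container start against the real MONGO_URL and METEOR_SETTINGS values shows when a "quick-fix" flag is overriding a CA file that is already configured.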