Error: self signed certificate in certificate chain for Meteor 1.11

vruzha · September 14, 2020, 4:46pm

Hello everyone,
we’ve updated our app from 1.8 to 1.11 and now we have the following issue with the app deployed into GCP:

MongoNetworkError: failed to connect to server [xxx.appdomain.cloud:xxxxx] on first connect [Error: self signed certificate in certificate chain
W20200914-12:13:33.717(-4)? (STDERR)     at TLSSocket.onConnectSecure (_tls_wrap.js:1501:34)
W20200914-12:13:33.717(-4)? (STDERR)     at TLSSocket.emit (events.js:315:20)
W20200914-12:13:33.717(-4)? (STDERR)     at TLSSocket._finishInit (_tls_wrap.js:936:8)
W20200914-12:13:33.718(-4)? (STDERR)     at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:710:12) {
W20200914-12:13:33.718(-4)? (STDERR)   name: 'MongoNetworkError'
W20200914-12:13:33.718(-4)? (STDERR) }]

I’ve checked other threads for the topic, all of them suggest to add a specific section into the METEOR_SETTINGS. We use Docker containers, I can confirm that the METEOR_SETTINGS variable is set and we’ve tried the following 3 variants:

Just ignore invalid certs…

{
  "public": {
   ...
  },
  "private": {
   ...
  },
  "packages": {
    "mongo": {
      "options": {
        "tlsAllowInvalidCertificates": true
      }
    }
  }
}

Use cert from /private/mongo_cert.pem. I can confirm that the certificate is a valid one as I was able to connect to our Mongo DB using it. I can also confirm I see this cert deployed, so the file is available.

{
  "public": {
   ...
  },
  "private": {
   ...
  },
  "packages": {
    "mongo": {
      "options": {
        "tls": true,
        "tlsCAFileAsset": "mongo_cert.pem"
      }
    }
  }
}

Just forget about certs at all

{
  "public": {
   ...
  },
  "private": {
   ...
  },
  "packages": {
    "mongo": {
      "options": {
         "tlsInsecure": true      
      }
    }
  }
}

None of the options described above seems to be working for us, we still got the error described above.

Please advice… help is very much appreciated.
Thank you!

vruzha · September 14, 2020, 7:30pm

Ok… A quick-fix that seems to be working is to add &tlsInsecure=true to your MongoDB URI. Still looking for the correct way to fix it though.

choucrouteman · June 17, 2021, 7:26am

Hi,

I just had the same issue on Meteor 2.2 connecting to Galaxy Mongo (either locally or from the server itself).
I am still in dev phase so I don’t want to bother with a proper certificate yet.
I had been using tlsAllowInvalidCertificates as an option for the mongo package in settings.json and it was working fine.

Just a couple of days ago I started to have the error again and managed to fix it with adding &tlsAllowInvalidCertificates=true to the mongo URI (but not &tlsInsecure=true). I guess this is slightly more secure.

However, I don’t understand why this settings that used to be taken into account is not anymore?

robgordon · July 19, 2021, 1:58am

choucrouteman
FYI tlsAllowInvalidCertificates seems to be working again in 2.3.2

ochirouze · August 5, 2021, 3:25pm

I confirm!

Thanks Rob.

Olivier