1

I'm having problems connecting to mongodb with SSL. First of all, I could connect to mongodb with a Java application without any problem, but when I connect from a server application like Jetty with Spring Boot, I can't connect to mongodb. Curiously, I could connect to mongodb with Eclipse.

Java code to connect:

import com.mongodb.MongoClient;
import com.mongodb.MongoClientURI;

String trustStorePath = "/path/ssl_keystore_mongodb";
String trustStorePassword = "somePassword";
String uri = "mongodb://admin:password@domain1:31251,domain2:31251/my-db?authSource=admin&ssl=true";
// Point the JVM's default trust store at the keystore that holds the MongoDB certificate.
System.setProperty("javax.net.ssl.trustStore", trustStorePath);
System.setProperty("javax.net.ssl.trustStorePassword", trustStorePassword);
MongoClient mongoClient = new MongoClient(new MongoClientURI(uri));

The code works fine without the server application, but with the server application the output is:

com.mongodb.MongoSocketWriteException: Exception sending message}, caused by {javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names matching IP address 169.47.75.121 found}, caused by {java.security.cert.CertificateException: No subject alternative names matching IP address 169.47.75.121 found}}, {address=sl-us-south-1-portal.14.dblayer.com:31251, type=UNKNOWN, state=CONNECTING, exception={com.mongodb.MongoSocketWriteException: Exception sending message}, caused by {javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names matching IP address xxx.xx.xx.xxx found}, caused by {java.security.cert.CertificateException: No subject alternative names matching IP address xxx.xx.xx.xxx found}}]

My ssl certificate:

Owner: [email protected]
Issuer: [email protected]
Serial number: 5a4d0994
Valid from: Wed Jan 03 11:49:24 PET 2018 until: Sun Jan 03 11:00:00 PET 2038
Certificate fingerprints:
     MD5:  94:EC:B1:49:BB:56:B9:4B:E3:FC:D3:FE:74:C8:FA:D8
     SHA1: EA:95:CC:45:43:E4:DA:12:EA:6C:D6:3F:8D:D3:0A:E6:C5:62:B3:96
     SHA256: 9F:A9:AA:84:83:33:BB:B7:39:50:3A:8B:11:3D:B6:07:CD:7E:6D:C3:29:F8:9C:21:4C:B5:47:65:86:19:E7:73
Signature algorithm name: SHA512withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3

Extensions: 

#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 61 71 23 3E FF 31 E2 D1   C0 D0 23 F6 4A 1F 0E 55  aq#>.1....#.J..U
0010: B3 28 1D 69                                        .(.i
]
]

#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:true
  PathLen:2147483647
]

#3: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  serverAuth
  clientAuth
]

#4: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  Key_CertSign
]

#5: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 61 71 23 3E FF 31 E2 D1   C0 D0 23 F6 4A 1F 0E 55  aq#>.1....#.J..U
0010: B3 28 1D 69                                        .(.i
]
]

The certificate is provided by IBM. How can I solve this issue?

1 Answer

1

This exception says that you're waiting for a certificate with a CN (or SAN) containing an IP instead of an FQDN. For some reason you're requesting https://169.47.75.121 instead of https://sl-us-south-1-portal.14.dblayer.com.

How to solve it? By letting DNS do its job. Check all of your config files and code; if they contain this IP, remove it. Also check the hosts files on each computer and add references where needed. If you still can't find why this happens, another method is to disable the certificate validation, as explained in the doc "Host name verification".


2 Comments

Thanks, I could solve my problem by adding: mongoClient = new MongoClient(new MongoClientURI(uri, MongoClientOptions.builder().sslEnabled(true).sslInvalidHostNameAllowed(true)));
where's the reward ?
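
Why the handshake rejects an IP literal, as an added example (not code from the question, the answer or the MongoDB driver): a simplified version of the name check that hostname verification applies to a certificate's subject alternative names, taking entries in the `[type, value]` shape that `X509Certificate.getSubjectAlternativeNames()` returns. The class name, host name and address are constructed; IPv6 and the CN fallback are not handled.

```java
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.List;
import java.util.Locale;

public class SanMatchDemo {                 // hypothetical class name
    static final int DNS_NAME = 2;          // GeneralName tag for dNSName
    static final int IP_ADDRESS = 7;        // GeneralName tag for iPAddress

    // One SAN entry in the [type, value] shape getSubjectAlternativeNames() uses.
    static List<?> san(int type, String value) {
        return Arrays.asList(type, value);
    }

    // Dotted-quad IPv4 literal; IPv6 is not handled here.
    static boolean isIpLiteral(String host) {
        return host.matches("(\\d{1,3}\\.){3}\\d{1,3}");
    }

    // dNSName comparison: exact, or a wildcard covering the leftmost label only.
    static boolean dnsMatches(String host, String pattern) {
        String h = host.toLowerCase(Locale.ROOT);
        String p = pattern.toLowerCase(Locale.ROOT);
        if (!p.startsWith("*.")) return h.equals(p);
        int dot = h.indexOf('.');
        return dot > 0 && h.substring(dot).equals(p.substring(1));
    }

    // An IP literal is compared only with iPAddress entries, a name only with dNSName.
    static boolean matches(String host, Collection<List<?>> sans) {
        if (sans == null) return false;     // certificate has no SAN extension
        boolean ip = isIpLiteral(host);
        for (List<?> entry : sans) {
            int type = (Integer) entry.get(0);
            String value = String.valueOf(entry.get(1));
            if (ip && type == IP_ADDRESS && value.equals(host)) return true;
            if (!ip && type == DNS_NAME && dnsMatches(host, value)) return true;
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample: a server certificate whose SAN lists one DNS name.
        Collection<List<?>> sans =
            Collections.<List<?>>singletonList(san(DNS_NAME, "db1.example.test"));
        System.out.println("by name: " + matches("db1.example.test", sans));
        System.out.println("by IP:   " + matches("192.0.2.10", sans));
    }
}
```

Connecting by a name the certificate carries lets this check pass with hostname verification left enabled.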
