This is connected to a previous question I asked:
Compass and MongoDB VPS instance won't establish TLS connection
where Wernfried Domscheit provided the solution, which raised a further question.
Just as Wernfried Domscheit pointed out, if you know the URL of a MongoDB instance and you happen to know that LetsEncrypt certs are used for TLS, then nothing is stopping you from generating your own LetsEncrypt certs for this URL and connecting to MongoDB. The established fact is that MongoDB is only verifying the CA and validity of the cert and isn't verifying the contents of the cert provided by the client.
The non-obvious solution I found that made Compass talk to the MongoDB instance on the VPS was to use LetsEncrypt certs generated by Certbot. These 2 files are used:
Those are appended to the end of mongodb.conf. Compass is happy to use certKey only. The connection establishes just fine. Apparently not happy days, because it's fake TLS security, as explained above.
The truly secure solution would be to make my own custom CA, which nobody can dodge, that MongoDB actually verifies.
With OpenSSL I generated the custom CA, the host cert and the intermediate cert, and they do pass verification against the rootCA. But MongoDB isn't happy:
{"t":{"$date":"2024-12-07T22:13:18.040+00:00"},"s":"E", "c":"NETWORK", "id":23256, "ctx":"conn56","msg":"SSL peer certificate validation failed","attr":{"error":"SSL peer certificate validation failed: unsuitable certificate purpose"}}
Any ideas on how to fix this are appreciated.
Edit:
RootCA cert:
Intermediate cert:
Host cert:
I assume the wrong intermediate certificate is just a mistake from your side.
So, focus on your error. "unsuitable certificate purpose" indicates that you have the wrong certificate purpose:
> openssl x509 -in giftbutton.com.crt -noout -ext extendedKeyUsage,keyUsage,nsComment
Netscape Comment:
    My First Certificate
X509v3 Key Usage:
    Digital Signature, Non Repudiation, Key Encipherment
X509v3 Extended Key Usage:
    TLS Web Server Authentication
I guess you try to use this certificate at Compass. This is a server certificate; however, at Compass you need to create a client certificate, i.e. you need to set TLS Web Client Authentication.
Why did you set Non Repudiation? This property and the Netscape extensions are not needed.
Regarding intermediate certificates: On public web servers you usually have a Root-CA and an Intermediate-CA. In general there is no technical reason for it; it is more driven by organizational challenges. Imagine the Let's Encrypt Root-CA were compromised: there are billions of devices and browsers that trust this Root-CA. It would be a really huge effort to remove and update this Root-CA on billions of devices. That's the reason for an Intermediate-CA. If an Intermediate-CA gets compromised (maybe by a vindictive and angry service desk employee), then it is rather simple to revoke this Intermediate-CA in the Root-CA CRL.
Most likely at Let's Encrypt, only the CEO and CTO may have access to the private key of their Root-CAs in order to keep them protected.
In your small or private environment there is no technical reason to create any Intermediate-CA. In case your Root-CA gets compromised then you can simply replace the CA and the end-entity certificates.