Unable to connect to DocumentDB via SSL from Node Mongoose

0

I have 2 environments in AWS Elastic Beanstalk (EB) running a Node.js application connecting to DocumentDB utilizing the Mongoose framework. One of the environments inexplicably stopped working while the other is working fine. Both are deployed from a CI/CD build server that utilizes the EB CLI to deploy the application code.

The problematic environment generates the following error in the nodejs.log:

  name: 'MongooseTimeoutError',
  reason:
   { Error: unable to get local issuer certificate
       at TLSSocket.onConnectSecure (_tls_wrap.js:1058:34)
       at TLSSocket.emit (events.js:198:13)
       at TLSSocket._finishInit (_tls_wrap.js:636:8)
     name: 'MongoNetworkError',
     [Symbol(mongoErrorContextSymbol)]: {} },
  [Symbol(mongoErrorContextSymbol)]: {} }

Both use the same connection string, as they connect to the same instance:

mongodb://*****:*****@docdb-2019-08-**-**-**-**.cluster-**********.us-east-2.docdb.amazonaws.com:27017/db_name?ssl=true&ssl_ca_certs=/etc/ssl/certs/rds-combined-ca-bundle.pem&replicaSet=rs0

The certificate pem file is the same file used for both and is deployed to the instance via EB .ebextensions scripts. It is also the latest rds-combined-ca-bundle. In addition the DocumentDB instance also has the latest 2019 certificate.

Things that I have tried:

  • Connected to the troubled environment's EC2 instance, installed the mongodb shell and was able to successfully connect to the DocumentDB instance using the cert specified in the Mongo connect string.
  • Rebuilt the EB environment via the Elastic Beanstalk web management console.

Kind of stuck and out of ideas at the moment.

asked 4 years ago, 2032 views
2 Answers
0

Had the same issue. Not sure if this breaks with the change in cert to 2019. Anyway, I had to get around this with a code change and removal of the SSL cert location from the connection string.

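import * as fs from "fs";
import { connect } from "mongoose";
// Pass the CA bundle through the sslCA option instead of the connection string
connect(uri, {useNewUrlParser: true,
        useFindAndModify: false,
        sslCA: [fs.readFileSync("rds-combined-ca-bundle.pem")]}, (err: any) => { if (err) throw err; });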

Edited by: zshack on Jan 6, 2020 8:29 AM

zshack
answered 4 years ago
0

zshack, thanks for the info. My current workaround was to turn off SSL for the instance and remove the cert from the connect string. Not too concerned about it at the moment as this project is still in development and also since DocumentDB is only accessible from within the AWS VPC I think the risk is minimal.

answered 4 years ago
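
An added example, not part of the original thread: a helper that moves the CA bundle out of the connection string and into the driver options, as in zshack's answer, while keeping certificate validation on instead of disabling TLS. The helper names are hypothetical, the sample URI and certificate bodies are constructed, and `ssl`, `sslValidate` and `sslCA` are assumed to be the MongoDB Node driver 3.x options that Mongoose 5 passes through.

```javascript
// Added example; helper names are hypothetical and the sample inputs are constructed.
const PEM_CERT = /-----BEGIN CERTIFICATE-----[\s\S]+?-----END CERTIFICATE-----/g;

// Split a combined bundle such as rds-combined-ca-bundle.pem into single certificates.
function splitPemBundle(pemText) {
  return pemText.match(PEM_CERT) || [];
}

// Return the URI without its CA-path parameter, plus options that carry the CA
// certificates explicitly and keep server-certificate validation on.
function buildConnectArgs(uri, pemText) {
  const certs = splitPemBundle(pemText);
  if (certs.length === 0) {
    // Fail closed: an empty or unreadable bundle must not end in an unverified connection.
    throw new Error("CA bundle contains no certificates");
  }
  const q = uri.indexOf("?");
  const base = q === -1 ? uri : uri.slice(0, q);
  const params = new URLSearchParams(q === -1 ? "" : uri.slice(q + 1));
  if (params.get("ssl") === "false") {
    throw new Error("refusing to connect with ssl=false");
  }
  params.delete("ssl_ca_certs"); // the CA now travels in options.sslCA
  const query = params.toString();
  return {
    uri: query ? `${base}?${query}` : base,
    options: { useNewUrlParser: true, useFindAndModify: false,
               ssl: true, sslValidate: true, sslCA: certs },
  };
}

// Constructed sample inputs (placeholder host, credentials and certificate bodies).
const SAMPLE_URI = "mongodb://user:pass@docdb.example.internal:27017/db_name" +
  "?ssl=true&ssl_ca_certs=/etc/ssl/certs/rds-combined-ca-bundle.pem&replicaSet=rs0";
const SAMPLE_BUNDLE = [
  "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQtMQ==\n-----END CERTIFICATE-----",
  "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQtMg==\n-----END CERTIFICATE-----",
].join("\n");

// Real use (assumed wiring): read the bundle with fs.readFileSync(path, "utf8"),
// call buildConnectArgs(uri, pemText), then mongoose.connect(args.uri, args.options).
```
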
