Can't connect to MongoDB via SSL and certificate #1026

Closed
markuswinkler opened this issue Mar 14, 2016 · 20 comments

@markuswinkler

I am trying to run a local parse-server for development that connects to the hosted mongoDB instance on compose.io via SSL.

Compose.io provides a custom SSL certificate. I can successfully connect via
mongo --ssl aws....com:10637/dbname -u <user> -p <password> --sslCAFile=compose_io.pem

However, if I specify the URL in the parse server config file with ssl=true I am getting the following error message at the console when an app (e.g. dashboard) tries to connect:

Uncaught internal server error. { [MongoError: unable to verify the first certificate]
  name: 'MongoError',
  message: 'unable to verify the first certificate' } Error: unable to verify the first certificate
    at Error (native)
    at TLSSocket.<anonymous> (_tls_wrap.js:1057:38)
    at emitNone (events.js:80:13)
    at TLSSocket.emit (events.js:179:7)
    at TLSSocket._init.ssl.onclienthello.ssl.oncertcb.TLSSocket._finishInit (_tls_wrap.js:596:8)
    at TLSWrap.ssl.onclienthello.ssl.oncertcb.ssl.onnewsession.ssl.onhandshakedone (_tls_wrap.js:428:38)

I found this article on compose.io regarding SSL connections:
https://www.compose.io/articles/one-missing-key-and-how-it-broke-node-js-and-mongodb/

I can't seem to find options to specify the certificate in the parse-server config, though.
Trusting the certificate in the OSX keychain doesn't help either.

What am I missing?

@flovilmart
Contributor

#956 This should solve your issue

@markuswinkler
Author

Great! (and just committed 4 days ago. phew!)

How can I specify the options? I tried to read through the commit code but I am not very familiar with node.js

I know that the code goes into index.js at the root. I am just not sure how to call it.
This is what I tried (below var api = new ParseServer({ ... });), but it obviously can't find DatabaseAdapter and I am not sure how to invoke it in the right way.

var fs = require('fs');
var ca = [fs.readFileSync(__dirname + "/compose_io.pem")];
DatabaseAdapter.setAppDatabaseOptions(process.env.APP_ID, {
    ssl: true,
    sslValidate: true,
    sslCA: ca,
    poolSize: 1,
    reconnectTries: 1
});

Thank you!

@flovilmart
Copy link
Contributor

Just pass databaseOptions: {... Your options} when you initialize ParseServer.

@markuswinkler
Author

Hmm, it executes, but there is no difference,
still can't connect. Am I using the right format?

var fs = require('fs');
var ca = [fs.readFileSync(__dirname + "/compose_io.pem")];

var api = new ParseServer({
    databaseURI: databaseUri,
    databaseOptions: {
        ssl: true,
        sslValidate: true,
        sslCA: ca,
        ca: ca
    },
    cloud: process.env.CLOUD_CODE_MAIN || __dirname + '/cloud/main.js',
    appId: process.env.APP_ID,
    masterKey: process.env.MASTER_KEY,
    serverURL : process.env.SERVER_URL,
    facebookAppIds : process.env.PARSE_SERVER_FACEBOOK_APP_IDS,
    oauth : {
        facebook: {
            appIds: process.env.PARSE_SERVER_FACEBOOK_APP_IDS
        }
    }
});

@flovilmart
Contributor

@steven-supersolid ? Ideas?

@steven-supersolid
Contributor

There is another level of option within options that you need to specify - server.
http://mongodb.github.io/node-mongodb-native/2.1/reference/connecting/connection-settings/
(Individual Server Level Options)

I've successfully used this to modify the connection pool max size but have not tried SSL yet. I think it should be similar.

E.g.

databaseOptions: {
  server: {
    ssl: true,
    sslValidate: true,
    sslCA: ca,
    ca: ca
  }
},

@markuswinkler
Author

That seems to work, at least I am not getting any error messages anymore. :)

The parse dashboard is empty though despite data in the DB.
Compose.io uses MongoDB 3.2.1,
could it be that this is a problem, too? (I am not using the WiredTiger option)

@flovilmart
Contributor

  1. is there data in the DB?
  2. is the parse dashboard connecting correctly
  3. can you run a query into the API explorer?

@markuswinkler
Author

  1. yes
  2. yes, as far as I can tell.
    I currently have 2 entries, one pointing to parse.com to see if the dashboard works (it does),
    and the second one pointing to my local server. Before the databaseOptions->server
    setting there were always connection errors on the console of ParseServer.
    These are gone now, but the Dashboard is empty
  3. query runs if parse.com is the target (/users), for my local install there is nothing happening at all.
    If I try to export the query to cURL the url at the end points to parse instead of my local install.
    what is the api endpoint for curl on a local install? I tried http://localhost:1337/1/users, didn't work.

@flovilmart
Contributor

it depends where you mount your api

@markuswinkler
Author

ah, ok! A cURL request (based on what the API console tells me) to http://localhost:1337/parse/users times out.

curl -X GET -H "X-Parse-Application-Id: xxxx" -H "X-Parse-Master-Key: yyyy" http://localhost:1337/parse/users
curl: (52) Empty reply from server

(xxxx and yyyy are valid values)

@IlyaDiallo
Contributor

@markuswinkler same problem here (can't connect to Compose.io with SSL). Tried databaseOptions, error message goes away, but the DB doesn't answer.

@flovilmart
Contributor

have you seen that? http://stackoverflow.com/questions/35439871/connecting-to-compose-io-mongodb-deployment-using-ssl-and-mongos-through-mongoos

@markuswinkler
Author

That fixed it! Works now, thanks a lot! 👍

@swami701

swami701 commented Jan 25, 2017

@steven-supersolid Could you please let me know, how did you change the poolSize using databaseOptions. If you share the sample databaseOptions, that would be great. I don't know which one is correct

databaseOptions: {
  server: {
    poolSize: 100,
  }
},

or

databaseOptions: {
  replSet: {
    poolSize: 100,
  }
},

@abbasdawood

This no longer works, a warning is thrown with

databaseOptions:{ server: { ... } }

the error being:

the server/replset/mongos options are deprecated, all their options are supported at the top level 
of the options object [poolSize,ssl,sslValidate,sslCA,sslCert,sslKey,sslPass,sslCRL,autoReconnect,
noDelay,keepAlive,connectTimeoutMS,socketTimeoutMS,reconnectTries,reconnectInterval,ha,
haInterval,replicaSet,secondaryAcceptableLatencyMS,acceptableLatencyMS,connectWithNoPrimary,
authSource,w,wtimeout,j,forceServerObjectId,serializeFunctions,ignoreUndefined,raw,promoteLongs,
bufferMaxEntries,readPreference,pkFactory,promiseLibrary,readConcern,maxStalenessSeconds,loggerLevel,logger,
promoteValues,promoteBuffers,promoteLongs,domainsEnabled,keepAliveInitialDelay,
checkServerIdentity,validateOptions]

Still no luck trying to solve this, I keep getting

You have triggered an unhandledRejection, you may have forgotten to catch a Promise rejection:
 connection 0 to mydb.domain.com:27017 closed

@flovilmart
Contributor

that's an error thrown from the mongoDB nodejs client, you should probably check with them instead

@flovilmart
Contributor

flovilmart commented May 15, 2017

Also, given the error, you should basically move everything at the top level, as mentioned in the error:

databaseOptions: {
  poolSize: 100
}

@abbasdawood

Thanks for the direction @flovilmart.

I moved all of this to the top level (ssl, sslCert, sslKey, sslCA) as mentioned in the docs. There's been a change in the options. This varies somewhat from the options mentioned in this tutorial.

@flovilmart
Contributor

Yeah, you should probably report it to mongo :)
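
The change this thread ends on (options nested under server/replSet/mongos moved to the top level of databaseOptions, with the CA passed as sslCA and validation left on), shown as an added example that is not part of the original thread or of parse-server. The helper names normalizeDatabaseOptions and auditTls are hypothetical, and the PEM is a constructed placeholder.

```javascript
// Added example (not parse-server code). Helper names are hypothetical.
const LEGACY_GROUPS = ['server', 'replSet', 'mongos'];

// Hoist options nested under server/replSet/mongos to the top level.
// A value already set at the top level wins; the clash is reported.
function normalizeDatabaseOptions(options) {
  const flat = {};
  const conflicts = [];
  for (const [key, value] of Object.entries(options)) {
    if (!LEGACY_GROUPS.includes(key)) flat[key] = value;
  }
  for (const group of LEGACY_GROUPS) {
    for (const [key, value] of Object.entries(options[group] || {})) {
      if (key in flat && flat[key] !== value) conflicts.push(`${group}.${key}`);
      else flat[key] = value;
    }
  }
  return { flat, conflicts };
}

// Report TLS settings that would leave the server certificate unverified
// or that the driver's option list (quoted in the warning above) lacks.
function auditTls(flat) {
  const findings = [];
  if (flat.ssl !== true) findings.push('ssl is not enabled');
  if (flat.sslValidate !== true) findings.push('sslValidate is not explicitly true');
  if ([].concat(flat.sslCA || []).length === 0) findings.push('no sslCA supplied');
  if ('ca' in flat) findings.push('"ca" is not a listed option; use sslCA');
  return findings;
}

// Constructed sample: the nested form from this thread with a placeholder PEM.
const sampleCa = [Buffer.from('-----BEGIN CERTIFICATE-----\n(placeholder)\n-----END CERTIFICATE-----\n')];
const legacy = {
  server: { ssl: true, sslValidate: true, sslCA: sampleCa, ca: sampleCa },
  replSet: { poolSize: 100 }
};
const result = normalizeDatabaseOptions(legacy);
console.log(Object.keys(result.flat), result.conflicts, auditTls(result.flat));
```

The flattened object is what would be passed as databaseOptions once the stray ca key is dropped; an empty findings list means TLS is on, validation is explicit, and a CA is supplied.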
