jeroen / mongolite

Fast and Simple MongoDB Client for R
https://jeroen.github.io/mongolite/

TLS issue #219

Open Karakaii opened 3 years ago

Karakaii commented 3 years ago

Hello, I used to use mongolite to access my MongoDB Atlas databases. However, one day, I just started getting this error whenever I try to access my database.

> players <- mongo("players", url = uri)$find(
+     fields='{}'
+ )
Error: No suitable servers found (`serverSelectionTryOnce` set): [TLS handshake failed: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed calling ismaster on 'XXXX:27017'] [TLS handshake failed: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed calling ismaster on 'XXXX:27017'] [TLS handshake failed: error:1416F086:SSL routines:tls_process_server_c

(I have replaced the name of my cluster with XXXX).

I have mongolite version 2.3.1. I also tried by installing the GitHub version. I tried updating all my packages. I tried reinstalling my packages, reinstalling R and R Studio. I tried on VPN and on my own wifi connection. I am on Windows 1, R version 4.1.0, R Studio Version 1.4.1106.

I know someone else on Windows who can use mongolite to access the database. I can't seem to find a solution to this problem. Could you help me, please?

herrseverin commented 3 years ago

Hey,

There have been changes on MongoDB Atlas’ certificates. Could this relate maybe to your problem?

I quote from an email I received from MongoDB:

"new TLS certificates created by MongoDB Atlas will use ISRG as its root instead of IdenTrust as of May 1, 2021. This change is in line with the transition made by Let’s Encrypt, the Certificate Authority (CA) used by MongoDB Atlas to issue TLS certificates for all Atlas clusters. Project owners in your organization should have received notification of this change in October 2020, with subsequent reminders sent in March and April 2021.

Atlas uses TLS to ensure that all network traffic to and from the cluster is encrypted. Atlas cluster certificates are rotated every 45 days, so your cluster will move from the IdenTrust to the ISRG root between May 1, 2021 and July 1, 2021."

Best, Severin

Karakaii commented 3 years ago

Hi @herrseverin, Thank you for your reply. I imagine it would have to do with that. But I don't understand why I can't access the database with mongolite, whereas my colleague can...

If it was about the certificates, is there a solution on the mongolite side? Or would I have to change the certificates on my MongoDB Atlas cluster?

jeroen commented 3 years ago

Are your colleagues using the same version of mongolite on Windows?

Perhaps there is an issue with your Windows certificate settings. Have you installed the latest Windows updates? As a workaround perhaps you can disable cert validation:

m <- mongo(......, options = ssl_options(weak_cert_validation = T))

This topic suggests some versions of Windows are missing the new ISRG cert, however I would guess most of your websites don't work if that really is the case. But you could try fixes from there as well: https://community.letsencrypt.org/t/isrg-root-lazy-loading-problem-missing-from-random-updated-windows-10-versions/141550/4

Karakaii commented 3 years ago

Thank you so much for your answer @jeroen. I updated my version of mongolite so I have no idea what I was using before these tests. My colleague is using 2.2.0.

I have updated my Windows, and I still have the same issues. However, your solution with the options = ssl_options(weak_cert_validation = T) works great! Thank you for that.

dlaudams commented 3 years ago

Setting weak_cert_validation = T did not reliably fix it for me.

I don't think it is related to weak certificates. The MongoDB server certificate validates running this code:

> packageVersion('openssl')
[1] ‘1.4.3’
> library(openssl)
> cert <- download_ssl_cert("XXX", 1234)
> cert_verify(cert, ca_bundle())
[1] TRUE
> print(cert)
[[1]]
[x509 certificate] *.xxxxx
md5: xxxxx
sha1: xxxxx
[[2]]
[x509 certificate] xxx
md5: xxxxx
sha1: xxxxx
> as.list(cert[[1]])
$subject
[1] "CN=*.xxxxx"
$issuer
[1] "CN=R3,O=Let's Encrypt,C=US"
$algorithm
[1] "sha256WithRSAEncryption"
$signature
 [xxx]
$validity
[1] "xxxxx" "xxxxx"
$self_signed
[1] FALSE
$alt_names
[1] "*.xxx" "*.xxx"                    
[3] "*.xxx"                         
$pubkey
[4096-bit rsa public key]
md5: xxxxxxx
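
Added example (not part of the thread, and not mongolite's own code): the chain check above, extended to report each certificate's issuer and to test the chain against a chosen root file, followed by a connection that trusts that file through ssl_options(ca = ...) instead of setting weak_cert_validation. It assumes the failure is a missing ISRG root on the client, as suggested earlier in the thread; the host name, URL and isrgrootx1.pem path are placeholders.

```r
library(openssl)
library(mongolite)

# Summarise the chain a server presents and whether it verifies against a
# given set of trusted roots. cert_verify() may raise an error on failure,
# so the reason is captured and returned instead of stopping the script.
check_chain <- function(host, port = 27017, roots = ca_bundle()) {
  chain <- download_ssl_cert(host, port)
  info  <- lapply(chain, as.list)
  res   <- tryCatch(cert_verify(chain, roots),
                    error = function(e) conditionMessage(e))
  list(
    subjects = vapply(info, function(x) x$subject, character(1)),
    issuers  = vapply(info, function(x) x$issuer, character(1)),
    verdict  = if (isTRUE(res)) "ok" else as.character(res)
  )
}

# Connect with full validation, trusting only the roots in `ca_file`.
# weak_cert_validation is left unset, so a bad chain still fails the handshake.
connect_pinned <- function(url, ca_file, collection = "test", db = "test") {
  stopifnot(file.exists(ca_file))
  mongo(collection = collection, db = db, url = url,
        options = ssl_options(ca = ca_file))
}

# Placeholders (hypothetical values, replace before running):
#   host    - one of the shard host names listed in the connection error
#   ca_file - a local PEM copy of the ISRG Root X1 certificate
host    <- "<shard-host>.mongodb.net"
ca_file <- "isrgrootx1.pem"
url     <- "mongodb+srv://<username>:<password>@<clustername>.mongodb.net/?tls=true"

if (file.exists(ca_file)) {
  # Does the chain verify against the roots R's openssl package ships with?
  print(check_chain(host))
  # Does it verify when only the ISRG root is trusted?
  print(check_chain(host, roots = read_cert_bundle(ca_file)))
  m <- connect_pinned(url, ca_file)
}
```

If the second check reports "ok" while the first does not, the client's root store is the problem and the pinned connection keeps certificate validation enabled.
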

dlaudams commented 3 years ago

What does work for me is adding tls=true to the MongoDB URI.

i.e., mongodb+srv://xxx:yyy@zzzz/?tls=true

I suspect the call to mongoc_uri_get_tls in mongoc-uri.c does not properly recognise that TLS=true is the default when +srv is used:

https://docs.mongodb.com/manual/reference/connection-string/#std-label-connections-connection-options

tls Enables or disables TLS/SSL for the connection:

true: Initiate the connection with TLS/SSL. Default for DNS Seed List Connection Format.
false: Initiate the connection without TLS/SSL. Default for Standard Connection String Format.

jeroen commented 2 years ago

Please try again with mongolite 2.4.1 or newer

vane2890 commented 2 years ago

Hello! I have tried everything on this issue, I have the next error in RStudio:

Error: No suitable servers found (serverSelectionTryOnce set): [TLS handshake failed calling hello on 'cluster0-shard-00-00.21ysu.mongodb.net:27017'] [TLS handshake failed calling hello on 'cluster0-shard-00-01.21ysu.mongodb.net:27017'] [TLS handshake failed calling hello on 'cluster0-shard-00-02.21ysu.mongodb.net:27017']

I have tried:

But nothing works, any ideas? Thank you!

AhmadMobin commented 2 years ago

@vane2890 Were you able to resolve this? I am also stuck!

jestoni-convrtx commented 2 years ago

Following this as I also have the same issue on my local development setup.

JulianUmbhau commented 1 year ago

I seem to have met the same error.

When trying to connect to my mongodb atlas cloud database, using this command:

url <- 'mongodb+srv://<username>:<password>@<clustername>.mongodb.net/<dbname>?tls=true'
mongoconn <- mongolite::mongo(
  collection = 'test',
  db = 'test',
  url = url,
  verbose = T,
  options = mongolite::ssl_options(weak_cert_validation = TRUE))

I receive:

Warning: [ERROR] Failed to initialize security context, error code: 0x80090330: The specified file could not be decrypted.
Warning: [ERROR] Failed to initialize security context, error code: 0x80090330: The specified file could not be decrypted.
Warning: [ERROR] Failed to initialize security context, error code: 0x80090330: The specified file could not be decrypted.
Error: No suitable servers found (`serverSelectionTryOnce` set): [Failed to initialize security context, error code: 0x80090330: The specified file could not be decrypted.
 calling hello on '<clustername>.mongodb.net:27017'] [Failed to initialize security context, error code: 0x80090330: The specified file could not be decrypted.
 calling hello on '<clustername>.mongodb.net:27017'] [Failed to initialize security context, error code: 0x80090330: The specified file could 

I am able to connect using pymongo and MongoDB Compass using the same username/password and clustername. I have also followed the advice in this thread as suggested above, but it did not help.

Any other ideas would be appreciated!

jeroen commented 1 year ago

@JulianUmbhau which operating system are you on? Does this work for you?

library(mongolite)
example(mongo)

JulianUmbhau commented 1 year ago

@jeroen I am running Windows10 Home (Version 10.0.19044 Build 19044). I just tested on my work PC, running Windows10 Enterprise (Version 10.0.19043 Build 19043). On that PC it works well, both connecting to MongoDB Atlas and with the example(mongo). The R versions are also the same, and mongolite is updated to the most recent from CRAN. So I'm guessing I have to look into reinstalling R.