mashingan / anonimongo

Another Nim pure Mongo DB driver
MIT License

can't connect to atlas mongo server #5

Closed timotheecour closed 4 years ago

timotheecour commented 4 years ago

hi @mashingan I've been using nimongo but hit a wall when trying to connect to atlas mongo server, for several reasons detailed in https://github.com/SSPkrolik/nimongo/issues/87

I'm hoping anonimongo could help, since it apparently supports more authentication options, but right now it doesn't work:

test program

import strformat, uri
import anonimongo
let uriserver = "mongodb://myuser:mypw@mongoatlas4-shard-00-00.xxx.mongodb.net:27017/admin?ssl=true"
var mongo = newMongo(parseURI uriserver)
var coll = mongo["test"]["col1"]
let currNDoc = waitfor coll.count()
echo currNDoc
close mongo

uriserver = "mongodb://myuser:mypw@mongoatlas4-shard-00-00.xxx.mongodb.net:27017/admin?ssl=true". I can connect using the mongo shell with that URI (from which I've removed all non-essential query params, e.g. &replicaSet=atlas-yyy-shard-0, to simplify to the maximum), but here it fails with:

/Users/timothee/.nimble/pkgs/anonimongo-0.2.0/anonimongo/core/types.nim(219) newMongo Error: unhandled exception: option tlsCertificateKeyFile not provided [MongoError]

note that tlsCertificateKeyFile isn't needed when I connect with the mongo shell or libmongoc/libmongocxx, so I'm suspecting something is wrong here

(and I'm not sure it connected, since atlas mongo requires ssl)

links

mashingan commented 4 years ago

As for the protocol, mongo+srv is mentioned as initial DNS seedlist discovery. I haven't looked at it carefully but it may be related to multi-URL connections also.

As for the usage with SSL, tlsCertificateKeyFile is needed because the newContext proc needs to be provided with the key and cert file names as arguments. Since libmongoc/libmongocxx doesn't require it, and the newContext proc defaults to an empty file name, I'll check whether it's okay to omit the key and cert requirement.

Also, I forgot to add the guard for the case where it isn't compiled with the -d:ssl option but the ssl query is still used in the URL. Will add it later.
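A sketch, added here and not anonimongo's own code or part of this thread, of how the TLS settings could be derived from the URI so that the client certificate is optional (server verification stays on) and an ssl=true URI in a build without -d:ssl is rejected instead of silently using plaintext. TlsOptions, tlsOptionsFromQuery, checkTlsSupport and tlsContext are hypothetical names; the host in the usage block is made up.

```nim
# Added example (not anonimongo code): TLS options for a mongodb:// URI where
# tlsCertificateKeyFile is optional and a missing -d:ssl build fails loudly.
import std/[uri, strutils]

type
  TlsOptions* = object
    enabled*: bool        ## ssl=true or tls=true was given in the query
    certKeyFile*: string  ## tlsCertificateKeyFile: one PEM holding cert and key
    caFile*: string       ## tlsCAFile: CA bundle used to verify the server

proc tlsOptionsFromQuery*(query: string): TlsOptions =
  ## Parse "k=v&k2=v2"; options that are absent stay empty/false.
  for pair in query.split('&'):
    if pair.len == 0: continue
    let kv = pair.split('=', maxsplit = 1)
    let val = if kv.len > 1: decodeUrl(kv[1]) else: ""
    case kv[0].toLowerAscii
    of "ssl", "tls": result.enabled = (val.toLowerAscii == "true")
    of "tlscertificatekeyfile": result.certKeyFile = val
    of "tlscafile": result.caFile = val
    else: discard

proc checkTlsSupport*(opts: TlsOptions) =
  ## Guard: the URI asks for TLS but the binary was built without -d:ssl.
  when not defined(ssl):
    if opts.enabled:
      raise newException(ValueError,
        "URI requests ssl=true but this build lacks -d:ssl")

when defined(ssl):
  import std/net
  proc tlsContext*(opts: TlsOptions): SslContext =
    ## Server verification stays on (CVerifyPeer; an empty caFile falls back to
    ## the default store). A client certificate is loaded only when the URI
    ## names one, so a bare ssl=true URI needs no tlsCertificateKeyFile.
    ## MongoDB's tlsCertificateKeyFile is a combined PEM, hence cert == key file.
    newContext(verifyMode = CVerifyPeer,
               certFile = opts.certKeyFile, keyFile = opts.certKeyFile,
               caFile = opts.caFile)

when isMainModule:
  # Constructed URI (hypothetical host), same shape as the one in this issue.
  let u = parseUri("mongodb://myuser:mypw@host.example.net:27017/admin?ssl=true")
  let opts = tlsOptionsFromQuery(u.query)
  checkTlsSupport(opts)
  doAssert opts.enabled and opts.certKeyFile.len == 0
```

Compile with and without -d:ssl to see both paths: the first builds a context with no client certificate, the second raises at checkTlsSupport.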

mashingan commented 4 years ago

This is what happens when connecting without providing the certificate:

2020-08-09T10:16:25.704+0000 I NETWORK  [listener] connection accepted from 127.0.0.1:61478 #1 (1 connection now open)
2020-08-09T10:16:25.828+0000 E NETWORK  [conn1] no SSL certificate provided by peer; connection rejected
2020-08-09T10:16:25.830+0000 I NETWORK  [listener] connection accepted from 127.0.0.1:61479 #2 (2 connections now open)
2020-08-09T10:16:25.835+0000 I NETWORK  [conn1] Error receiving request from client: SSLHandshakeFailed: no SSL certificate provided by peer; connection rejected. Ending connection from 127.0.0.1:61478 (connection id: 1)
2020-08-09T10:16:25.835+0000 I NETWORK  [conn1] end connection 127.0.0.1:61478 (1 connection now open)
2020-08-09T10:16:25.922+0000 E NETWORK  [conn2] no SSL certificate provided by peer; connection rejected
2020-08-09T10:16:25.951+0000 I NETWORK  [conn2] Error receiving request from client: SSLHandshakeFailed: no SSL certificate provided by peer; connection rejected. Ending connection from 127.0.0.1:61479 (connection id: 2)
2020-08-09T10:16:25.953+0000 I NETWORK  [conn2] end connection 127.0.0.1:61479 (0 connections now open)

The mongod options provided are: --sslMode requireSSL --sslPEMKeyFile pemfile --sslCAFile cert

This is local Mongo though, haven't tried connecting to Atlas.


Ah, I see, it's because I provided the --sslCAFile option that I couldn't connect without providing the key and the cert.

mashingan commented 4 years ago

Could you try with this branch? https://github.com/mashingan/anonimongo/tree/fix-ssl-connections
and this snippet?

import uri
import anonimongo
import nimsha2, sha1

let uriserver = "mongodb://myuser:mypw@mongoatlas4-shard-00-00.xxx.mongodb.net:27017/admin?ssl=true"
var mongo = newMongo(parseURI uriserver, poolconn = 2)

mongo.slaveOk # needed as our mongo is master

if not waitfor mongo.connect:
  quit "Cannot connect"

# change to :SHA1Digest if the error printed "Only SCRAM-SHA-1 Support"
if not waitfor mongo.authenticate[:SHA256Digest]:
  quit "Cannot authenticate"

var coll = mongo["test"]["col1"]
let currNDoc = waitfor coll.count()
echo currNDoc
close mongo

Compile with SSL enabled (-d:ssl), e.g.: nim c -r -d:ssl file.nim

Also try other operations too; I tried connection, authentication and counting the collection only.
There could be something I missed.

timotheecour commented 4 years ago

Could you try with this branch?

seems to work, thanks!! but I need to try more things, will do tmrw

Also try other operations too, I tried connection, authentication and counting the collection only.

still need to try more; also I'm assuming the following don't work yet:

mashingan commented 4 years ago

For srv, I'll incorporate @ba0f3's dnsclient.

As for multiple replicas, I still have no idea whether it's managed from the Mongo server itself or managed from the driver. Will look later.

Yes, authMechanism=MONGODB-AWS still doesn't work.

timotheecour commented 4 years ago

As for multiple replicas, I still have no idea whether it's managed from the Mongo server itself or managed from the driver. Will look later.

=> tracking this here: https://github.com/mashingan/anonimongo/issues/6