SSL issue with the MongoDB connection in the WAS application

henok_micael · 2024-01-20T21:33:08.233Z

I currently have a project in production with legacy driver versions as mentioned below.

    compile group: 'org.mongodb', name: 'mongo-java-driver', version: '3.12.7'
compile group: 'org.mongodb', name: 'mongodb-driver-core', version: '3.12.7'
compile group: 'org.mongodb.morphia', name: 'morphia', version: '1.3.1'

Due to our recent upgrade to MongoDB 7.0 from 4, we need to upgrade the driver versions as well to a version below.

compile group: 'org.mongodb', name: 'mongodb-driver-sync', version: '4.1.0'
	compile group: 'org.mongodb', name: 'mongodb-driver-legacy', version: '4.1.0'
	compile group: 'dev.morphia.morphia', name: 'core', version: '1.6.1'

After upgrading my driver, I am having issues with SSL connection that didn’t occur with the previous version.

com.mongodb.MongoTimeoutException: Timed out after 30000 ms while waiting for a server that matches com.mongodb.client.internal.MongoClientDelegate$1@4dda0835. Client view of cluster state is {type=REPLICA_SET, servers=[{address=xxx:1024, type=UNKNOWN, state=CONNECTING, exception={com.mongodb.MongoSocketWriteException: Exception sending message}, caused by {javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.h: PKIX path building failed: com.ibm.security.cert.IBMCertPathBuilderException: unable to find valid certification path to requested target}, caused by {com.ibm.jsse2.util.h: PKIX path building failed: com.ibm.security.cert.IBMCertPathBuilderException: unable to find valid certification path to requested target}, caused by {com.ibm.security.cert.IBMCertPathBuilderException: unable to find valid certification path to requested target}}, {address=xxx:1025, type=UNKNOWN, state=CONNECTING, exception={com.mongodb.MongoSocketWriteException: Exception sending message}, caused by {javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.h: PKIX path building failed: com.ibm.security.cert.IBMCertPathBuilderException: unable to find valid certification path to requested target}, caused by {com.ibm.jsse2.util.h: PKIX path building failed: com.ibm.security.cert.IBMCertPathBuilderException: unable to find valid certification path to requested target}, caused by {com.ibm.security.cert.IBMCertPathBuilderException: unable to find valid certification path to requested target}}, {address=xxx:1026, type=UNKNOWN, state=CONNECTING, exception={com.mongodb.MongoSocketWriteException: Exception sending message}, caused by {javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.h: PKIX path building failed: com.ibm.security.cert.IBMCertPathBuilderException: unable to find valid certification path to requested target}, caused by {com.ibm.jsse2.util.h: PKIX path building failed: com.ibm.security.cert.IBMCertPathBuilderException: unable to find valid certification path to requested target}, caused by {com.ibm.security.cert.IBMCertPathBuilderException: unable to find valid certification path to requested target}}]

Using Java version = 1.8.0_271

chris · 2024-01-22T00:11:24.627Z

Hi @henok_micael

TLS trsut change issue, there might me a missing root and/or intermediate certificate.

A java update to a more recent release (or version) may resolve this,

If a custom/internal certificate authority is in use try adding root and intermediates to the trust store.
https://www.mongodb.com/docs/drivers/java/sync/current/fundamentals/connection/tls/#enable-tls-ssl

henok_micael · 2024-01-22T02:24:19.291Z

Thanks for the response @chris.

Currently, upgrading Java is not feasible as it will require a significant amount of effort. However, I am confused about something. I have a certificate that I am already using for the previous version (3.12.7), and I can see in my logs that TLSV1.2 protocol is being used for the handshake. Can you help me understand what I might be missing here?