TLS configuration problem with tlsCertificateKeyFile

Lukasz_Czajkowski · 2024-10-21T13:22:55.420Z

Hi

I have issue with tls configuration. I configured tls according documentation (tls, mode, certificateKeyFile and CAFile). I have two files - key.pem where is private key and certificate, second file ca.pem has rootca certificate. Mongodb working and so on. Whereas I have problem with connection to server though mongosh. I’m passing parameter --tls, --tlsCertificateKeyFile and --tlsCAFile during connection.
If I’m providing tlsCertificateKeyFile with certificate only, error is appearing - MongoServerSelectionError: error:1E08010C:DECODER routines::unsupported
If I’m providing private key only - error is appearing: MongoServerSelectionError: error:0480006C:PEM routines::no start line

If I’m useing --tlsCertificateKeyFile where is private key and certificate, mongosh is able to connect to server. Therefore this solution for me is strange because in connection I have to pass cert and private key. I am used to passing only certificate chain without private key. Private key is reserved for server only in this case.

Does someone expose this case me? Or maybe I doing wrong something?

chris · 2024-10-21T22:37:00.467Z

Hi @Lukasz_Czajkowski

To connect to a tls enabled cluster without being required to provide a client certificate use the net.tls.allowConnectionsWithoutCertificates option.

ref:
https://www.mongodb.com/docs/manual/reference/configuration-options/#mongodb-setting-net.tls.allowConnectionsWithoutCertificates

Lukasz_Czajkowski · 2024-10-22T11:42:01.009Z

First of all, I thanks for your reply.

I saw this parameter such is allowConnectionsWithoutCertificates but I saw too that it is bypass only.

I understand that there isn’t another way to passing public certification only, without private key?

If everythings is true what I’m writing that We have to more treat tls as encryption than authorization

chris · 2024-10-22T13:35:27.782Z

I would not classify it as a bypass.

This is the most common scenario of tls. The client connects without presenting a certificate.

The client still has verify and trust the server certificate.