Connect MongoDB with SSL and self-signed certificate #3877

Open
gsuess opened this issue Dec 6, 2016 · 20 comments

@gsuess

commented Dec 6, 2016

Still cannot use metabase with mongodb hosted on compose.io.

Reason:

Compose.IO uses self-signed SSL certificates for each deployment.

Therefore there needs to be a way to supply a custom pem file for this.

Without it I get this error:

12-06 17:50:48 ERROR metabase.driver :: Failed to connect to database: com.mongodb.MongoTimeoutException: Timed out after 3000 ms while waiting for a server that matches ReadPreferenceServerSelector{readPreference=primary}. Client view of cluster state is {type=UNKNOWN, servers=[{address=aws-eu-west-1-portal.X.dblayer.com:XXXXX, type=UNKNOWN, state=CONNECTING, exception={com.mongodb.MongoSocketWriteException: Exception sending message}, caused by {javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target}, caused by {sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target}, caused by {sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target}}] 
@gsuess (Author)

commented Dec 6, 2016

Not at all familiar with clojure (or LISP), but here is what I can share...

https://www.compose.com/articles/connecting-to-the-new-mongodb-at-compose/#whatsthatsslallowinvalidcertificates

So to add support for it, an option on the UI where users can paste the public key is required, which would be basically just another connection option.

@j005u

commented Dec 9, 2016

This worked for me.

Save your certificate to disk and convert it to a jks trust store with the Java keytool like so:
keytool -import -alias cacert -storepass changeit -keystore cacerts.jks -file compose-cert.pem

Then run metabase with:
java -Djavax.net.ssl.trustStore=cacerts.jks -Djavax.net.ssl.trustStorePassword=changeit -jar metabase.jar

You should be able to add more than one certificate with the same command, just give them different aliases. You might run into some trouble while trying to connect to anything with SSL not in the custom trust store like this, not entirely sure.

Only figured this out because I was running into similar problems with another Java based BI tool.

@camsaul (Member)

commented Dec 9, 2016

@j005u thanks for the tip. @gsuess can you try and see if that works for you?

If so I'll add this to the documentation so others can find it as well 😻

@gsuess (Author)

commented Dec 11, 2016

Well I guess I would have to fork the heroku build for that... Not an easy undertaking, but will look into it.

@j005u

commented Dec 14, 2016

So I can confirm that the above method will break connecting to other SSL services as they're no longer in the trust store. For example Slack integration will no longer work.

This will work however:

cp /usr/lib/jvm/default-jvm/jre/lib/security/cacerts ./cacerts.jks
keytool -import -alias cacert -storepass changeit -keystore cacerts.jks -file compose-cert.pem

java -Djavax.net.ssl.trustStore=cacerts.jks -Djavax.net.ssl.trustStorePassword=changeit -jar metabase.jar

Also, for Docker, one can use _JAVA_OPTIONS instead of JAVA_OPTIONS to pass the extra arguments as the latter is overwritten by /app/run_metabase.sh.

From my days with digital signatures and Android, I'm pretty sure a proper solution would be to programmatically add another trust store in addition to the global one. That way you should also be able to support common cert formats instead of needing to convert everything to .jks.

@gsuess (Author)

commented Dec 20, 2016

Yea that works. Thank you @j005u.

For heroku I had to commit the keystore to a metabase-deploy fork and modify /bin/start accordingly, which is not ideal.

@camsaul (Member)

commented May 4, 2017

@j005u, do you think you could submit a PR to support programmatically adding another trust store? If you have a sense of what needs to be done and some basic familiarity with Clojure, we'd love to have you as a contributor and would welcome a PR to support this 👍

@j005u

commented May 4, 2017

Sorry, I'm not familiar with Clojure at all.

http://stackoverflow.com/a/24561444

I believe that answer encapsulates pretty much everything you need to do in Java to get this to work smoothly, unless you're willing to specify trust stores per connection.

http://stackoverflow.com/a/21777005

And instead of loading from a .jks file you can just create it programmatically from the .pem. Translating this to Clojure (same vm and libs, no?) will have to be an exercise for someone else.

Good luck.
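The "additional trust store" approach from the two comments above, written out as an added Java example (not Metabase's own code and not the Stack Overflow answers verbatim): the PEM file is loaded into an in-memory KeyStore, and a composite trust manager consults the JVM's default CAs first and the custom store second, so Slack and other public TLS endpoints keep working. The class name, the `pemPath` parameter and the `custom-N` aliases are assumptions made for this example.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.stream.Stream;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
public final class CompositeTrust {
    // Wraps a key store (null = the JVM's default cacerts) in an X509TrustManager.
    private static X509TrustManager trustManagerFor(KeyStore ks) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        return (X509TrustManager) tmf.getTrustManagers()[0]; // the PKIX factory yields one X509TrustManager
    }
    // Reads every certificate in a PEM bundle into an empty in-memory key store (no .jks conversion).
    private static KeyStore keyStoreFromPem(String pemPath) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null);
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        int i = 0; // alias scheme "custom-N" is an assumption of this example
        try (FileInputStream in = new FileInputStream(pemPath)) {
            for (Certificate c : cf.generateCertificates(in)) ks.setCertificateEntry("custom-" + i++, c);
        }
        return ks;
    }
    // Server chains are checked against the default CAs first, then the PEM; if neither validates, the
    // handshake fails with the usual CertificateException instead of silently trusting everything.
    public static SSLContext sslContext(String pemPath) throws Exception {
        final X509TrustManager jvm = trustManagerFor(null);
        final X509TrustManager custom = trustManagerFor(keyStoreFromPem(pemPath));
        X509TrustManager composite = new X509TrustManager() {
            public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
                try { jvm.checkServerTrusted(chain, authType); }
                catch (CertificateException e) { custom.checkServerTrusted(chain, authType); }
            }
            public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
                jvm.checkClientTrusted(chain, authType);
            }
            public X509Certificate[] getAcceptedIssuers() {
                return Stream.concat(Stream.of(jvm.getAcceptedIssuers()), Stream.of(custom.getAcceptedIssuers())).toArray(X509Certificate[]::new);
            }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] {composite}, null);
        return ctx;
    }
}
```

The resulting context can be handed to the 3.x Mongo Java driver through `MongoClientOptions.builder().sslEnabled(true).sslContext(ctx)` (the `sslContext` builder method exists in driver 3.5 and later), which keeps the global cacerts untouched and avoids `-Djavax.net.ssl.trustStore` entirely.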

@camsaul camsaul added the Help Wanted label May 4, 2017

@camsaul (Member)

commented May 4, 2017

Looks like Mongo has documentation for configuring the trust store at http://mongodb.github.io/mongo-java-driver/3.0/driver/reference/connecting/ssl/

@jsmestad

commented Feb 6, 2018

Would love to get a way to upload a self-signed cert in the UI :(

@madhums

commented May 15, 2018

Has anyone gotten this to work?

@phthano

commented May 24, 2018

This is a pain again for me. Please update metabase to be more usable through the UI using self-signed certs.

@Kalli

commented Aug 8, 2018

I'm having some issues with a Compose hosted MongoDB as well. I've followed the instructions above, and I believe that the trust store should have the certificate (following j005u's recommendations from above and the SSL certificate that Compose provides). Is there a way to confirm that this is working?

  • Running Metabase 0.29.3 via Docker (kubernetes).
  • Using MongoDB 3.2.11

This is the error that I get when trying to add the Mongo db:

com.mongodb.MongoTimeoutException: Timed out after 3000 ms while waiting for a server that matches ReadPreferenceServerSelector{readPreference=primary}. Client view of cluster state is {type=UNKNOWN, servers=[{address=***, type=UNKNOWN, state=CONNECTING, exception={com.mongodb.MongoSocketReadException: Prematurely reached end of stream}}]

I'm seeing reports of similar errors in #6678 but the solutions mentioned there do not help. Any help appreciated, thanks!

@tjramage

commented Nov 12, 2018

@Kalli — I had the exact same issues as you with my Compose hosted MongoDB (3.6.8) setup. However, @BoLaMN's custom Docker image fixed everything for me, as outlined in #6678. Have you tried that?

@Kalli

commented Nov 19, 2018

Thanks for the info @tjramage, I had not tried that image, I will investigate.

@tjramage

commented Nov 24, 2018

@Kalli — let me know if it works. Would be great to get @BoLaMN's changes into the next official Metabase release.

@0xicl33n

commented Dec 12, 2018

I am having a similar problem with my scalegrid cluster and self-signed cert.

Why?

12-12 21:53:57 WARN driver.uri :: Unsupported option 'ssl_ca_certs' in the connection string 'mongodb://localhost/?readPreference=nearest&replicaSet=RS-spykedbShared-0&ssl=true&ssl_ca_certs=db.key'. 12-12 21:54:00 ERROR metabase.driver :: Failed to connect to database: com.mongodb.MongoTimeoutException: Timed out after 3000 ms while waiting for a server that matches com.mongodb.client.internal.MongoClientDelegate$1@cec3473. Client view of cluster state is {type=REPLICA_SET, servers=[{address=sg-spykedbshared-13536.servers.mongodirector.com:45801, type=UNKNOWN, state=CONNECTING, exception={com.mongodb.MongoSocketWriteException: Exception sending message}, caused by {javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target}, caused by {sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target}, caused by {sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target}}]

Except, I didn't put in localhost, I put in the actual hostname, but Metabase doesn't read that either?

I thought this would be fixed by #6678 (comment) because v0.31.2 is supposed to fix this (it doesn't).

Running from a jar file. db.key is in the same folder as metabase.jar.

@Kalli

commented Dec 19, 2018

@tjramage apologies for the late reply, we ended up not needing to try it out; we were able to connect now that Compose is using Let's Encrypt certs: https://www.compose.com/articles/mongodb-and-lets-encrypt-certificates-noteworthy-at-compose/

@soerenmartius

commented Apr 5, 2019

Did anyone find a workaround for "Unsupported option 'ssl_ca_certs' in the connection string" yet?

@0xicl33n

commented Apr 11, 2019

Is there really no fix to this?
