Percona Toolkit / PT-1891

pt-mongodb-summary fails for SSL enabled mongodb instances

Details

    • Bug
    • Status: Done
    • High
    • Resolution: Fixed
    • 3.1.0, 3.2.1
    • 3.3.0
    • None

    Description

      Clone of https://jira.percona.com/browse/PT-1822

      Issue: unable to use pt-mongodb-summary for SSL-enabled MongoDB instances

      The issue still exists for MongoDB configured to use SSL.

      Looks like pt-mongodb-summary can't connect to SSL-enabled MongoDB.

       

      Test:

      # ./pt-mongodb-summary --version
      pt-mongodb-summary
      Version v3.2.1
      Build: 2020-08-12T21:06:41+0000 using go1.14.4
      Commit: 750d2ef9d9fbc6363eb7528e6be61e2bfda7ac79
      

      MongoDB with SSL configuration.

      mongodb.cnf
      
      # network interfaces
      net:
        port: 27017
        bindIp: 127.0.0.1
        ssl:
          mode: requireSSL
          PEMKeyFile: /etc/mongodb/mongodb.pem
          CAFile: /etc/mongodb/rootCA.pem
      

      case 1:

      SSL connection to mongodb via mongo client works fine.
      # mongo --host=localhost --ssl --sslCAFile /etc/mongodb/rootCA.pem --sslPEMKeyFile /etc/mongodb/mongodb.pem  -u mroot -p mroot123 --authenticationDatabase admin 
      
      
      # ./pt-mongodb-summary "localhost:27017" --authenticationDatabase admin --ssl --sslCAFile /etc/mongodb/rootCA.pem --sslPEMKeyFile /etc/mongodb/mongodb.pem  --username mroot --password mroot123  > pt-mongodb-summary.out;
      unknown option: --ssl
      
      Using the options mentioned in ./pt-mongodb-summary --help:
      
          --sslCAFile=value
                      SSL CA cert file used for authentication
           --sslPEMKeyFile=value
                      SSL client PEM file used for authentication
      
      # ./pt-mongodb-summary "localhost:27017" --authenticationDatabase admin --sslCAFile /etc/mongodb/rootCA.pem --sslPEMKeyFile /etc/mongodb/mongodb.pem  --username mroot --password mroot123  > pt-mongodb-summary_ssl.out
      Password: 
      ERRO[0100] Cannot get host info for "mongodb://localhost:27017": GetHostInfo.hostInfo: server selection error: server selection timeout, current topology: { Type: Unknown, Servers: [{ Addr: localhost:27017, Type: Unknown, State: Connected, Average RTT: 0, Last error: connection() : connection(localhost:27017[-181]) incomplete read of message header: EOF }, ] } 
      

      case 2:

      # mongo "localhost:27017" --authenticationDatabase admin --ssl --username mroot --password mroot123
      2020-09-21T18:30:44.392+0530 W  CONTROL  [main] Option: ssl is deprecated. Please use tls instead.
      MongoDB shell version v4.2.8
      connecting to: mongodb://localhost:27017/test?authSource=admin&compressors=disabled&gssapiServiceName=mongodb
      
      # ./pt-mongodb-summary "localhost:27017" --authenticationDatabase admin --username mroot --password mroot123 --ssl  > pt-mongodb-summary.out
      Password: 
      ERRO[0095] Cannot get host info for "mongodb://localhost:27017": GetHostInfo.hostInfo: server selection error: server selection timeout, current topology: { Type: Unknown, Servers: [{ Addr: localhost:27017, Type: Unknown, State: Connected, Average RTT: 0, Last error: connection() : connection(localhost:27017[-181]) incomplete read of message header: EOF }, ] } 
      
      
      mongodb logs:
      2020-09-21T18:45:14.975+0530 I  NETWORK  [conn720] Error receiving request from client: SSLHandshakeFailed: The server is configured to only allow SSL connections. Ending connection from 127.0.0.1:34312 (connection id: 720)
      2020-09-21T18:45:14.975+0530 I  NETWORK  [conn720] end connection 127.0.0.1:34312 (1 connection now open)
      2020-09-21T18:45:15.477+0530 I  NETWORK  [listener] connection accepted from 127.0.0.1:34316 #721 (2 connections now open)
      2020-09-21T18:45:15.478+0530 I  NETWORK  [conn721] Error receiving request from client: SSLHandshakeFailed: The server is configured to only allow SSL connections. Ending connection from 127.0.0.1:34316 (connection id: 721)
      2020-09-21T18:45:15.478+0530 I  NETWORK  [conn721] end connection 127.0.0.1:34316 (1 connection now open)
      

      case 3:

      # ./pt-mongodb-summary "localhost:27017" --authenticationDatabase admin --username mroot --password mroot123  > pt-mongodb-summary.out
      Password: 
      
      ERRO[0096] Cannot get host info for "mongodb://localhost:27017": GetHostInfo.hostInfo: server selection error: server selection timeout, current topology: { Type: Unknown, Servers: [{ Addr: localhost:27017, Type: Unknown, State: Connected, Average RTT: 0, Last error: connection() : connection(localhost:27017[-181]) incomplete read of message header: EOF }, ] } 
      
      
      mongodb error log:
      2020-09-21T18:40:41.491+0530 I  NETWORK  [conn338] Error receiving request from client: SSLHandshakeFailed: The server is configured to only allow SSL connections. Ending connection from 127.0.0.1:60646 (connection id: 338)
      2020-09-21T18:40:41.492+0530 I  NETWORK  [conn338] end connection 127.0.0.1:60646 (1 connection now open)
      2020-09-21T18:40:41.991+0530 I  NETWORK  [listener] connection accepted from 127.0.0.1:60650 #339 (2 connections now open)
      2020-09-21T18:40:41.992+0530 I  NETWORK  [conn339] Error receiving request from client: SSLHandshakeFailed: The server is configured to only allow SSL connections. Ending connection from 127.0.0.1:60650 (connection id: 339)
      2020-09-21T18:40:41.992+0530 I  NETWORK  [conn339] end connection 127.0.0.1:60650 (1 connection now open)
      

       

      Disabling SSL in mongodb.conf // working fine

      # ./pt-mongodb-summary "localhost:27017" --authenticationDatabase admin --username mroot --password mroot123 > pt-mongodb-summary.out
      Password: ERRO[0008] Cannot get hostnames: sharding not enabled   
      WARN[0008] [Error] cannot get replicaset members: sharding not enabled
      
      
      # cat pt-mongodb-summary.out 
      
      
      # Instances ##############################################################################################
        PID    Host                         Type                      ReplSet                   Engine									  
                                                no replica sets found
      
      # This host
      # Mongo Executable #######################################################################################
             Path to executable | /usr/bin/mongod
      # Report On lalit-ThinkPad-T480 ########################################
                           User | mongodb
                      PID Owner | mongod
                       Hostname | lalit-ThinkPad-T480
                        Version | 4.2.8
                       Built On | Linux x86_64
                        Started | 2020-09-21 18:53:39 +0530 IST
                        Datadir | /var/lib/mongodb
                      Processes | 1
                   Process Type | mongod
      
      # Running Ops ############################################################################################
      Type         Min        Max        Avg
      Insert           0          0          0/5s
      Query            0          0          0/5s
      Update           0          0          0/5s
      Delete           0          0          0/5s
      GetMore          0          0          0/5s
      Command          1          1          5/5s
      
      # Security ###############################################################################################
      Users  : 2
      Roles  : 0
      Auth   : enabled
      SSL    : disabled
      Port   : 27017
      Bind IP: 127.0.0.1
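
A triage check for the mongod log lines quoted in this report, added here as an example and not part of the ticket or of Percona Toolkit: it groups the SSLHandshakeFailed rejections by client address, so clients that speak plaintext to a requireSSL server can be identified. The function name PlaintextAttempts and the last sample line (client 10.0.0.5) are constructed for illustration.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// Log lines copied from the report above, plus one constructed line (the
// last one) from a second client address to show per-source grouping.
const sampleLog = `2020-09-21T18:45:14.975+0530 I  NETWORK  [conn720] Error receiving request from client: SSLHandshakeFailed: The server is configured to only allow SSL connections. Ending connection from 127.0.0.1:34312 (connection id: 720)
2020-09-21T18:45:14.975+0530 I  NETWORK  [conn720] end connection 127.0.0.1:34312 (1 connection now open)
2020-09-21T18:45:15.477+0530 I  NETWORK  [listener] connection accepted from 127.0.0.1:34316 #721 (2 connections now open)
2020-09-21T18:45:15.478+0530 I  NETWORK  [conn721] Error receiving request from client: SSLHandshakeFailed: The server is configured to only allow SSL connections. Ending connection from 127.0.0.1:34316 (connection id: 721)
2020-09-21T18:45:16.001+0530 I  NETWORK  [conn722] Error receiving request from client: SSLHandshakeFailed: The server is configured to only allow SSL connections. Ending connection from 10.0.0.5:50000 (connection id: 722)`

// Matches the message shown in the report's mongod log when a client sends
// plaintext to a requireSSL listener. Captures client host, port and conn id.
var plaintextRe = regexp.MustCompile(
	`SSLHandshakeFailed: The server is configured to only allow SSL connections\. ` +
		`Ending connection from (\S+):(\d+) \(connection id: (\d+)\)`)

// PlaintextAttempts returns, per client host, the connection ids that mongod
// rejected because the client never started a TLS handshake.
func PlaintextAttempts(log string) map[string][]string {
	out := map[string][]string{}
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		// Lines such as "connection accepted" or "end connection" do not match.
		if m := plaintextRe.FindStringSubmatch(sc.Text()); m != nil {
			out[m[1]] = append(out[m[1]], m[3])
		}
	}
	return out
}

func main() {
	for host, ids := range PlaintextAttempts(sampleLog) {
		fmt.Printf("%s: %d plaintext attempts (conn ids %v)\n", host, len(ids), ids)
	}
}
```

Repeated entries from one address at roughly half-second intervals, as in the report, point to a driver retrying server selection without TLS rather than to a certificate problem.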
        
      

       

            People

              carlos.salguero Carlos Salguero (Inactive)
              lalit.choudhary Lalit Choudhary
              Time Spent - 2 hours, 10 minutes