Unclear error when PSMDB can't access client/CA certificates for KMIP auth
General
Escalation
Description
Hi,
When there aren’t enough permissions to access client/CA certificates for KMIP auth, PSMDB returns an unclear error which doesn’t indicate that there are any permission issues.
============
$ ls -lah /etc/mongodb
drwxr-xr-x. 2 root root 38 Mar 4 15:21 .
drwxr-xr-x. 86 root root 8.0K Mar 4 15:21 ..
-r--------. 1 root root 1.2K Mar 4 15:21 ca.crt
-r--------. 1 root root 6.1K Mar 4 15:21 mongod.pem
============
$ sudo -u mongod mongod --enableEncryption --kmipServerName 127.0.0.1 --kmipClientCertificateFile /etc/mongodb/mongod.pem --kmipServerCAFile /etc/mongodb/ca.crt
....
{"t":{"$date":"2025-03-04T16:07:00.466+00:00"},"s":"I", "c":"CONTROL", "id":21951, "ctx":"initandlisten","msg":"Options set by command line","attr":{"options":{"security":{"enableEncryption":true,"kmip":{"clientCertificateFile":"/etc/mongodb/mongod.pem","serverCAFile":"/etc/mongodb/ca.crt","serverName":"127.0.0.1"}}}}}
{"t":{"$date":"2025-03-04T16:07:00.481+00:00"},"s":"F", "c":"STORAGE", "id":29120, "ctx":"initandlisten","msg":"Data-at-Rest Encryption Error","attr":{"error":{"what":"Can't create encryption key database","reason":{"what":"key saving failed","reason":"saving the master key to the KMIP server failed: load_verify_file: asio.ssl error"},"encryptionKeyDatabaseDirectory":"/data/db/key.db"}}}
============
$ sudo chown mongod:mongod -R /etc/mongodb
============
$ ls -lah /etc/mongodb
drwxr-xr-x. 2 mongod mongod 38 Mar 4 15:21 .
drwxr-xr-x. 86 root root 8.0K Mar 4 15:21 ..
-r--------. 1 mongod mongod 1.2K Mar 4 15:21 ca.crt
-r--------. 1 mongod mongod 6.1K Mar 4 15:21 mongod.pem
============
$ sudo -u mongod mongod --enableEncryption --kmipServerName 127.0.0.1 --kmipClientCertificateFile /etc/mongodb/mongod.pem --kmipServerCAFile /etc/mongodb/ca.crt
....
{"t":{"$date":"2025-03-04T16:07:57.733+00:00"},"s":"I", "c":"CONTROL", "id":21951, "ctx":"initandlisten","msg":"Options set by command line","attr":{"options":{"security":{"enableEncryption":true,"kmip":{"clientCertificateFile":"/etc/mongodb/mongod.pem","serverCAFile":"/etc/mongodb/ca.crt","serverName":"127.0.0.1"}}}}}
{"t":{"$date":"2025-03-04T16:07:57.806+00:00"},"s":"I", "c":"STORAGE", "id":29116, "ctx":"initandlisten","msg":"Master encryption key has been created on the key management facility","attr":{"keyManagementFacilityType":"KMIP server","keyIdentifier":{"kmipKeyIdentifier":"1"}}}
============
Please change PSMDB behavior so the error is clear for the end user.
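The root cause in the report is ordinary POSIX access control: mongod runs as the mongod user, the certificate files are root-owned with mode 0400, and asio surfaces the resulting EACCES only as "load_verify_file: asio.ssl error". The following preflight script is an added example (not Percona's or PSMDB's code) that reproduces the permission decision from stat() data and prints the kind of message the reporter is asking for. It assumes the service user is named mongod and, in the constructed sample below, that its uid/gid is 996; on a real host it resolves the user with pwd and os.getgrouplist and also checks that every parent directory is searchable.

```python
"""Preflight: can the mongod service user read the KMIP certificate files?

Added example, not PSMDB code. The uid/gid 996 used for the sample
listing is constructed; real runs resolve the user from the passwd database.
"""
import os
import pwd
import stat
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set


@dataclass(frozen=True)
class FileIdentity:
    """The parts of a stat() result that decide POSIX discretionary access."""
    path: str
    mode: int   # permission bits only, e.g. 0o400
    uid: int
    gid: int


def _bit_allowed(f: FileIdentity, uid: int, gids: Set[int],
                 owner_bit: int, group_bit: int, other_bit: int) -> bool:
    # POSIX picks exactly one class: owner if uid matches, else group if any
    # of the user's groups matches, else other. Root bypasses these checks.
    if uid == 0:
        return True
    if f.uid == uid:
        return bool(f.mode & owner_bit)
    if f.gid in gids:
        return bool(f.mode & group_bit)
    return bool(f.mode & other_bit)


def can_read(f: FileIdentity, uid: int, gids: Set[int]) -> bool:
    return _bit_allowed(f, uid, gids, stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH)


def can_traverse(d: FileIdentity, uid: int, gids: Set[int]) -> bool:
    # A directory needs the execute (search) bit to reach entries inside it.
    return _bit_allowed(d, uid, gids, stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH)


def diagnose(f: FileIdentity, user: str, uid: int, gids: Set[int]) -> Optional[str]:
    """None when the user can read the file, else a message naming owner and mode."""
    if can_read(f, uid, gids):
        return None
    return (f"{user} (uid {uid}) cannot read {f.path}: owned by uid {f.uid}:gid {f.gid}, "
            f"mode {f.mode:04o} ({stat.filemode(stat.S_IFREG | f.mode)}); "
            f"chown it to {user} or grant group read")


def check_identities(files: Iterable[FileIdentity], user: str,
                     uid: int, gids: Set[int]) -> List[str]:
    """Pure check over already-collected stat data; returns the list of problems."""
    return [msg for msg in (diagnose(f, user, uid, gids) for f in files) if msg]


def identity_of(path: str) -> FileIdentity:
    st = os.stat(path)
    return FileIdentity(path, stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid)


def preflight(paths: Iterable[str], user: str = "mongod") -> List[str]:
    """Stat the real files and every ancestor directory as the given user would see them."""
    pw = pwd.getpwnam(user)
    gids = set(os.getgrouplist(user, pw.pw_gid))
    problems: List[str] = []
    for p in paths:
        try:
            d = os.path.dirname(os.path.abspath(p))
            while True:  # walk up to "/" checking the search bit on each directory
                ident = identity_of(d)
                if not can_traverse(ident, pw.pw_uid, gids):
                    problems.append(f"{user} cannot search directory {d} (mode {ident.mode:04o})")
                if d == os.path.dirname(d):
                    break
                d = os.path.dirname(d)
            problems.extend(check_identities([identity_of(p)], user, pw.pw_uid, gids))
        except FileNotFoundError:
            problems.append(f"{p} does not exist")
    return problems


if __name__ == "__main__":
    import sys
    # usage: preflight.py [USER] [FILE ...]; defaults mirror the paths in the report
    svc_user = sys.argv[1] if len(sys.argv) > 1 else "mongod"
    files = sys.argv[2:] or ["/etc/mongodb/mongod.pem", "/etc/mongodb/ca.crt"]
    for line in preflight(files, svc_user) or [f"OK: {svc_user} can read all KMIP files"]:
        print(line)
```

Run it as root (or any user allowed to stat the files) before starting mongod; it never needs to switch to the service user, because the decision is computed from ownership and mode bits alone. The constructed "before" listing from the report (root:root, 0400) yields one problem per certificate, and the "after" listing (mongod:mongod, 0400) yields none, which matches the two mongod start attempts above.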
I’ve backported the fix to the branches v7.0 and v6.0.
Konstantin Trushin
March 27, 2025 at 12:03 PM
I’ve implemented the fix. After review, I’ve merged it into the master and v8.0 branches. Prior to merging into v7.0, I need to compile it locally on Ubuntu 22.04 (v7.0 doesn’t support 24.04), but I don’t have a development environment based on this Ubuntu version at the moment. I plan to create the environment tomorrow and continue with backporting the fix to v7.0.
Konstantin Trushin
March 11, 2025 at 1:23 PM
The error message is indeed unclear. The issue needs an investigation on whether we can extract a more specific error from the network library (asio).