Mongo 4.4 Certificate Verification Failure

Hi there.

I’m running on my server, the “apt-get update” command and I get the following error:

Err:7 MongoDB Repositories bionic/mongodb-org/4.4 Release
Certificate verification failed: The certificate is NOT trusted. The certificate issuer is unknown. Could not handshake: Error in the certificate verification. [IP: 165.225.80.34 80]

The server has Ubuntu 18.04 on it. But no matter what I try, I cannot get past this error. I’ve pinged the IP address to make sure that my server can see the server, which it can.

The content of the list file in question is as follows:

root@EU001:/etc/apt/sources.list.d# more mongodb-org-4.4.list
deb [ arch=amd64,arm64 ] MongoDB Repositories bionic/mongodb-org/4.4 multiverse

If I download the server-4.4.asc and import it, makes no difference to the error I’m seeing.

Running “mongo --version” produces:

MongoDB shell version v4.4.22
Build Info: {
    "version": "4.4.22",
    "gitVersion": "fc832685b99221cffb1f5bb5a4ff5ad3e1c416b2",
    "openSSLVersion": "OpenSSL 1.1.1  11 Sep 2018",
    "modules": [],
    "allocator": "tcmalloc",
    "environment": {
        "distmod": "ubuntu1804",
        "distarch": "x86_64",
        "target_arch": "x86_64"
    }
}

Any help would be greatly appreciated.

Regards
James

Try updating the system’s ca-certificates package.

Hi Chris.

I did try that, using the command as follows:

root@EU002:/home/james# sudo apt install ca-certificates                
Reading package lists... Done
Building dependency tree       
Reading state information... Done
ca-certificates is already the newest version (20230311ubuntu0.18.04.1).
0 upgraded, 0 newly installed, 0 to remove and 19 not upgraded.

As well as running:

root@EU002:/home/james# update-ca-certificates
Updating certificates in /etc/ssl/certs...
0 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.

But to no avail.

Seems a little odd to me.

Any proxies, transparent or otherwise in the mix ?

The IP address returned also differs in that a reverse lookup does not give an Amazon Cloudfront address.

 dig -x 165.225.80.34

; <<>> DiG 9.16.1-Ubuntu <<>> -x 165.225.80.34
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 13204
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;34.80.225.165.in-addr.arpa.	IN	PTR

;; AUTHORITY SECTION:
80.225.165.in-addr.arpa. 180	IN	SOA	ns10.dnsmadeeasy.com. dns.dnsmadeeasy.com. 2009010102 43200 3600 1209600 180

;; Query time: 63 msec
;; SERVER: 192.168.1.254#53(192.168.1.254)
;; WHEN: Thu Dec 07 20:34:50 EST 2023
;; MSG SIZE  rcvd: 115

While the IP’s may differ from where I am in Canada I’d expect this to still be cloudfront addresses.

 dig  repo.mongodb.org

;; ANSWER SECTION:
repo.mongodb.org.	15	IN	CNAME	org.repo.release.build.10gen.cc.
org.repo.release.build.10gen.cc. 60 IN	A	18.67.17.79
org.repo.release.build.10gen.cc. 60 IN	A	18.67.17.21
org.repo.release.build.10gen.cc. 60 IN	A	18.67.17.32
org.repo.release.build.10gen.cc. 60 IN	A	18.67.17.30

for i in 18.67.17.{21,30,32,79}; do dig +short -x ${i}; done

server-18-67-17-21.yto50.r.cloudfront.net.
server-18-67-17-30.yto50.r.cloudfront.net.
server-18-67-17-32.yto50.r.cloudfront.net.
server-18-67-17-79.yto50.r.cloudfront.net.