Trying to connect the latest metabase version to a MongoDB instance that expects a client-side SSL cert, and cannot get it to work (after trying many possible configurations). I would expect it to be a pretty standard scenario and not sure why it doesn’t work.
Metabase is launched with the following command:
docker run -d -p 8443:8443 -e ‘MB_JETTY_SSL=true’ -e ‘MB_JETTY_SSL_Port=8443’ -e ‘MB_JETTY_SSL_Keystore=/app/client.jks’ -e ‘MB_JETTY_SSL_Keystore_Password=password’ --name metabase metabase/metabase
Logs are as follows:
Metabase logs:
com.mongodb.MongoTimeoutException: Timed out after 3000 ms while waiting to connect. Client view of cluster state is {type=UNKNOWN, servers=[{address=:27017, type=UNKNOWN, state=CONNECTING, exception={com.mongodb.MongoSocketReadException: Prematurely reached end of stream}}]
Mongo logs:
I NETWORK [thread1] connection accepted from :47294 #30 (25 connections now open)
I - [conn30] AssertionException handling request, closing client connection: 17189 The server is configured to only allow SSL connections
The SSL cert itself seems ok since I can use it successfully when connecting with a simple Mongo client.
Searching this forum, I see earlier reports on a similar issue that the newest metabase version is supposed to fix, but looks like it’s still not working in my case with this newest version.
Anybody tried this configuration before and seen it working? Happy to try any suggestions anybody may have.
I might be misunderstanding something, since I’m not using MongoDB, but those environment variables you’re using to run Docker, doesn’t have anything to do with the configuration of the database.
Those variables are for enabling https on Jetty (the internal web server).
Do you have ssl=true in your connection string in the database configuration? (Admin > Databases)
Thanks @flamber for the quick reply. Some clarifications for now, but we’ll be running additional testing in parallel:
The metabase version is the latest one on the hub, which I think it 0.32.9. I don’t know if the 0.33 preview has any additional fixes in that area.
ssl=true is on the connection string.
And we are following the suggestion in https://github.com/metabase/metabase/issues/3877 for sure, just doesn’t seem to work for us.
@AlexB
Okay, so you are using a self-signed certificate?
If it’s easier to test with a plain JAR-file, then do that to begin with - then you can always figure out how to make the same configuration for Docker.
We have an internal certificate authority we use for issuing sever-side and client-side certs.
The connection configuration form allows to set the ssl flag and a custom ca, but doesn’t have a way for configuring the client cert, that way.
Trying to setup the certificates via uri doesn’t work either (mongodb://user:pass@my.host:27017/mydb?replicaSet=myrs&authSource=admin&tls=true&tlsCertificateKeyFile=/path/to/client.pem&tlsCAFile=/path/to/ca.crt)
has anyone been successful connecting metabase to mongo with client side certificates?
@danielt Is the custom CA certificate chained - otherwise you need to add the root CA to the certificate.
Have you tried connecting with any other JDBC tool like dbeaver.io ?