MongoDB SSL Connection Broken after 31.2

Hello,
I have noticed that I am not able to add a MongoDB database with ssl connection in version 0.35.4 and get it working. I tried many different versions of metabase and found that the same config actually works in version 0.31.2. It seems like enabling ssl broke, as my mongodb instance says that all the connections are not using ssl. Does anyone have a solution, such as messing with the included mongodb client (I prefer not)? I used only my ca.pem from mongodb to import into my java keystore cacerts, per other suggestions (I need both trust and key specified to get it to work).

Here is my java version:
openjdk jre 1.8.238
Here is my java options:
java -Djavax.net.ssl.trustStore=/opt/cacerts.jks -Djavax.net.ssl.trustStorePassword=changeit -Djavax.net.ssl.keyStore=/opt/cacerts.jks -Djavax.net.ssl.keyStorePassword=changeit -jar /opt/metabase.jar
Working config:

Hi @shane.emery
Version 0.36.0 will have an option to input custom certificates.
I haven’t seen anyone using keyStore in the parameters - trustStore should be enough.
Are you doing a keytool -import ... ? See the comments here for various workarounds:
https://github.com/metabase/metabase/issues/3877

I used this command syntax to import my MongoDB CA file into a copy of my openjdk cacerts from /etc/pki/java/cacerts:

cp /etc/pki/java/cacerts /opt/
mv /opt/cacerts /opt/cacerts.jks
keytool -import -noprompt -trustcacerts -alias mongodb_dev_ca -file /opt/github/mongodb-dev-ca.pem -keystore /opt/cacerts -storepass changeit

@shane.emery You’re moving the cert and then pointing keytool to the old location, not sure I understand the reason for that.

That was a typo.
My mongodb dev instance is configured with CA file: /opt/github/mongodb-dev-ca.pem

This is the keytool command:
keytool -import -noprompt -trustcacerts -alias mongodb_dev_ca -file /opt/github/mongodb-dev-ca.pem -keystore /opt/cacerts.jks -storepass changeit

I am primarily confused why this same config or something similar does not work with the new versions, such as 0.35.4. The connection string option “ssl=true” doesn’t seem to enable an ssl connection negotiation with the mongodb.

@shane.emery I don’t know - a lot has changed since 0.31.2. But I remember some problems for some connections upon upgrading, where metabase_database.details would have "ssl":false set even though it used to be true - or vice versa. So check your application database.
If I remember correctly, with MongoDB you cannot define ssl=true in the connection string - it’s an option that needs to be defined on the connection.

Hello,
Thanks for the tip. Keep in mind I am not specifying this as an application DB for metabase to use. How would I specify ssl in the connection, if not in the connection string option on the “add database” page? Does this get defined in the mongodb client plugin?

@shane.emery You can only use H2, Postgres and MariaDB/MySQL as application databases. But your datasources are stored in the application database table metabase_database.

I looked, and my problem is very similar to this one, except the reverse:

I’m using the simple jar with the default h2 backend database configured. I am having trouble finding documentation on connecting to this backend to possibly edit the table metabase_database. Any ideas?

@shane.emery Migrate away from H2:
https://www.metabase.com/docs/latest/operations-guide/migrating-from-h2.html

I migrated to using a local mysql v8 instance and see that the related ssl values saved in the metabase_database table row for my mongodb connection includes this:
"additional-options":"ssl=true","ssl":true,

I have also noticed I can upgrade to 35.4 locally, and it saves the connection, which works fine. I still cannot fathom how to get a fresh new mongodb connection saved onto an existing metabase instance running 35.4 in our dev environment. Guess I will have to wait for 36.0?

@shane.emery It should be doing the same for new connections on your local 0.35.4 and production 0.35.4. Not sure why you’re seeing different behavior with the same version for creating the same new connection on different instances.
https://github.com/metabase/metabase/blob/release-0.35.x/modules/drivers/mongo/src/metabase/driver/mongo/util.clj#L58-L71

I take that back. In the latest version 35.4 it behaves the same in both environments. It looks like in the “add database” section, when I go to save/test the connection it fails because it doesn’t establish an ssl connection. Once it’s past this and saved into the application db, it then seems to establish an ssl connection properly.
I wonder if these are 2 different functions in the metabase code?

@shane.emery It shouldn’t save unless the validation works, so not sure how you’re getting past that point.
https://github.com/metabase/metabase/blob/release-0.35.x/src/metabase/api/database.clj#L481-L489

I’m getting past the validation point in version 31.2 and saving it to the application db. Then I upgrade to version 35.4 and see that exploring data still works. Yes, if I go to view my database connections and look at the mongodb, the validation fails in version 34.5 ultimately.

@shane.emery Okay, then the problem of getting past the validation is fixed, since it only occurs on 0.31.2.
You have three options. Stay with 0.31.2, or wait for 0.36.0, or manually change the metadata.
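
The check suggested earlier in the thread (looking at metabase_database.details for the "ssl" flag) can be scripted before anyone edits the metadata by hand. The following is an added example, not code from any post or from Metabase: the sample rows, host names and status labels are constructed, and it assumes, as the thread suggests, that the "ssl" flag rather than the additional-options string is what turns TLS on for a MongoDB data source.

```python
import json

# Constructed sample rows shaped like (name, engine, details) taken from the
# metabase_database table; hosts and database names are made up.
SAMPLE_ROWS = [
    ("mongo-dev", "mongo",
     '{"host":"mongo.example.internal","dbname":"dev",'
     '"additional-options":"ssl=true","ssl":true}'),
    ("mongo-flipped", "mongo",
     '{"host":"mongo.example.internal","dbname":"dev",'
     '"additional-options":"ssl=true","ssl":false}'),
    ("mongo-plain", "mongo",
     '{"host":"mongo.example.internal","dbname":"dev"}'),
    ("warehouse", "postgres", '{"host":"pg.example.internal","ssl":true}'),
]


def option_requests_ssl(options):
    """True if an 'ssl=true' pair appears in a URI-style option string."""
    for pair in (options or "").replace(";", "&").split("&"):
        key, _, value = pair.partition("=")
        if key.strip().lower() == "ssl" and value.strip().lower() == "true":
            return True
    return False


def audit_mongo_ssl(rows):
    """Return {name: status} for every MongoDB data source in rows."""
    report = {}
    for name, engine, details in rows:
        if engine != "mongo":
            continue
        try:
            parsed = json.loads(details)
        except (TypeError, ValueError):
            parsed = None
        if not isinstance(parsed, dict):
            report[name] = "unreadable"  # details is not a plain JSON object
        elif parsed.get("ssl") is True:
            report[name] = "ssl-flag-on"
        elif option_requests_ssl(parsed.get("additional-options")):
            report[name] = "mismatch"    # ssl=true typed in, flag not set
        else:
            report[name] = "ssl-off"
    return report


if __name__ == "__main__":
    for name, status in audit_mongo_ssl(SAMPLE_ROWS).items():
        print(f"{name}: {status}")
```

A "mismatch" row is the case to look at first: ssl=true was entered as an additional option, but the saved flag says the connection is not using SSL.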