Unable to connect to AWS Documentdb using MongoDB Compass. No option to pass sslInvalidHostName
AWS DocumentDB is a relatively new service we're trying to migrate to. To connect from outside of the VPC, you have to create a tunnel to an existing instance.

For example:

ssh -i "ec2Access.pem" -L 27017:sample-cluster.cluster-cu52jq5kfddg.us-east-1.docdb.amazonaws.com:27017 [email protected] -N

And then you can connect from mongo shell with:

mongo --sslAllowInvalidHostnames --ssl --sslCAFile rds-combined-ca-bundle.pem --username <yourUsername> --password <yourPassword>

You can see this info at: https://docs.aws.amazon.com/documentdb/latest/developerguide/connect-from-outside-a-vpc.html

I'm actually able to get a shell into DocumentDB following the above instructions, but I cannot connect to it using MongoDB Compass. We need to be able to do this for our non-developer team.

Sausage answered 12/2, 2019 at 2:42 Comment(5)
What SSL options are you using for Compass? You might be able to connect by selecting the SSL "Unvalidated (insecure)" connection option. NOTE: DocumentDB emulates the MongoDB API but currently does not support all of the commands that are expected to be available for the 3.6 server version reported. This may lead to some unexpected errors with Compass or other clients expecting a MongoDB server (particularly with aggregation features). - Oceanid
@Oceanid Using the following settings after creating the tunnel: Hostname: localhost; Port: 27017; Auth with user/pw; SSL: Unvalidated; Tunnel: Use identity file; SSH Hostname: IP of EC2 instance; SSH Port: 27017 (tried 22 as well); Username: ubuntu; Identity file: rds-combined-ca-bundle.pem - Sausage
I did the above after creating the tunnel. Also tried a few variations, tried without opening the tunnel and using server validation, but nothing works. I think you might be right in that DocumentDB probably doesn't support this yet. - Sausage
I just used a workaround by running mongodb-compass on the Ubuntu EC2 instance and launching it with XQuartz (xquartz.org), which is basically X Windows for Mac. Once mongodb-compass is installed on your EC2 instance and XQuartz is installed on your machine, you can run ssh -X ubuntu@ec2-instance mongodb-compass - Sausage
#65950933 - Deport
I have done this using only MongoDB Compass (Community, v. 1.16.4), without creating a tunnel via external tools.

Firstly, download AWS's certificate from: https://s3.amazonaws.com/rds-downloads/rds-combined-ca-bundle.pem. I got this link from: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html

Also make sure that you have access to your DocDB cluster from the EC2 instance. To do so, look into the security group settings specified for your DocDB cluster. Given that you are able to get access using the mongo shell, you should have it.

Then on the connection screen in MongoDB Compass specify the following (your credentials used as an example):

  • Hostname: sample-cluster.cluster-cu52jq5kfddg.us-east-1.docdb.amazonaws.com
  • Port: 27017
  • Authentication: Username/Password
  • Username: YourDocDBUsername
  • Password: YourDocDBUserPassword
  • SSL: Server validation
  • Certificate Authority: (select downloaded rds-combined-ca-bundle.pem)
  • SSH Tunnel: Use identity file
  • SSH Hostname: ec2-34-229-221-164.compute-1.amazonaws.com
  • SSH Tunnel Port: 22
  • SSH Username: ubuntu
  • SSH Identity File: ec2Access.pem
Residency answered 25/2, 2019 at 10:5 Comment(11)
What do you mean by add "rds-combined-ca-bundle.pem" as your system Certificate Authority? - Sausage
@BhavikShah I have updated the instructions related to CA. Now you just need to download it and select it during configuration of the connection. - Residency
Answer of the year right here! Thank you. For clarification, SSH Hostname is an EC2 instance that is in the same region as the cluster. - Polyphyletic
@nikkwong that's a good point to mention. To be more precise, the instance should be in the same VPC as the DocDB instance. - Residency
Hi @OutOfNPE. I have followed all your instructions but somehow I still cannot connect using Mongo Compass. The error I'm getting is: Error creating SSH Tunnel: Timed out while waiting for forwardOut - Mongolia
Hi, @PaulRyanLucero. Can you connect to your DocDB cluster from the EC2 instance, for example, using the mongo shell? Here you can find some guidance: docs.aws.amazon.com/documentdb/latest/developerguide/… If not, then I would say most probably the problem is with your DocDB security group settings. - Residency
I'm using my id_rsa but I'm seeing "unable to get local issuer certificate" - Nerynesbit
I ended up having a connection issue as well, as @PaulRyanLucero mentioned. I found that using Robo 3T (a different GUI) worked for me. Follow these instructions and you should be able to connect to the instance via an SSH tunnel from your connected EC2 instance (make sure you have your security group for DocumentDB updated to include your EC2 instance). One thing to note is that if you are using a Mac (maybe even another OS) you may want to change the permissions on the pem files to 400. Source: docs.aws.amazon.com/documentdb/latest/developerguide/… - Goosy
Check the following question: #65950933. I could not use DB Compass for it, ended up using something different. - Deport
I'm still getting this error: "All configured authentication methods failed" - Ecosphere
You are the champion - Tisbe
I similarly was able to connect to my tunneled DocumentDB instance via mongosh but not with MongoDB Compass. I noticed that mongosh outputs the connection string, so I copied that into Compass and it worked.

mongodb://<credentials>@localhost:27017/?directConnection=true&tls=true&tlsAllowInvalidHostnames=true&tlsCAFile=<path_to_pem>

It looks like the part that I was missing was

directConnection=true

Multiply answered 15/7, 2022 at 19:21 Comment(1)
Enabling directConnection did the trick (in addition to the official AWS docs, plus other answers). Thanks! - Wayne
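As an added example (not from this thread or from MongoDB/AWS), the Python below audits a connection string like the one in the answer above and explains each option that weakens TLS verification; it also covers the "Unvalidated" versus "Server validation" choice from the Compass settings answer. The sample URI, credentials and hostnames are constructed placeholders.

```python
"""Audit the TLS options of a MongoDB/DocumentDB connection URI."""
from urllib.parse import parse_qs, urlsplit

# Constructed sample, modelled on the URI from the answer above; the
# credentials and CA path are placeholders, not real values.
SAMPLE_URI = (
    "mongodb://user:secret@localhost:27017/"
    "?directConnection=true&tls=true&tlsAllowInvalidHostnames=true"
    "&tlsCAFile=rds-combined-ca-bundle.pem"
)

LOCAL_HOSTS = ("localhost", "127.0.0.1")


def parse_options(uri):
    """Return (host, {option: value}), names and values lower-cased."""
    parts = urlsplit(uri)
    opts = {k.lower(): v[-1].lower() for k, v in parse_qs(parts.query).items()}
    return parts.hostname or "", opts


def audit_tls(uri):
    """Return findings; an empty list means the URI is as strict as a
    tunnelled DocumentDB connection can be: TLS on, CA pinned, only the
    hostname check relaxed (the cert names the cluster, not localhost)."""
    host, opts = parse_options(uri)
    findings = []
    tls_on = opts.get("tls", opts.get("ssl", "false")) == "true"
    if not tls_on:
        findings.append("tls is off: traffic to DocumentDB would be plaintext")
    elif "tlscafile" not in opts:
        findings.append("no tlsCAFile: the server cert is checked against system "
                        "roots, not the rds-combined-ca-bundle.pem that signs it")
    if opts.get("tlsallowinvalidcertificates") == "true":
        findings.append("tlsAllowInvalidCertificates=true disables certificate "
                        "verification entirely (Compass 'Unvalidated (insecure)')")
    if opts.get("tlsallowinvalidhostnames") == "true" and host not in LOCAL_HOSTS:
        findings.append("tlsAllowInvalidHostnames=true on a remote host: only a "
                        "local tunnel justifies ignoring the name mismatch")
    if host in LOCAL_HOSTS and opts.get("directconnection") != "true":
        findings.append("directConnection missing: the driver will discover the "
                        "replica-set members by their real hostnames, which the "
                        "tunnel does not forward")
    return findings


if __name__ == "__main__":
    for f in audit_tls(SAMPLE_URI) or ["no findings"]:
        print(f)
```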
