Unable to connect MongoDB Compass to AWS DocumentDB using SSH tunnel

5

4

I am new to MongoDB and am trying to set up tools for my new project. Most of my infrastructure runs on AWS, so I prefer to use AWS DocumentDB. I managed to connect to DocumentDB from EC2 via both the mongo client and a Node.js application, but it would be good to manage DocumentDB from my Windows workstation using MongoDB Compass.

As we know, we cannot directly connect any mongo client from outside AWS to DocumentDB (see "Connecting to an Amazon DocumentDB Cluster from Outside an Amazon VPC"),
so we need an SSH tunnel through EC2. I tried many options but still failed. Below are the 2 most likely options:

Option 1: Connect using MongoDB Compass SSH tunnel

Error: unable to get local issuer certificate

Both RDS-COMBINED-CA-BUNDLE.PEM and the SSH key are already supplied, so which one is it unable to get?

As highlighted in red on the SSH port, I also tried opening another SSHD port on the server and connecting using the second port, but it still failed.

Option 2: Connect using Putty SSH tunnel

Error: Hostname/IP does not match certificate's altnames...

This is because MongoDB Compass needs to connect to localhost to get into the tunnel, and I still cannot find a way to supply the --sslAllowInvalidHostnames option.

So, what can I do to get around this?

MongoDB Compass: 1.25.0

Temper answered 29/1, 2021 at 7:36 Comment(0)
4

As of Jan 2022, MongoDB Compass does not support sslInvalidHostNameAllowed=true in the connection builder form. This is the parameter you are missing in order to connect to AWS DocumentDB while SSH tunneling to a machine inside the same VPC as the database itself.

I used Studio 3T and it worked perfectly. You could create the connection string yourself or try another GUI.

Edit Jan 2023: I just gave Compass another try and it seems they now support the sslInvalidHostNameAllowed flag through the UI. You could still change the connection string manually, but then any UI interaction would overwrite it.

Yggdrasil answered 11/1, 2022 at 19:8 Comment(0)
2

I am done with Compass. I successfully established a "robo3t" connection to AWS DocumentDB using this guide.

https://docs.aws.amazon.com/documentdb/latest/developerguide/robo3t.html

Temper answered 29/1, 2021 at 23:28 Comment(0)
1

If you edit the connection string directly in MongoDB Compass you can set options that may not be accessible in the user interface.

Below is an example with tweaked parameters to connect without using TLS:

mongodb://xxxx:yyyy@localhost:27017/?authSource=admin&connectTimeoutMS=10000&readPreference=primary&authMechanism=SCRAM-SHA-1&serverSelectionTimeoutMS=5000&appname=MongoDB%20Compass&ssl=false
Caddy answered 7/7, 2021 at 13:44 Comment(0)
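
An added example, not part of any answer on this page: a small Python check that parses a MongoDB connection string, such as the one in the answer above, and reports which TLS protections it leaves switched on. It assumes the standard MongoDB URI option names (tls/ssl, tlsCAFile, tlsAllowInvalidHostnames, tlsAllowInvalidCertificates, tlsInsecure) plus sslInvalidHostNameAllowed as written in the answers; the function name `audit_tls` and both sample strings are constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qsl

# Lower-cased option names that switch off one TLS check when set to true.
HOSTNAME_OPTS = {"tlsallowinvalidhostnames", "sslinvalidhostnameallowed"}
CERT_OPTS = {"tlsallowinvalidcertificates"}
ALL_CHECKS_OPTS = {"tlsinsecure"}

# Constructed samples: a shortened form of the no-TLS string from the answer
# above, and a tunnel string that keeps TLS and the CA bundle but relaxes only
# the hostname check (port 27018 as in the PuTTY tunnel from the question).
NO_TLS = "mongodb://xxxx:yyyy@localhost:27017/?authSource=admin&ssl=false"
TUNNEL = ("mongodb://xxxx:yyyy@localhost:27018/?tls=true"
          "&tlsCAFile=rds-combined-ca-bundle.pem&tlsAllowInvalidHostnames=true")


def _is_true(value):
    return value.strip().lower() == "true"


def audit_tls(uri):
    """Return which TLS protections a MongoDB connection string leaves on."""
    parts = urlsplit(uri)
    if parts.scheme not in ("mongodb", "mongodb+srv"):
        raise ValueError("not a MongoDB connection string")
    # Option names are case-insensitive, so normalise the keys.
    opts = {k.lower(): v for k, v in parse_qsl(parts.query)}

    # mongodb+srv turns TLS on by default; plain mongodb:// leaves it off.
    tls_value = opts.get("tls", opts.get("ssl"))
    if tls_value is None:
        encrypted = parts.scheme == "mongodb+srv"
    else:
        encrypted = _is_true(tls_value)

    relaxed = {k for k, v in opts.items() if _is_true(v)}
    verifying = encrypted and not (relaxed & ALL_CHECKS_OPTS)
    return {
        "encrypted": encrypted,
        "chain_verified": verifying and not (relaxed & CERT_OPTS),
        "hostname_verified": verifying and not (relaxed & HOSTNAME_OPTS),
        "ca_file": opts.get("tlscafile"),
    }


if __name__ == "__main__":
    for name, uri in (("no TLS", NO_TLS), ("tunnel", TUNNEL)):
        print(name, audit_tls(uri))
```

With only the hostname check relaxed, traffic past the EC2 hop is still encrypted and the server certificate is still validated against the CA bundle; with ssl=false, none of the three protections apply.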
0

For Hostname, are you using DocumentDB endpoint? In one screenshot, I see you are using localhost.

I have managed to connect with option 1.

Servomechanism answered 29/1, 2021 at 14:13 Comment(1)
There will be a "connection timed out" if I supply the "DocumentDB" endpoint as the hostname, since in Option 2, MongoDB Compass needs to connect to localhost:27018 to get into the Putty SSH tunnel. I already supply the DocumentDB endpoint as the destination in the Putty SSH tunnel. - Temper
0

The workaround is to establish the connection using an SSH tunnel (port forward), so that the SSH tunnel opens a port on your local system that connects through to another port at the other end of the tunnel.

The command below establishes a tunnel in the terminal, and later you can use this channel/connection to connect to MongoDB using MongoDB Compass.

For example:

ssh user@aws-ec2-ip-address -L 35356:127.0.0.1:27017 -N
  • where -L is the local listening side
  • Port 35356 is listening on localhost (that is, in this case, your EC2) and port-forwards through to port 27017 on the remote server.

Note - Add identity file in .ssh/config

Ex - On Mac

Host XXXXXXX
  HostName 52.xx.xx.xx
  User ubuntu
  IdentityFile ./path/prod.pem
Thurgau answered 5/11, 2021 at 3:21 Comment(0)
