How to deploy Self-hosted Squidex with external db and certificate?

Hello,

I’m trying to connect to an external database for my self-hosted Squidex project, which requires the use of a certificate. I have configured the environment variables as follows:

- name: EVENTSTORE__MONGODB__CONFIGURATION
  value: "mongodb://test:password@rc1c-external-cloud.net:27018?tls=true&tlsCAFile=/certs/mongodb/root.crt"
- name: STORE__MONGODB__CONFIGURATION
  value: "mongodb://test:password@rc1c-external-cloud.net:27018?tls=true&tlsCAFile=/certs/mongodb/root.crt"

However, this is not working and I am getting the following error:

Unhandled exception. System.TimeoutException: A timeout occurred after 30000ms selecting a server using CompositeServerSelector{ Selectors = ReadPreferenceServerSelector{ ReadPreference = { Mode : Primary } }, LatencyLimitingServerSelector{ AllowedLatencyRange = 00:00:00.0150000 }, OperationsCountServerSelector }. Client view of cluster state is { ClusterId : "1", Type : "Unknown", State : "Disconnected", Servers : [{ ServerId: "{ ClusterId : 1, EndPoint : "Unspecified/rc1c-external-cloud.net:27018" }", EndPoint: "Unspecified/rc1c-external-cloud.net:27018", ReasonChanged: "Heartbeat", State: "Disconnected", ServerVersion: , TopologyVersion: , Type: "Unknown", HeartbeatException: "MongoDB.Driver.MongoConnectionException: An exception occurred while opening a connection to the server.
 ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid because of errors in the certificate chain: UntrustedRoot
   at System.Net.Security.SslStream.SendAuthResetSignal(ProtocolToken message, ExceptionDispatchInfo exception)
   at System.Net.Security.SslStream.CompleteHandshake(SslAuthenticationOptions sslAuthenticationOptions)
   at System.Net.Security.SslStream.ForceAuthenticationAsync[TIOAdapter](Boolean receiveFirst, Byte[] reAuthenticationData, CancellationToken cancellationToken)
   at System.Net.Security.SslStream.AuthenticateAsClient(SslClientAuthenticationOptions sslClientAuthenticationOptions)
   at MongoDB.Driver.Core.Connections.SslStreamFactory.CreateStream(EndPoint endPoint, CancellationToken cancellationToken)
   at MongoDB.Driver.Core.Connections.BinaryConnection.OpenHelper(CancellationToken cancellationToken)
   --- End of inner exception stack trace ---

In the deployment I have this step:

command: ["sh", "-c", "curl -o /certs/mongodb/root.crt https://storage.some-cloud.net/cloud-certs/CA.pem && chmod 0644 /certs/mongodb/root.crt"]

Any help would be greatly appreciated.

Honestly, I have no idea. Have you tried without a cert first?

Error without ?tls=true&tlsCAFile=/certs/mongodb/root.crt:

Unhandled exception. Squidex.Hosting.Configuration.ConfigurationException: MongoDb connection failed to connect to database SquidexContent.

 ---> MongoDB.Driver.MongoCommandException: Command createIndexes failed: not authorized on SquidexContent to execute command { createIndexes: "States_Contents_All3", indexes: [ { key: { mt: -1, id: 1, _ai: 1, _si: 1, dl: 1, rf: 1 }, name: "mt_-1_id_1__ai_1__si_1_dl_1_rf_1" }, { key: { _si: 1, dl: 1, mt: -1 }, name: "_si_1_dl_1_mt_-1" }, { key: { rf: 1, _ai: 1, dl: 1 }, name: "rf_1__ai_1_dl_1" }, { key: { sa: 1, dl: 1, _ai: 1, _si: 1 }, name: "sa_1_dl_1__ai_1__si_1" } ], $db: "SquidexContent", lsid: { id: UUID("150ec9bd-8cad-4ede-b6f1-00423c5819c9") }, $clusterTime: { clusterTime: Timestamp(1697552850, 1), signature: { hash: BinData(0, 22007E0DE231A2316D8243627C8A3855F68A465D), keyId: 7265259518479564806 } } }.
   at MongoDB.Driver.Core.WireProtocol.CommandUsingCommandMessageWireProtocol`1.ProcessResponse(ConnectionId connectionId, CommandMessage responseMessage)
   at MongoDB.Driver.Core.WireProtocol.CommandUsingCommandMessageWireProtocol`1.ExecuteAsync(IConnection connection, CancellationToken cancellationToken)
   at MongoDB.Driver.Core.Servers.Server.ServerChannel.ExecuteProtocolAsync[TResult](IWireProtocol`1 protocol, ICoreSession session, CancellationToken cancellationToken)
   at MongoDB.Driver.Core.Operations.CommandOperationBase`1.ExecuteProtocolAsync(IChannelSource channelSource, ICoreSessionHandle session, ReadPreference readPreference, CancellationToken cancellationToken)
   at MongoDB.Driver.Core.Operations.WriteCommandOperation`1.ExecuteAsync(IWriteBinding binding, CancellationToken cancellationToken)
   at MongoDB.Driver.Core.Operations.CreateIndexesOperation.ExecuteAsync(IWriteBinding binding, CancellationToken cancellationToken)
   at MongoDB.Driver.OperationExecutor.ExecuteWriteOperationAsync[TResult](IWriteBinding binding, IWriteOperation`1 operation, CancellationToken cancellationToken)
   at MongoDB.Driver.MongoCollectionImpl`1.ExecuteWriteOperationAsync[TResult](IClientSessionHandle session, IWriteOperation`1 operation, CancellationToken cancellationToken)
   at MongoDB.Driver.MongoCollectionImpl`1.MongoIndexManager.CreateManyAsync(IClientSessionHandle session, IEnumerable`1 models, CreateManyIndexesOptions options, CancellationToken cancellationToken)
   at MongoDB.Driver.MongoCollectionImpl`1.UsingImplicitSessionAsync[TResult](Func`2 funcAsync, CancellationToken cancellationToken)
   at Squidex.Infrastructure.MongoDb.MongoRepositoryBase`1.InitializeAsync(CancellationToken ct) in /src/src/Squidex.Infrastructure.MongoDb/MongoDb/MongoRepositoryBase.cs:line 92
   --- End of inner exception stack trace ---

But I can connect to the database via bash without using a certificate.

Maybe I’m still using the wrong value for the environment variable? And which environment variable should I use for this at all?

It seems to me that the error is somewhere in this line:

STORE__MONGODB__CONFIGURATION = "mongodb://<user>:<password>@rc1c-url-to-database:27018/squidex-events?replicaSet=rs01&tls=true&tlsCAFile=/certs/mongodb/root.crt"

I think without the cert you do not have the right permissions. Therefore you can connect but not create the indexes.
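
The `UntrustedRoot` in the first trace means the chain the server presented did not end in a root the client trusted. The following is an added example (not from the thread or from Squidex) that checks offline whether a downloaded CA file is really a certificate and whether it anchors a given server certificate. The two CAs, the `db.example.test` name and all function names are constructed for illustration, and the `openssl` CLI is assumed to be installed.

```shell
#!/bin/sh
# Added example. All keys and certificates are constructed throwaway test material.

# True if FILE parses as a PEM X.509 certificate. Catches an HTML error page
# saved by a download step that never checked the HTTP status.
is_pem_cert() {
  openssl x509 -in "$1" -noout 2>/dev/null
}

# True if CERT ($2) chains to a root in CA_FILE ($1) and nowhere else: the
# system store is excluded so a pass cannot come from another trusted root.
ca_anchors_cert() {
  openssl verify -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
}

# Create a constructed self-signed CA called NAME ($2) in DIR ($1).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# Issue a constructed server certificate in DIR ($1) signed by CA NAME ($2).
make_leaf() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=db.example.test" \
    -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/leaf.csr" -days 1 -CA "$1/$2.pem" \
    -CAkey "$1/$2.key" -CAcreateserial -out "$1/leaf.pem" 2>/dev/null
}

# Run three candidate "CA files" against the same server certificate.
demo() {
  d=$(mktemp -d) || return 1
  make_ca "$d" right-ca && make_ca "$d" wrong-ca &&
    make_leaf "$d" right-ca || return 1
  printf '<html>403 Forbidden</html>\n' > "$d/error-page.crt"
  for ca in right-ca.pem wrong-ca.pem error-page.crt; do
    if ! is_pem_cert "$d/$ca"; then echo "$ca: not a certificate"
    elif ca_anchors_cert "$d/$ca" "$d/leaf.pem"; then echo "$ca: chain OK"
    else echo "$ca: untrusted root"; fi
  done
  rm -rf "$d"
}
demo
```

Against a real deployment, run `is_pem_cert` on the file the download step wrote, then `ca_anchors_cert` with that file and the server's certificate saved as PEM.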