Applies to
- Liquibase Secure (Pro)
- Liquibase Community (Open Source)
Conditions
- Liquibase MongoDB Secure extension
- MongoDB with SSL/TLS enabled
- Using custom CA certificates (e.g., root.pem)
Issue Summary
When attempting to connect Liquibase to a MongoDB database that requires SSL/TLS with a custom certificate, the connection fails with a certificate validation error. This commonly occurs when setting up Liquibase locally or after upgrading Liquibase versions, even though other MongoDB client tools (such as MongoDB Compass) can connect successfully using the same certificate file.
Error Message
PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Root Cause
This error occurs when the Java Virtual Machine (JVM) cannot verify the SSL/TLS certificate presented by the MongoDB server because:
- The certificate authority (CA) that issued the server's certificate is not registered in the JVM's truststore.
- The custom CA certificate (such as root.pem) has not been imported into the JVM truststore that Liquibase uses.
- The certificate may be specified in the connection string (e.g., via the tlsCAFile parameter), but the JVM doesn't automatically trust it unless it's explicitly registered.
This issue commonly occurs in local development environments where the certificate registration step has been performed in CI/CD pipelines or other environments but hasn't been replicated locally.
Resolution
Option 1: Import Certificate into JVM Truststore (Recommended)
Import the certificate into your JVM's default truststore using the keytool command:
keytool -import -trustcacerts -alias my-mongo-ca -file /path/to/your/root.pem -keystore $JAVA_HOME/lib/security/cacerts -storepass changeit
Important notes:
- Replace /path/to/your/root.pem with the actual path to your certificate file
- Replace my-mongo-ca with a descriptive alias name for your certificate
- The default truststore password is typically changeit
- You may need to run this command with elevated privileges (sudo on macOS/Linux)
- Start a new terminal session after importing the certificate
- Ensure you're using the correct $JAVA_HOME path. You can verify it with: echo $JAVA_HOME
Option 2: Use Custom Truststore with JVM Options
If you don't want to modify the default JVM truststore, you can specify a custom truststore using JVM options when running Liquibase:
liquibase --jvm-args="-Djavax.net.ssl.trustStore=/path/to/your/truststore.jks -Djavax.net.ssl.trustStorePassword=yourpassword" [command]
Verification Steps
- Test the connection outside Liquibase first - Use tools like MongoDB Compass or DBeaver to verify your certificate file is valid and the connection parameters are correct
- Verify your certificate file - Ensure the certificate file (e.g., root.pem) contains the complete certificate chain
- Check your CI/CD pipeline configuration - If connections work in your pipeline but not locally, review the pipeline scripts for certificate registration commands that need to be replicated locally
- Verify Liquibase MongoDB Secure extension version - Ensure you're using the correct version of the Liquibase MongoDB Secure extension that matches your Liquibase version
  - When using Liquibase Secure, your MongoDB JAR should be 'liquibase-commercial-mongodb.jar'.
  - The 'liquibase-mongodb-<version>.jar' MongoDB JAR is only for Liquibase Community (OSS).
  - You should not have both the Secure and Community JARs installed together.
- Test the connection - After registering the certificate, test with:
liquibase --url="mongodb://..." --username=user --password=pass connect
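An added example, not from this article or the Liquibase project: a small POSIX shell helper that prepares a dedicated truststore for Option 2, imports the MongoDB CA into it, and verifies the alias is actually listed before Liquibase is pointed at it. It assumes keytool from the JDK that runs Liquibase is on PATH; every path, alias and password in it is a placeholder.

```shell
# Added example, not from the Liquibase article or the Liquibase project.
# Builds a dedicated truststore (Option 2), imports the MongoDB CA into it and
# verifies the alias is really listed, so a "PKIX path building failed" error
# cannot be caused by a trust anchor that was never registered.
# Assumptions: keytool from the JDK that runs Liquibase is on PATH; every path,
# alias and password below is a placeholder.

# Count PEM certificate blocks in a file; 0 means it is not a PEM certificate file.
pem_cert_count() {
  [ -f "$1" ] || { echo 0; return 0; }
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# JVM options that point Liquibase at the custom truststore (the --jvm-args value).
liquibase_truststore_args() {
  printf '%s %s\n' "-Djavax.net.ssl.trustStore=$1" "-Djavax.net.ssl.trustStorePassword=$2"
}

# Import the CA from a PEM file into a JKS truststore and confirm the alias exists.
# Usage: import_and_verify_ca /path/to/root.pem /path/to/truststore.jks changeit mongo-ca
import_and_verify_ca() {
  pem="$1"; store="$2"; pass="$3"; ca_alias="$4"
  n=$(pem_cert_count "$pem")
  [ "$n" -gt 0 ] || { echo "error: $pem holds no PEM certificate" >&2; return 1; }
  # keytool -importcert stores only the first certificate of a PEM file, so a
  # multi-certificate chain file needs the root CA block extracted first.
  [ "$n" -eq 1 ] || echo "warning: $pem has $n certificates; only the first is imported" >&2
  # -noprompt skips the interactive "Trust this certificate?" question. An alias
  # that already exists makes keytool fail: delete the old entry first (see Troubleshooting).
  keytool -importcert -noprompt -trustcacerts -alias "$ca_alias" -file "$pem" \
    -keystore "$store" -storepass "$pass" || return 1
  # Listing the alias proves the anchor is in the store Liquibase will be given.
  keytool -list -alias "$ca_alias" -keystore "$store" -storepass "$pass"
}

# Example run (placeholders); nothing happens until the functions are called:
#   import_and_verify_ca ./root.pem ./mongo-truststore.jks changeit mongo-ca &&
#   liquibase --jvm-args="$(liquibase_truststore_args ./mongo-truststore.jks changeit)" \
#     --url="mongodb://..." --username=user --password=pass connect
```

Because the store is separate from $JAVA_HOME/lib/security/cacerts, it survives a JDK upgrade and can be committed to the same repository as the pipeline scripts that register the certificate.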
Troubleshooting
- If the issue persists after importing the certificate, verify that you've started a new terminal session.
- Confirm that $JAVA_HOME points to the correct Java installation.
- If using multiple Java versions, ensure the certificate is imported to the truststore of the Java version Liquibase is using.
- Check that the alias you're using doesn't already exist in the truststore (or use -delete to remove the old entry first).