Azure Private Link
An Azure service that provides private connectivity from a virtual network to Azure platform as a service, customer-owned, or Microsoft partner services.
551 questions
Cosmosdb throwing MongoServerSelectionError: Hostname/IP does not match certificate's altnames
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(92.8, 9%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EB%3C/text%3E%3C/svg%3E)
Bharath
10
Reputation points
I have a nodejs application deployed in Azure as a containerApp. the app tries to connect to cosmosdb through a private link. The private link format:
testcosmosdb.privatelink.mongo.cosmos.azure.com
The connection string is sent as environment variable to the containerApp.
If i do the lookup of the privateendpoint like
nslookup testcosmosdb.privatelink.mongo.cosmos.azure.com
i get proper response:
Server: 192.168.1.1
Address: 192.168.1.1#53
Non-authoritative answer:
testcosmosdb.privatelink.mongo.cosmos.azure.com canonical name = ccd-ns-prod-westeurope1-fe1.westeurope.cloudapp.azure.com.
Name: ccd-ns-prod-westeurope1-fe1.westeurope.cloudapp.azure.com
Address: 20.62.94.0
The connection string is in this format.
MONGODB_CONNECTION="mongodb://testcosmosdb:xR7xqQPOeMegN2LuXPVt5IUwb9HsGEyC0mkASzNwlmb6PEwehRkZCNpfrCxHHErqyP7lCXjxjWwACDbftND3w==@testcosmosdb.privatelink.mongo.cosmos.azure.com:10255/?ssl=true&replicaSet=globaldb&retrywrites=false&maxIdleTimeMS=120000&appName=@testcosmosdb@"
The app tries a GET request to the database to get a collection. The response is below error:
'testcosmosdb.privatelink.mongo.cosmos.azure.com:10255' => [ServerDescription]
2023-07-11T14:00:08.069109163Z },
2023-07-11T14:00:08.069112216Z stale: false,
2023-07-11T14:00:08.069115209Z compatible: true,
2023-07-11T14:00:08.069118394Z heartbeatFrequencyMS: 10000,
2023-07-11T14:00:08.069121555Z localThresholdMS: 15,
2023-07-11T14:00:08.069124931Z setName: 'globaldb',
2023-07-11T14:00:08.069128236Z maxElectionId: null,
2023-07-11T14:00:08.069131453Z maxSetVersion: null,
2023-07-11T14:00:08.069134406Z commonWireVersion: 0,
2023-07-11T14:00:08.069137807Z logicalSessionTimeoutMinutes: null
2023-07-11T14:00:08.069140916Z },
2023-07-11T14:00:08.069143973Z code: undefined,
2023-07-11T14:00:08.069147047Z [Symbol(errorLabels)]: Set(0) {}
2023-07-11T14:00:08.069150861Z } [
2023-07-11T14:00:08.069154135Z "MongoServerSelectionError: Hostname/IP does not match certificate's altnames: Host: testcosmosdb.privatelink.mongo.cosmos.azure.com. is not in the cert's altnames: DNS:*.gremlin.cosmosdb.azure.com, DNS:*.cassandra.cosmosdb.azure.com, DNS:*.table.cosmosdb.azure.com, DNS:*.sql.cosmosdb.azure.com, DNS:*.etcd.cosmosdb.azure.com, DNS:*.gremlin.cosmos.azure.com, DNS:*.mongo.cosmos.azure.com, DNS:*.cassandra.cosmos.azure.com, DNS:*.table.cosmos.azure.com, DNS:*.sql.cosmos.azure.com, DNS:*.etcd.cosmos.azure.com, DNS:*.documents.azure.com",
2023-07-11T14:00:08.069157771Z ' at Timeout._onTimeout (/app/node_modules/mongodb/lib/sdam/topology.js:277:38)',
2023-07-11T14:00:08.069161389Z ' at listOnTimeout (node:internal/timers:559:17)',
2023-07-11T14:00:08.069164941Z ' at processTimers (node:internal/timers:502:7)'
2023-07-11T14:00:08.069168492Z ]
Can anyone help here? Thanks
Azure Private Link
Azure Cosmos DB
Azure Cosmos DB
An Azure NoSQL database service for app development.
1,901 questions
{count} votes
-
KapilAnanth-MSFT 49,536 Reputation points Microsoft Employee Moderator2023-07-12T04:34:14.59+00:00 Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.
Can you just use "testcosmosdb.mongo.cosmos.azure.com" and give it a try?
- Generally, for resolution happening within Azure, there is no requirement to include the "privatelink" domain in the DNS Queries.
- In fact, it is just there for the platform to understand that the resolution should use Private DNS Zone.
Cheers,
Kapil
-
Bharath 10 Reputation points
2023-07-12T11:34:39.62+00:00 @KapilAnanth-MSFT Thank you , i tried without privatelink ie only using
mongodb://testcosmosdb:xR7xqQPOeMegN2LuXPVt5IUwb9HsGEyC0mkASzNwlmb6PEwehRkZCNpfrCxHHErqyP7lCXjxjWwACDbftND3w==@testcosmosdb.mongo.cosmos.azure.com:10255/?ssl=true&replicaSet=globaldb&retrywrites=false&maxIdleTimeMS=120000&appName=@testcosmosdb@now i am getting this error:
MongoServerSelectionError: connection <monitor> to 20.62.77.0:10255 closed -
KapilAnanth-MSFT 49,536 Reputation points Microsoft Employee Moderator
2023-07-12T11:40:04.9866667+00:00 From the server, can you do
- nslookup testcosmosdb.mongo.cosmos.azure.com
- nslookup testcosmosdb.mongo.cosmos.azure.com 168.63.129.16
and share the result?
Also, I see you are using a custom DNS Server in Azure VNet, is that correct?
Cheers,
Kapil
-
Bharath 10 Reputation points
2023-07-12T14:30:10.1+00:00 @Kapilananth Now i tried using my localhost to connect to the MongoDB instance. Since the mongodb has property set to
publicNetworkAccess: 'Enabled'I should be able to connect to it. But I m still getting the same error when i use without the private link:
MongoServerSelectionError: connection <monitor> to 20.63.92.0:10255 closed at Timeout._onTimeout (/my-dev/node_modules/mongodb/lib/sdam/topology.js:277:38) at listOnTimeout (node:internal/timers:559:17) at processTimers (node:internal/timers:502:7) { reason: TopologyDescription { type: 'ReplicaSetNoPrimary', servers: Map(1) { 'testcosmosdb.mongo.cosmos.azure.com:10255' => [ServerDescription] }, stale: false, compatible: true, heartbeatFrequencyMS: 10000, localThresholdMS: 15, setName: 'globaldb', maxElectionId: null, maxSetVersion: null, commonWireVersion: 0, logicalSessionTimeoutMinutes: null }, code: undefined, [Symbol(errorLabels)]: Set(0) {} } [ 'MongoServerSelectionError: connection <monitor> to 20.63.92.0:10255 closed', ' at Timeout._onTimeout (/my-dev/node_modules/mongodb/lib/sdam/topology.js:277:38)', ' at listOnTimeout (node:internal/timers:559:17)', ' at processTimers (node:internal/timers:502:7)' ]As you suggested i did ns lookup from local machine and got 2 different results.
nslookup testcosmosdb.mongo.cosmos.azure.comServer: 3201:1200:61a9:6b1c::eeAddress: 2301:3900:71c9:5f1c::8e#53Non-authoritative answer:testcosmosdb.mongo.cosmos.azure.com canonical name = testcosmosdb.privatelink.mongo.cosmos.azure.com.testcosmosdb.privatelink.mongo.cosmos.azure.com canonical name = ces-ms-prod-westeurope1-fe1.westeurope.cloudapp.azure.com.Name: ces-ms-prod-westeurope1-fe1.westeurope.cloudapp.azure.comAddress: 20.63.92.0nslookup testcosmosdb.mongo.cosmos.azure.com 168.63.129.16;; connection timed out; no servers could be reachedalso my containerApp is not integrated with the same vNet as the private endpoint.
-
KapilAnanth-MSFT 49,536 Reputation points Microsoft Employee Moderator
2023-07-12T14:50:47.1633333+00:00 By LocalHost, I take it that you mean your local server outside Azure.
- This testing is wrong and will not yield any results.
- Local servers cannot connect to Private Links unless and until you have a VPN/ExpressRoute to Azure and even then, it should be configured properly.
Can you please do a nslookup from the ContainerApp in Azure VNet?
Also, if you say that even Public Access is not working,
- Then shouldn't you be troubleshooting that first?
- Only then should you look into why Private EndPoints are not working.
Cheers,
Kapil
-
Bharath 10 Reputation points
2023-07-12T15:45:12.1266667+00:00 Hi @KapilAnanth-MSFT the mongodb is public access enabled as shown in the property. I am using the public endpoint without privatelink from my local machine to connect it. Yet this is throwing the error:
'MongoServerSelectionError: connection <monitor> to 20.63.92.0:10255 closed', ' at Timeout._onTimeout (/my-dev/node_modules/mongodb/lib/sdam/topology.js:277:38)', ' at listOnTimeout (node:internal/timers:559:17)', ' at processTimers (node:internal/timers:502:7)'This should not happen as i am not using privatelink endpoint in my connection string. I have removed that part. Also i have used many instances of cosmosdb where privatelink is not enabled and i am able to connect from my localhost application.
This particular mongodb instance has both private endpoint as well as public access enabled and i am getting the above error.
Sign in to comment
Sign in to answer