Flyway TLS Configuration Issue During MongoDB Migration Setup

[Naveenkumar8055]

Hi Team,
Could someone please take a look at this? I’m not sure what I might be missing, and I would appreciate guidance on the steps or details required to resolve this issue

When running the flyway/flyway:latest-alpine-mongo//flyway:11.17.0-alpine-mongo Docker image to perform migrations against a MongoDB replica set using TLS/SSL with custom CA certificates (mTLS configuration attempted initially), the connection repeatedly times out with a MongoSocketReadException: Prematurely reached end of stream. This occurs even after successfully importing the CA certificate into the JVM trust store via keytool within the container runtime. The core issue seems to be an abrupt connection drop during the TLS handshake phase, potentially related to driver configuration or network handling within the Alpine container environment

flyway docker images used :

1. flyway:latest-alpine-mongo
2. flyway:11.17.0-alpine-mongo

• tried connecting to the single, standalone instance ( without overriding the ssl/tls certificates )

sudo docker run --rm \
  --network="host" \
  -v /home/user/migrations:/flyway/sql \
  -v /tmp/certs:/tmp/certs \
  flyway/flyway:latest-alpine-mongo \
  -url="mongodb://master:19051/dbName?tls=true&tlsCertificateKeyFile=/tmp/certs/client.pem&tlsCAFile=/tmp/certs/ca.crt&authSource=admin" \
  -user="user" \
  -password="passwordl" \
  -locations="filesystem:/flyway/sql" \
  -sqlMigrationSuffixes=".js" \
  migrate

• first import the certificate and then execute Flyway ( this is also tried but same issue seen).
• tried this command which overrides the container's default startup command to use bash instead, allowing us to run the keytool and the flyway command sequentially.

docker run --rm \
    --entrypoint bash \
    -v $(pwd)/mongo_migrations:/flyway/sql \
    -v $(pwd)/certs:/flyway/certs \
    flyway/flyway:11.17.0-alpine-mongo \
    -c "
        # 1. Import the CA certificate into Java's truststore
        keytool -import -trustcacerts -storepass changeit -noprompt \
                -alias mongo_ca -file /flyway/certs/ca.crt;

        # 2. Run the Flyway migration command
        flyway \
            -url='mongodb://host1:19051,host2:19051,host3:19051/mydb?replicaSet=myReplicaSetName&tls=true' \
            -user='yourUsername' \
            -password='yourPassword' \
            -locations='filesystem:/flyway/sql' \
            -sqlMigrationSuffixes='.js' \
            migrate
    "

• Getting ssl handshake issue while connecting to the mongodb ( RSA architecure).

error msg :

ERROR: Timed out while waiting for a server that matches ReadPreferenceServerSelector{readPreference=primary}. Client view of cluster state is {type=UNKNOWN, servers=[{address=master_host:19051, type=UNKNOWN, state=CONNECTING, exception={com.mongodb.MongoSocketWriteException: Exception sending message}, caused by {javax.net.ssl.SSLHandshakeException: (certificate_unknown) PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target}, caused by {sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target}, caused by {sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target}}, {address=slave_host:19051, type=UNKNOWN, state=CONNECTING, exception={com.mongodb.MongoSocketWriteException: Exception sending message}, caused by {javax.net.ssl.SSLHandshakeException: (certificate_unknown) PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target}, caused by {sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target}, caused by {sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target}}, {address=arbiter_host:19051, type=UNKNOWN, state=CONNECTING, exception={com.mongodb.MongoSocketWriteException: Exception sending message}, caused by {javax.net.ssl.SSLHandshakeException: (certificate_unknown) PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target}, caused by {sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target}, caused by {sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target}}]

[JasonLuo-Redgate]

Hi @Naveenkumar8055 ,

Any chance you could try the same steps directly from the command-line (using the pre-built binaries at https://github.com/flyway/flyway/releases), instead of using the Docker image, to check if the same issue still occurs?

[JasonLuo-Redgate]

I also noticed your connection URL includes tlsCertificateKeyFile. In this setup, you need to configure the JVM key store as well, not just the trust store.

[Naveenkumar8055]

Hi @Naveenkumar8055 ,

Any chance you could try the same steps directly from the command-line (using the pre-built binaries at https://github.com/flyway/flyway/releases), instead of using the Docker image, to check if the same issue still occurs?

Hi @JasonLuo-Redgate,thanks a lot for your reply.
have tried both the approaches which you have mentioned above and now getting this issue;
steps i followed:

• tried with these versions :

  • flyway-database-mongodb-11.16.0.jar
  • mongo-jdbc-standalone-1.19.jar ( JDBC driver )

  ERROR: No database found to handle jdbc:mongodb://masterHost:19051/garner?tls=true&tlsCertificateKeyFile=/home/user/client.pem&tlsCAFile=/home/user/ca.crt&authSource=admin

[JasonLuo-Redgate]

Hi @Naveenkumar8055 ,

From the output log, it appears that you’re using Native Connectors Mode, which does not rely on the JDBC driver.
Please double-check the installation_dir/drivers/mongo folder, where you should see JAR files like:

[Naveenkumar8055]

Hi @Naveenkumar8055 ,

From the output log, it appears that you’re using Native Connectors Mode, which does not rely on the JDBC driver. Please double-check the installation_dir/drivers/mongo folder, where you should see JAR files like:

Hi @JasonLuo-Redgate ,
with or without JDBC same issue seen,
after some time tried different approaches to address this issue now , got up with this issue.

ERROR: Timed out while waiting for a server that matches ReadPreferenceServerSelector{readPreference=primary}. Client view of cluster state is {type=UNKNOWN, servers=[{address=host:19051, type=UNKNOWN, state=CONNECTING, exception={com.mongodb.MongoSocketReadException: Prematurely reached end of stream}}] Caused by: com.mongodb.MongoTimeoutException: Timed out while waiting for a server that matches ReadPreferenceServerSelector{readPreference=primary}. Client view of cluster state is {type=UNKNOWN, servers=[{address=host:19051, type=UNKNOWN, state=CONNECTING, exception={com.mongodb.MongoSocketReadException: Prematurely reached end of stream}}]

tried all of these approaches :

• convert Client PEM to PKCS12
• Configure Flyway with BOTH TrustStore and KeyStore

but issue still persist.

1. Export Args (TrustStore + KeyStore + Debug)

export FLYWAY_JAVA_ARGS='-Djavax.net.debug=ssl:handshake -Djavax.net.ssl.trustStore=custom-truststore.jks -Djavax.net.ssl.trustStorePassword=changeit -Djavax.net.ssl.keyStore=custom-keystore.p12 -Djavax.net.ssl.keyStorePassword=changeit -Djavax.net.ssl.keyStoreType=PKCS12'

2. Run Flyway

./flyway
-url="mongodb://MASTER_HOST:19051/DB_NAME?directConnection=true&tls=true&authSource=admin"
-user="YOUR_USER"
-password="YOUR_PASSWORD"
-locations="filesystem:/FULL/PATH/TO/YOUR/MIGRATION/FOLDER"
-sqlMigrationSuffixes=".js"
migrate