Trying to connect to Atlas form Google GAE

[emulienfou]

Hello there, I know there is already some issues related to this one, but I didn't find any solution for now. I do not know if it's MongoDB library related or MongoDB Doctrine related so I posted the issue here!

Bug Report

My currently application (Symfony 5) is hosted on Google Cloud App Engine (GAE) and seems to not be able to connect to MongoDB Atlas.
However, because of GAE, I cannot connect on the server using SSH and cannot test the database connection using mongo shell.

I always get the next error message:

No suitable servers found: serverselectiontimeoutms timed out: [Failed to receive length header from server. calling ismaster on 'maincluster-shard-00-00-ev9mm.mongodb.net:27017'] [Failed to receive length header from server. calling ismaster on 'maincluster-shard-00-01-ev9mm.mongodb.net:27017'] [Failed to receive length header from server. calling ismaster on 'maincluster-shard-00-02-ev9mm.mongodb.net:27017']

Environment

• PHP Version 7.3.10
• MongoDB extension version: 1.5.3
• MongoDB extension stability stable
• libbson bundled version 1.13.0
• libmongoc bundled version 1.13.0
• libmongoc SSL enabled
• libmongoc SSL library OpenSSL
• libmongoc crypto enabled
• libmongoc crypto library libcrypto
• libmongoc crypto system profile disabled
• libmongoc SASL enabled
• libmongoc ICU enabled
• libmongoc compression enabled
• libmongoc compression snappy disabled
• libmongoc compression zlib enabled

Debug

Capturing data for mongodb.com

array:16 [▼
  "name" => "/CN=*.mongodb.com"
  "subject" => array:1 [▼
    "CN" => "*.mongodb.com"
  ]
  "hash" => "25b5db5f"
  "issuer" => array:4 [▼
    "C" => "US"
    "O" => "Amazon"
    "OU" => "Server CA 1B"
    "CN" => "Amazon"
  ]
  "version" => 2
  "serialNumber" => "11196262090229725019049720558474204554"
  "serialNumberHex" => "086C525729547748AFC6C25A9E6F958A"
  "validFrom" => "190312000000Z"
  "validTo" => "200412120000Z"
  "validFrom_time_t" => 1552348800
  "validTo_time_t" => 1586692800
  "signatureTypeSN" => "RSA-SHA256"
  "signatureTypeLN" => "sha256WithRSAEncryption"
  "signatureTypeNID" => 668
  "purposes" => array:9 [▼
    1 => array:3 [▼
      0 => true
      1 => false
      2 => "sslclient"
    ]
    2 => array:3 [▼
      0 => true
      1 => false
      2 => "sslserver"
    ]
    3 => array:3 [▼
      0 => true
      1 => false
      2 => "nssslserver"
    ]
    4 => array:3 [▼
      0 => false
      1 => false
      2 => "smimesign"
    ]
    5 => array:3 [▼
      0 => false
      1 => false
      2 => "smimeencrypt"
    ]
    6 => array:3 [▼
      0 => false
      1 => false
      2 => "crlsign"
    ]
    7 => array:3 [▼
      0 => true
      1 => true
      2 => "any"
    ]
    8 => array:3 [▼
      0 => true
      1 => false
      2 => "ocsphelper"
    ]
    9 => array:3 [▼
      0 => false
      1 => false
      2 => "timestampsign"
    ]
  ]
  "extensions" => array:10 [▼
    "authorityKeyIdentifier" => "keyid:59:A4:66:06:52:A0:7B:95:92:3C:A3:94:07:27:96:74:5B:F9:3D:D0"
    "subjectKeyIdentifier" => "D1:76:A1:5C:86:0C:08:0E:2C:E2:50:5C:5B:1C:EB:3F:4C:B9:63:4B"
    "subjectAltName" => "DNS:*.mongodb.com, DNS:*.corp.mongodb.com, DNS:*.support.mongodb.com"
    "keyUsage" => "Digital Signature, Key Encipherment"
    "extendedKeyUsage" => "TLS Web Server Authentication, TLS Web Client Authentication"
    "crlDistributionPoints" => """
      
      Full Name:
        URI:http://crl.sca1b.amazontrust.com/sca1b.crl
      """
    "certificatePolicies" => """
      Policy: 2.16.840.1.114412.1.2
      Policy: 2.23.140.1.2.1
      """
    "authorityInfoAccess" => """
      OCSP - URI:http://ocsp.sca1b.amazontrust.com
      CA Issuers - URI:http://crt.sca1b.amazontrust.com/sca1b.crt
      """
    "basicConstraints" => "CA:FALSE"
    "ct_precert_scts" => """
      Signed Certificate Timestamp:
          Version   : v1 (0x0)
          Log ID    : EE:4B:BD:B7:75:CE:60:BA:E1:42:69:1F:AB:E1:9E:66:
                      A3:0F:7E:5F:B0:72:D8:83:00:C4:7B:89:7A:A8:FD:CB
          Timestamp : Mar 12 21:26:08.058 2019 GMT
          Extensions: none
          Signature : ecdsa-with-SHA256
                      30:45:02:20:55:64:E5:05:33:85:1D:4D:B2:32:4A:2C:
                      1E:1E:F3:94:D1:B8:B7:E9:27:9C:85:F5:3D:53:7D:05:
                      89:8C:2C:11:02:21:00:D6:FA:80:C4:0E:E9:DC:E6:0C:
                      9F:FD:AF:54:22:D0:C7:36:E2:AF:5D:40:B0:49:00:F3:
                      F6:54:32:C1:BD:8A:29
      Signed Certificate Timestamp:
          Version   : v1 (0x0)
          Log ID    : 87:75:BF:E7:59:7C:F8:8C:43:99:5F:BD:F3:6E:FF:56:
                      8D:47:56:36:FF:4A:B5:60:C1:B4:EA:FF:5E:A0:83:0F
          Timestamp : Mar 12 21:26:08.377 2019 GMT
          Extensions: none
          Signature : ecdsa-with-SHA256
                      30:44:02:20:51:B3:12:DE:CE:8D:1F:75:AE:69:E8:D1:
                      99:3B:12:AA:92:7C:64:2F:4A:8C:4A:93:7B:AA:04:79:
                      D8:B0:7E:1E:02:20:65:8A:E5:3F:92:D5:44:F1:6A:29:
                      8E:F9:D2:3B:B3:AD:F6:1A:4A:98:F4:1F:F1:8B:AD:02:
                      CA:87:E1:0E:E8:89
      """
  ]
]

Capturing data formaincluster-shard-00-00-ev9mm.mongodb.net

array:16 [▼
  "name" => "/C=US/ST=New York/L=New York/O=MongoDB, Inc./OU=Cloud SRE/CN=*.mongodb.net"
  "subject" => array:6 [▼
    "C" => "US"
    "ST" => "New York"
    "L" => "New York"
    "O" => "MongoDB, Inc."
    "OU" => "Cloud SRE"
    "CN" => "*.mongodb.net"
  ]
  "hash" => "c56ebf79"
  "issuer" => array:3 [▼
    "C" => "US"
    "O" => "DigiCert Inc"
    "CN" => "DigiCert SHA2 Secure Server CA"
  ]
  "version" => 2
  "serialNumber" => "18639574192117345081954476873740345950"
  "serialNumberHex" => "0E05D9F5EC0B3B40C028B0C3EEE2625E"
  "validFrom" => "180207000000Z"
  "validTo" => "210211120000Z"
  "validFrom_time_t" => 1517961600
  "validTo_time_t" => 1613044800
  "signatureTypeSN" => "RSA-SHA256"
  "signatureTypeLN" => "sha256WithRSAEncryption"
  "signatureTypeNID" => 668
  "purposes" => array:9 [▼
    1 => array:3 [▼
      0 => true
      1 => false
      2 => "sslclient"
    ]
    2 => array:3 [▼
      0 => true
      1 => false
      2 => "sslserver"
    ]
    3 => array:3 [▼
      0 => true
      1 => false
      2 => "nssslserver"
    ]
    4 => array:3 [▶]
    5 => array:3 [▼
      0 => false
      1 => false
      2 => "smimeencrypt"
    ]
    6 => array:3 [▼
      0 => false
      1 => false
      2 => "crlsign"
    ]
    7 => array:3 [▼
      0 => true
      1 => true
      2 => "any"
    ]
    8 => array:3 [▼
      0 => true
      1 => false
      2 => "ocsphelper"
    ]
    9 => array:3 [▼
      0 => false
      1 => false
      2 => "timestampsign"
    ]
  ]
  "extensions" => array:10 [▼
    "authorityKeyIdentifier" => "keyid:0F:80:61:1C:82:31:61:D5:2F:28:E7:8D:46:38:B4:2C:E1:C6:D9:E2"
    "subjectKeyIdentifier" => "A0:5E:6A:96:66:1B:B3:0D:01:C0:D5:95:43:83:11:8A:3C:38:2F:51"
    "subjectAltName" => "DNS:*.mongodb.net, DNS:mongodb.net"
    "keyUsage" => "Digital Signature, Key Encipherment"
    "extendedKeyUsage" => "TLS Web Server Authentication, TLS Web Client Authentication"
    "crlDistributionPoints" => """
      
      Full Name:
        URI:http://crl3.digicert.com/ssca-sha2-g6.crl
      
      Full Name:
        URI:http://crl4.digicert.com/ssca-sha2-g6.crl
      """
    "certificatePolicies" => """
      Policy: 2.16.840.1.114412.1.1
        CPS: https://www.digicert.com/CPS
      Policy: 2.23.140.1.2.2
      """
    "authorityInfoAccess" => """
      OCSP - URI:http://ocsp.digicert.com
      CA Issuers - URI:http://cacerts.digicert.com/DigiCertSHA2SecureServerCA.crt
      """
    "basicConstraints" => "CA:FALSE"
    "ct_precert_scts" => """
      Signed Certificate Timestamp:
          Version   : v1 (0x0)
          Log ID    : A4:B9:09:90:B4:18:58:14:87:BB:13:A2:CC:67:70:0A:
                      3C:35:98:04:F9:1B:DF:B8:E3:77:CD:0E:C8:0D:DC:10
          Timestamp : Feb  7 18:15:14.081 2018 GMT
          Extensions: none
          Signature : ecdsa-with-SHA256
                      30:46:02:21:00:9C:B7:CD:69:27:3A:CE:5C:C8:30:5C:
                      6D:ED:B3:91:50:13:34:C7:ED:EB:77:79:91:FE:73:3D:
                      42:A4:13:D6:6F:02:21:00:9F:66:4D:2E:C6:08:CF:2B:
                      60:4E:BD:A5:04:F2:A8:5D:65:91:8E:92:F3:A3:8E:32:
                      A0:C2:80:B7:79:C5:F6:25
      Signed Certificate Timestamp:
          Version   : v1 (0x0)
          Log ID    : 87:75:BF:E7:59:7C:F8:8C:43:99:5F:BD:F3:6E:FF:56:
                      8D:47:56:36:FF:4A:B5:60:C1:B4:EA:FF:5E:A0:83:0F
          Timestamp : Feb  7 18:15:14.296 2018 GMT
          Extensions: none
          Signature : ecdsa-with-SHA256
                      30:44:02:20:31:48:26:D7:76:02:E6:A0:52:22:CB:47:
                      33:6F:91:55:1C:C4:26:1C:DC:88:8C:D2:D2:A3:27:61:
                      B2:EC:14:72:02:20:0D:0C:F9:0C:8B:DF:82:5D:5B:96:
                      B4:93:AB:36:4B:48:4E:67:07:5F:B2:56:35:E3:09:00:
                      D9:63:40:CD:A6:83
      Signed Certificate Timestamp:
          Version   : v1 (0x0)
          Log ID    : BB:D9:DF:BC:1F:8A:71:B5:93:94:23:97:AA:92:7B:47:
                      38:57:95:0A:AB:52:E8:1A:90:96:64:36:8E:1E:D1:85
          Timestamp : Feb  7 18:15:14.246 2018 GMT
          Extensions: none
          Signature : ecdsa-with-SHA256
                      30:45:02:20:67:34:5A:12:9A:9F:92:07:0C:84:7C:C5:
                      38:0F:EC:04:5F:22:21:CA:FD:31:4A:9A:A3:48:E0:86:
                      A8:05:4A:5E:02:21:00:9E:43:C0:94:D3:37:46:36:A8:
                      14:32:5C:2C:B7:B9:6F:49:ED:1F:BB:AF:96:18:2E:E1:
                      BE:6E:A0:DC:2C:2B:83
      Signed Certificate Timestamp:
          Version   : v1 (0x0)
          Log ID    : 6F:53:76:AC:31:F0:31:19:D8:99:00:A4:51:15:FF:77:
                      15:1C:11:D9:02:C1:00:29:06:8D:B2:08:9A:37:D9:13
          Timestamp : Feb  7 18:15:14.824 2018 GMT
          Extensions: none
          Signature : ecdsa-with-SHA256
                      30:46:02:21:00:D8:53:0C:90:44:D3:E4:E4:1F:28:BD:
                      F4:A2:91:99:D3:1C:83:59:A4:15:6C:E6:F9:DB:AE:95:
                      A2:89:E0:E8:02:02:21:00:D1:AA:41:BC:98:D6:42:72:
                      A9:6D:CB:19:54:EC:A7:F3:F4:53:25:B1:BA:45:54:08:
                      F3:45:9D:A9:74:FB:1B:AE
      """
  ]
]

Thanks for your help

[jmikola]

The error message doesn't hint at a TLS certificate error, so I believe this is a case of your GAE server not being able to open a socket to the Atlas cluster.

Are you able to connect to the Atlas cluster outside of GAE (e.g. using a shell on your development machine)? Note that each Atlas cluster has an IP whitelist, so you will need to add application servers and/or development machines to that whitelist in order to connect to the cluster. Failure to do so will cause Atlas to drop incoming connections, which is what we might be seeing here.

I would suggest you start by adding your development machine to the Atlas whitelist and verifying that you can connect to the cluster (either using the PHP driver locally or the mongo shell). After that, you can look into adding the GAE server's IP to your whitelist and attempt a connection through your application. If you need assistance configuring the whitelist, I would suggest you go through Atlas support, as they likely have more experience guiding users through that process.

[emulienfou]

Hi @jmikola forgot to add this information in my issue, but yes I can connect from my local/dev environment.
For test purpose (I know it's bad) I whitelist everything (0.0.0.0/0).

[jmikola]

Searching for "Google Cloud App Engine php outgoing connection" turned up some threads about folks having general issues making outgoing connections from GAE-hosted applications and lead me to Setting up a firewall rule to allow outbound traffic on a custom port in Google's own documentation. This is nestled under a tutorial for sending e-mail but appears to refer to general firewall configurations for outgoing connections.

I'm not sure what cloud provider you're using in Atlas, but Google Cloud is a supported option so I would suggest looking into that if you've not already. At the very least, you should reduce latency by keeping app servers and your database in the same cloud provider and availability zoon. One might hope that GAE would allow connections to other, internal services within Google Cloud by default, but perhaps that still requires an explicit firewall rule since Atlas' instances would still be outside of our own account.

[emulienfou]

Hello @jmikola, So yes I deployed my MongoDB Atlas server in the Google Cloud Platform.
Here's what I already try and seems to not working:

1. Configuring the GCP firewall to allow everything in inbound/outbound:
   Egress | Apply to all | IP ranges: 0.0.0.0/0 | tcp:27017 | Allow | 1000
Ingress | Apply to all | IP ranges: 0.0.0.0/0 | tcp:27017 | Allow | 1000
2. Create a VPC network peering between my Atlas Cluster and personal GCP accounts.

• However, 1 thing I'm not totaly sure, is the Atlas CIDR who is the default value 192.168.0.0/16.
• An other think is I did not know if I needed to Exchange custom routes when creating my VPC peering.

[jmikola]

These questions are veering outside of my subject area (and likely the scope of the driver itself), so I think you'd have better luck asking Atlas support. They should be able to answer those questions and may have additional insights that would help troubleshoot your connectivity issues.

I have one last suggestion that may be helpful to test connectivity without using the driver at all. #313 (comment) demonstrates how to use file_get_contents() to connect to an Atlas host, dump its SSL certificate, and dump an error message from the mongod server by attempting to issue an HTTP request to the standard database port. That's a common procedure I've shared with users facing TLS issues, but I think it'd also help test for basic connectivity. Note that this may not work for free/shared tier hosts, as the HTTP test depends on functionality in the mongod process that displays an error when it detects HTTP traffic on the database port (the Atlas proxy used on shared plans does not behave the same way).

If you are able to run that successfully from the same GCP app server, but not connect using the driver, that would hint at some issue with the driver itself. Otherwise, it may be useful as a bare bones test for diagnosing network connectivity with the Atlas support team -- akin to attempting to ping an Atlas server from an application server where you might otherwise have shell access.

[emulienfou]

Hi @jmikola I will contact the MongoDB Atlas support about that!
About the test you suggest me to do, I already do it in the beginning before opening this issue.