Cluster WaitUntilReadyAsync Timeout error with servers with Certificate Mismatch

When we upgraded from SDK 3.4.6 to 3.4.7, and started using WaitUntilReadyAsync method, this error started to happen:

UnambiguousTimeoutException: Timed out after 00:01:00 with 0nodes

Enabling Couchbase SDK Debug logs, it’s showing that the real reason is:

Error encountered bootstrapping cluster; if the cluster is 6.5 or earlier, this can be ignored. System.AggregateException: Bootstrapping has failed! (The remote certificate is invalid according to the validation procedure.)

However, we explicitly created a ClusterOptions object, with KvIgnoreRemoteCertificateNameMismatch / HttpIgnoreRemoteCertificateMismatch set to true (since in our case, the remote certificate should not be validated).

ClusterOptions _clusterConfiguration = new ClusterOptions
          NumKvConnections = 12,
          EnableConfigPolling = true,
          ConfigPollInterval = TimeSpan.FromMilliseconds(2500),
          ConfigPollFloorInterval = TimeSpan.FromMilliseconds(50),
          KvTimeout = TimeSpan.FromSeconds(10),
          KvConnectTimeout = TimeSpan.FromSeconds(10),
          IdleKvConnectionTimeout = TimeSpan.FromMinutes(2),
          EnableTcpKeepAlives = true,
          TcpKeepAliveTime = TimeSpan.FromSeconds(55),
          TcpKeepAliveInterval = TimeSpan.FromSeconds(5),
          KvIgnoreRemoteCertificateNameMismatch = true,
          HttpIgnoreRemoteCertificateMismatch = true

Checking changes between 3.4.6 and 3.4.7, it looks like the way that this validation happens changed (differences between 3.4.6 and 3.4.7).

Is this a bug? or should we enable a different ClusterOption for skipping the remote certificate error?

(PS: I compared it to the latest SDK version and the same validation is still there)

Hi @futbolsalas15 , there was indeed a change to the validation procedures.

Previously, setting the IgnoreNameMismatch properties cleared both RemoteCertificateNameMismatch and RemoteCertificateChainErrors flags. After this change, it only clears those flags if they were the only errors.

I actually have a change out to add logging to the existing callback methods to put more information in the logs in case of failures. (Loading...)

In the meantime, the easiest way for you to troubleshoot this yourself is to set your own callback on ClusterOptions.KvCertificateCallbackValidation (and Http) and set a breakpoint or do your own logging to see what validation is failing.

In the meantime, I will also try to reproduce your scenario in case WaitUntilReady is somehow not picking up the IgnoreNameMismatch settings properly.

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.