SSL Connections

Mongoose supports connecting to MongoDB clusters that require SSL connections. Setting the ssl option to true in mongoose.connect() or your connection string is enough to connect to a MongoDB cluster using SSL:

mongoose.connect('mongodb://localhost:27017/test', { ssl: true });

// Equivalent:
mongoose.connect('mongodb://localhost:27017/test?ssl=true');

The ssl option defaults to false for connection strings that start with mongodb://. However, the ssl option defaults to true for connection strings that start with mongodb+srv://. So if you are using an srv connection string to connect to MongoDB Atlas, SSL is enabled by default.

If you try to connect to a MongoDB cluster that requires SSL without enabling the ssl option, mongoose.connect() will error out with the below error:

MongooseServerSelectionError: connection <monitor> to 127.0.0.1:27017 closed
    at NativeConnection.Connection.openUri (/node_modules/mongoose/lib/connection.js:800:32)
    ...

SSL Validation

By default, Mongoose validates the SSL certificate against a certificate authority to ensure the SSL certificate is valid. To disable this validation, set the sslValidate option to false.

mongoose.connect('mongodb://localhost:27017/test', {
  ssl: true,
  sslValidate: false
});

In most cases, you should not disable SSL validation in production. However, sslValidate: false is often helpful for debugging SSL connection issues. If you can connect to MongoDB with sslValidate: false, but not with sslValidate: true, then you can confirm Mongoose can connect to the server and the server is configured to use SSL correctly, but there's some issue with the SSL certificate.

For example, a common issue is the below error message:

MongooseServerSelectionError: unable to verify the first certificate

This error is often caused by self-signed MongoDB certificates or other situations where the certificate sent by the MongoDB server is not registered with an established certificate authority. The solution is to set the sslCA option, which essentially sets a list of allowed SSL certificates.

await mongoose.connect('mongodb://localhost:27017/test', {
  ssl: true,
  sslValidate: true,
  // For example, see https://medium.com/@rajanmaharjan/secure-your-mongodb-connections-ssl-tls-92e2addb3c89
  // for where the `rootCA.pem` file comes from.
  // Please note that, in Mongoose >= 5.8.3, `sslCA` needs to be
  // the **path to** the CA file, **not** the contents of the CA file
  sslCA: `${__dirname}/rootCA.pem`
});

Another common issue is the below error message:

MongooseServerSelectionError: Hostname/IP does not match certificate's altnames: Host: hostname1. is not cert's CN: hostname2

The SSL certificate's common name must line up with the host name in your connection string. If the SSL certificate is for hostname2.mydomain.com, your connection string must connect to hostname2.mydomain.com, not any other hostname or IP address that may be equivalent to hostname2.mydomain.com. For replica sets, this also means that the SSL certificate's common name must line up with the machine's hostname.