MongoDB backups fail with TLS hostname mismatch after Let’s Encrypt rollout (URI host uses container name instead of FQDN)

[yashodhank]

Summary

• Native MongoDB backups in Coolify fail after enabling Let’s Encrypt/TLS because the backup connection string uses the Docker container name as host, while the Mongo server certificate is issued for the public FQDN (Traefik HostSNI). This causes x509 SAN mismatch and backup failure.
• Proposed: when TLS is enabled and a public CA is used, build backup URIs with the FQDN (HostSNI) instead of the container name. Add a per-database override for backup hostname and an opt-in “allow invalid hostnames” toggle for internal setups. Prefer system trust store over custom CA file for LE.

Affected version

• Coolify 4.x (exact image version unknown; issue reproducible on current setup)
• MongoDB images 6/7
• Traefik TLS passthrough with Let’s Encrypt certs

Environment

• Traefik TCP router with SNI hostname:

tcp:
  routers:
    mongo-iwso4ssc8s0sk0gggg0wws4o-router:
      entryPoints: [tcp]
      rule: HostSNI(`mongo-iwso4ssc8s0sk0gggg0wws4o.4d.realdomain.in`)
      service: mongo-iwso4ssc8s0sk0gggg0wws4o-service
      tls:
        passthrough: true
        certResolver: letsencrypt
  services:
    mongo-iwso4ssc8s0sk0gggg0wws4o-service:
      loadBalancer:
        servers:
          - address: iwso4ssc8s0sk0gggg0wws4o:27017

• MongoDB container (server presents LE cert, CA mounted):

services:
    iwso4ssc8s0sk0gggg0wws4o:
        image: 'mongo:latest'
        command:
            - mongod
            - '--tlsMode=allowTLS'
            - '--tlsAllowConnectionsWithoutCertificates'
            - '--tlsAllowInvalidHostnames'
            - '--tlsCAFile'
            - /etc/mongo/certs/ca.pem
            - '--tlsCertificateKeyFile'
            - /etc/mongo/certs/server.pem
        container_name: iwso4ssc8s0sk0gggg0wws4o
        environment:
            - MONGO_INITDB_ROOT_USERNAME=root
            - MONGO_INITDB_ROOT_PASSWORD=<REDACTED>
...
            - /data/coolify/ssl/coolify-ca.crt:/etc/mongo/certs/ca.pem:ro

Steps to reproduce

1. Enable Traefik TCP TLS passthrough with Let’s Encrypt for a MongoDB database (HostSNI = mongo-<db-id>.<domain>).
2. Use Coolify’s native backup for that MongoDB database.
3. Backup fails with TLS verification error.

Actual behavior

• Backup job connects to mongodb://root:<REDACTED>@iwso4ssc8s0sk0gggg0wws4o:27017/?directConnection=true&tls=true&tlsCAFile=/etc/mongo/certs/ca.pem
• Error:

2025-08-12T18:30:36.429+0000 Failed: can't create session: failed to connect to mongodb://...@iwso4ssc8s0sk0gggg0wws4o:27017/?directConnection=true&tls=true&tlsCAFile=/etc/mongo/certs/ca.pem: server selection error: server selection timeout, current topology: { Type: Single, Servers: [{ Addr: iwso4ssc8s0sk0gggg0wws4o:27017, Type: Unknown, Last error: tls: failed to verify certificate: x509: certificate is valid for mongo-iwso4ssc8s0sk0gggg0wws4o.<domain>, not iwso4ssc8s0sk0gggg0wws4o }, ] }

Expected behavior

• Backup should connect using the hostname that matches the server certificate SAN (the Traefik SNI FQDN), succeeding with TLS verification without disabling security checks.

Root cause analysis

• The backup URI uses the Docker service/container name (e.g., iwso4ssc8s0sk0gggg0wws4o) as host.
• After migrating to Let’s Encrypt, the Mongo server cert’s SAN contains the public FQDN (e.g., mongo-iwso4ssc8s0sk0gggg0wws4o.4d.realdomain.in), not the container name.
• TLS hostname validation fails when the URI host and cert SAN don’t match.

Proposed changes (safe defaults + configurability)

• Use FQDN for TLS backups:
  • When TLS is enabled and certificate type is public CA (e.g., Let’s Encrypt), build the backup connection string with the database’s FQDN (Traefik SNI hostname) instead of the container name.
  • If Traefik dynamic config is present, auto-detect via HostSNI rule; else allow a per-database “Backup hostname” override in UI/API.
• Prefer system trust store for public CA:
  • Omit tlsCAFile when using LE/public CA and rely on system CAs inside the backup runner container.
• Provide user-controlled toggles:
  • “Backup hostname override” input (string).
  • “Allow invalid hostnames for backup” boolean; if enabled, append tlsAllowInvalidHostnames=true to the URI. Default: off.
• URI construction guidelines:
  • mongodb://<user>:<pass>@<fqdn>:27017/?tls=true&authSource=admin
  • Optional: &directConnection=true if needed.
  • Only add tlsCAFile=... for private CAs/self-signed.
• Backward compatibility:
  • If no FQDN available and no override set, fall back to container name but allow enabling the “invalid hostnames” option for internal-only environments.

Acceptance criteria

• Backups succeed when Mongo is fronted by Traefik TLS passthrough with LE certs and the backup uses the SNI FQDN.
• No need to disable hostname verification in the common LE case.
• UI/API supports specifying a backup hostname override and a toggle for allowing invalid hostnames.
• Documentation updated with examples for LE and private CA setups.

Security considerations

• Default keeps hostname verification on for public CA paths.
• “Allow invalid hostnames” is opt-in and clearly marked as reducing security; intended for internal/container-name use only.
• Dropping tlsCAFile for LE removes brittle mount paths and avoids misconfigured trust anchors.

Workarounds (users can apply today)

• Recommended: change backup host to the FQDN on the certificate (Traefik SNI).
  • Example URI: ...@mongo-<db-id>.<domain>:27017/?tls=true&authSource=admin
• If you must keep the container name: append &tlsAllowInvalidHostnames=true to the URI used by the backup job.
• If using LE, omit tlsCAFile and rely on system CAs.

Additional context

• Traefik dynamic TCP config sets SNI to mongo-<db-id>.<domain> and forwards to the container name: this is correct and expected.
• The issue arises only because the backup client strings don’t match the certificate’s hostname.

Suggested implementation sketch

• Add a “backup connection builder” that:
  • Determines hostForBackup:
    • If TLS + public CA: use SNI FQDN (from Traefik dynamic config or user override).
    • Else: use container name.
  • Builds URI with tls=true, includes authSource=admin, and conditionally adds tlsAllowInvalidHostnames and tlsCAFile (for private/self-signed only).
• Provide migration notes in docs and a UI hint in DB settings.

Repro command (for testing fix)

• Using FQDN (should pass without tlsAllowInvalidHostnames):

mongosh "mongodb://root:<REDACTED>@mongo-<db-id>.<domain>:27017/?tls=true&authSource=admin" --eval "db.runCommand('ping')"

• Using container name (only passes with invalid-hostnames flag):

mongodump --uri="mongodb://root:<REDACTED>@<container-name>:27017/?tls=true&authSource=admin&tlsAllowInvalidHostnames=true" --archive=/tmp/test.archive.gz --gzip

Thank you! Happy to help test a PR or provide additional logs.