Mongodb connection attempt failed: SSLHandshakeFailed: SSL peer certificate validation failed: self signed...
up vote
0
down vote
favorite
I set up a mongoDB database with SSL security on an Ubuntu 16.04.5 LTS server and I have been using it for a few months. To set up SSL on mongo I followed the tutorial by Rajan Maharjan on medium.com (link). Coming back to my server after a short period of not using it, I received the following error message:
SSL peer certificate validation failed: certificate has expired
Looking at the mongo log, I found:
[PeriodicTaskRunner] Server certificate is now invalid. It expired on 2018-11-10T08:10:11.000Z
So I regenerated and re-signed all my certificates with the rootCA.key file, following the same steps as when creating certificates for the first time. I restarted mongod with:
service mongod restart
And now I have the "self signed certificate" error:
MongoDB shell version v4.0.2
connecting to: mongodb://IP:port/
2018-11-21T13:11:10.584+0000 E NETWORK [js] SSL peer certificate
validation failed: self signed certificate
2018-11-21T13:11:10.584+0000 E QUERY [js] Error:
couldn't connect to server IP:port, connection attempt failed:
SSLHandshakeFailed: SSL peer certificate validation failed: self signed certificate :
connect@src/mongo/shell/mongo.js:257:13
@(connect):1:6
exception: connect failed
My connection string is the following:
mongo --ssl --sslCAFile /PATH/TO/rootCA.pem --sslPEMKeyFile /PATH/TO/mongodb.pem --host IP:port
I have not found any resources on re-signing certificates for mongoDB. Any help would be much appreciated.
EDIT
/etc/mongod.conf :
# mongod.conf
# for documentation of all options, see:
# http://docs.mongodb.org/manual/reference/configuration-options/
# Where and how to store data.
storage:
dbPath: /var/lib/mongodb
journal:
enabled: true
# engine:
# mmapv1:
# wiredTiger:
# where to write logging data.
systemLog:
destination: file
logAppend: true
path: /var/log/mongodb/mongod.log
# network interfaces
net:
port: PORT
bindIp: IP
ssl:
mode: requireSSL
PEMKeyFile: /etc/ssl/mongodb.pem
CAFile: /etc/ssl/rootCA.pem
# how the process runs
processManagement:
timeZoneInfo: /usr/share/zoneinfo
#security:
security:
authorization: "enabled"
#operationProfiling:
#replication:
#sharding:
## Enterprise-Only Options:
#auditLog:
#snmp:
mongodb ssl openssl ubuntu-16.04
|
show 3 more comments
up vote
0
down vote
favorite
I set up a mongoDB database with SSL security on an Ubuntu 16.04.5 LTS server and I have been using it for a few months. To set up SSL on mongo I followed the tutorial by Rajan Maharjan on medium.com (link). Coming back to my server after a short period of not using it, I received the following error message:
SSL peer certificate validation failed: certificate has expired
Looking at the mongo log, I found:
[PeriodicTaskRunner] Server certificate is now invalid. It expired on 2018-11-10T08:10:11.000Z
So I regenerated and re-signed all my certificates with the rootCA.key file, following the same steps as when creating certificates for the first time. I restarted mongod with:
service mongod restart
And now I have the "self signed certificate" error:
MongoDB shell version v4.0.2
connecting to: mongodb://IP:port/
2018-11-21T13:11:10.584+0000 E NETWORK [js] SSL peer certificate
validation failed: self signed certificate
2018-11-21T13:11:10.584+0000 E QUERY [js] Error:
couldn't connect to server IP:port, connection attempt failed:
SSLHandshakeFailed: SSL peer certificate validation failed: self signed certificate :
connect@src/mongo/shell/mongo.js:257:13
@(connect):1:6
exception: connect failed
My connection string is the following:
mongo --ssl --sslCAFile /PATH/TO/rootCA.pem --sslPEMKeyFile /PATH/TO/mongodb.pem --host IP:port
I have not found any resources on re-signing certificates for mongoDB. Any help would be much appreciated.
EDIT
/etc/mongod.conf :
# mongod.conf
# for documentation of all options, see:
# http://docs.mongodb.org/manual/reference/configuration-options/
# Where and how to store data.
storage:
dbPath: /var/lib/mongodb
journal:
enabled: true
# engine:
# mmapv1:
# wiredTiger:
# where to write logging data.
systemLog:
destination: file
logAppend: true
path: /var/log/mongodb/mongod.log
# network interfaces
net:
port: PORT
bindIp: IP
ssl:
mode: requireSSL
PEMKeyFile: /etc/ssl/mongodb.pem
CAFile: /etc/ssl/rootCA.pem
# how the process runs
processManagement:
timeZoneInfo: /usr/share/zoneinfo
#security:
security:
authorization: "enabled"
#operationProfiling:
#replication:
#sharding:
## Enterprise-Only Options:
#auditLog:
#snmp:
mongodb ssl openssl ubuntu-16.04
Are you using the correct sslCAFile? Shouldn't it be/PATH/TO/abc.crt
?
– Aniket Maithani
Nov 21 at 14:16
@AniketMaithani I tried using the .crt as per your suggestion, I getError: network error while attempting to run command 'isMaster' on host
andSSL peer certificate validation failed: self signed certificate
in the log. The connection string in my question is the same I used before and it used to work.
– Nicolas Gaborel
Nov 21 at 15:09
Adding the--sslAllowInvalidCertificates
option in the mongo connection string yields the following error message:[js] Error: network error while attempting to run command 'isMaster' on host
andSSL peer certificate validation failed: self signed certificate
in the log.
– Nicolas Gaborel
Nov 27 at 15:24
1
Hey @Nicolas can you post your /etc/mongod.conf file here ? Meanwhile try using the following : dpaste.de/U4Lm
– Aniket Maithani
Nov 28 at 2:06
Hi @AniketMaithani I edited my question to add the .conf file. I tried your solution (and commented out the rootCA.pem line in the .conf file) but withmongod --sslMode requireSSL --sslPEMKeyFile /etc/ssl/mongodb.pem
I getexception in initAndListen: NonExistentPath: Data directory /data/db not found., terminating
and when restarting the service, in the log I have the following errorWARNING: No SSL certificate validation can be performed since no CA file has been provided
– Nicolas Gaborel
Nov 28 at 8:57
|
show 3 more comments
up vote
0
down vote
favorite
up vote
0
down vote
favorite
I set up a mongoDB database with SSL security on an Ubuntu 16.04.5 LTS server and I have been using it for a few months. To set up SSL on mongo I followed the tutorial by Rajan Maharjan on medium.com (link). Coming back to my server after a short period of not using it, I received the following error message:
SSL peer certificate validation failed: certificate has expired
Looking at the mongo log, I found:
[PeriodicTaskRunner] Server certificate is now invalid. It expired on 2018-11-10T08:10:11.000Z
So I regenerated and re-signed all my certificates with the rootCA.key file, following the same steps as when creating certificates for the first time. I restarted mongod with:
service mongod restart
And now I have the "self signed certificate" error:
MongoDB shell version v4.0.2
connecting to: mongodb://IP:port/
2018-11-21T13:11:10.584+0000 E NETWORK [js] SSL peer certificate
validation failed: self signed certificate
2018-11-21T13:11:10.584+0000 E QUERY [js] Error:
couldn't connect to server IP:port, connection attempt failed:
SSLHandshakeFailed: SSL peer certificate validation failed: self signed certificate :
connect@src/mongo/shell/mongo.js:257:13
@(connect):1:6
exception: connect failed
My connection string is the following:
mongo --ssl --sslCAFile /PATH/TO/rootCA.pem --sslPEMKeyFile /PATH/TO/mongodb.pem --host IP:port
I have not found any resources on re-signing certificates for mongoDB. Any help would be much appreciated.
EDIT
/etc/mongod.conf :
# mongod.conf
# for documentation of all options, see:
# http://docs.mongodb.org/manual/reference/configuration-options/
# Where and how to store data.
storage:
dbPath: /var/lib/mongodb
journal:
enabled: true
# engine:
# mmapv1:
# wiredTiger:
# where to write logging data.
systemLog:
destination: file
logAppend: true
path: /var/log/mongodb/mongod.log
# network interfaces
net:
port: PORT
bindIp: IP
ssl:
mode: requireSSL
PEMKeyFile: /etc/ssl/mongodb.pem
CAFile: /etc/ssl/rootCA.pem
# how the process runs
processManagement:
timeZoneInfo: /usr/share/zoneinfo
#security:
security:
authorization: "enabled"
#operationProfiling:
#replication:
#sharding:
## Enterprise-Only Options:
#auditLog:
#snmp:
mongodb ssl openssl ubuntu-16.04
I set up a mongoDB database with SSL security on an Ubuntu 16.04.5 LTS server and I have been using it for a few months. To set up SSL on mongo I followed the tutorial by Rajan Maharjan on medium.com (link). Coming back to my server after a short period of not using it, I received the following error message:
SSL peer certificate validation failed: certificate has expired
Looking at the mongo log, I found:
[PeriodicTaskRunner] Server certificate is now invalid. It expired on 2018-11-10T08:10:11.000Z
So I regenerated and re-signed all my certificates with the rootCA.key file, following the same steps as when creating certificates for the first time. I restarted mongod with:
service mongod restart
And now I have the "self signed certificate" error:
MongoDB shell version v4.0.2
connecting to: mongodb://IP:port/
2018-11-21T13:11:10.584+0000 E NETWORK [js] SSL peer certificate
validation failed: self signed certificate
2018-11-21T13:11:10.584+0000 E QUERY [js] Error:
couldn't connect to server IP:port, connection attempt failed:
SSLHandshakeFailed: SSL peer certificate validation failed: self signed certificate :
connect@src/mongo/shell/mongo.js:257:13
@(connect):1:6
exception: connect failed
My connection string is the following:
mongo --ssl --sslCAFile /PATH/TO/rootCA.pem --sslPEMKeyFile /PATH/TO/mongodb.pem --host IP:port
I have not found any resources on re-signing certificates for mongoDB. Any help would be much appreciated.
EDIT
/etc/mongod.conf :
# mongod.conf
# for documentation of all options, see:
# http://docs.mongodb.org/manual/reference/configuration-options/
# Where and how to store data.
storage:
dbPath: /var/lib/mongodb
journal:
enabled: true
# engine:
# mmapv1:
# wiredTiger:
# where to write logging data.
systemLog:
destination: file
logAppend: true
path: /var/log/mongodb/mongod.log
# network interfaces
net:
port: PORT
bindIp: IP
ssl:
mode: requireSSL
PEMKeyFile: /etc/ssl/mongodb.pem
CAFile: /etc/ssl/rootCA.pem
# how the process runs
processManagement:
timeZoneInfo: /usr/share/zoneinfo
#security:
security:
authorization: "enabled"
#operationProfiling:
#replication:
#sharding:
## Enterprise-Only Options:
#auditLog:
#snmp:
mongodb ssl openssl ubuntu-16.04
mongodb ssl openssl ubuntu-16.04
edited Nov 28 at 8:53
asked Nov 21 at 13:23
Nicolas Gaborel
287
287
Are you using the correct sslCAFile? Shouldn't it be/PATH/TO/abc.crt
?
– Aniket Maithani
Nov 21 at 14:16
@AniketMaithani I tried using the .crt as per your suggestion, I getError: network error while attempting to run command 'isMaster' on host
andSSL peer certificate validation failed: self signed certificate
in the log. The connection string in my question is the same I used before and it used to work.
– Nicolas Gaborel
Nov 21 at 15:09
Adding the--sslAllowInvalidCertificates
option in the mongo connection string yields the following error message:[js] Error: network error while attempting to run command 'isMaster' on host
andSSL peer certificate validation failed: self signed certificate
in the log.
– Nicolas Gaborel
Nov 27 at 15:24
1
Hey @Nicolas can you post your /etc/mongod.conf file here ? Meanwhile try using the following : dpaste.de/U4Lm
– Aniket Maithani
Nov 28 at 2:06
Hi @AniketMaithani I edited my question to add the .conf file. I tried your solution (and commented out the rootCA.pem line in the .conf file) but withmongod --sslMode requireSSL --sslPEMKeyFile /etc/ssl/mongodb.pem
I getexception in initAndListen: NonExistentPath: Data directory /data/db not found., terminating
and when restarting the service, in the log I have the following errorWARNING: No SSL certificate validation can be performed since no CA file has been provided
– Nicolas Gaborel
Nov 28 at 8:57
|
show 3 more comments
Are you using the correct sslCAFile? Shouldn't it be/PATH/TO/abc.crt
?
– Aniket Maithani
Nov 21 at 14:16
@AniketMaithani I tried using the .crt as per your suggestion, I getError: network error while attempting to run command 'isMaster' on host
andSSL peer certificate validation failed: self signed certificate
in the log. The connection string in my question is the same I used before and it used to work.
– Nicolas Gaborel
Nov 21 at 15:09
Adding the--sslAllowInvalidCertificates
option in the mongo connection string yields the following error message:[js] Error: network error while attempting to run command 'isMaster' on host
andSSL peer certificate validation failed: self signed certificate
in the log.
– Nicolas Gaborel
Nov 27 at 15:24
1
Hey @Nicolas can you post your /etc/mongod.conf file here ? Meanwhile try using the following : dpaste.de/U4Lm
– Aniket Maithani
Nov 28 at 2:06
Hi @AniketMaithani I edited my question to add the .conf file. I tried your solution (and commented out the rootCA.pem line in the .conf file) but withmongod --sslMode requireSSL --sslPEMKeyFile /etc/ssl/mongodb.pem
I getexception in initAndListen: NonExistentPath: Data directory /data/db not found., terminating
and when restarting the service, in the log I have the following errorWARNING: No SSL certificate validation can be performed since no CA file has been provided
– Nicolas Gaborel
Nov 28 at 8:57
Are you using the correct sslCAFile? Shouldn't it be
/PATH/TO/abc.crt
?– Aniket Maithani
Nov 21 at 14:16
Are you using the correct sslCAFile? Shouldn't it be
/PATH/TO/abc.crt
?– Aniket Maithani
Nov 21 at 14:16
@AniketMaithani I tried using the .crt as per your suggestion, I get
Error: network error while attempting to run command 'isMaster' on host
and SSL peer certificate validation failed: self signed certificate
in the log. The connection string in my question is the same I used before and it used to work.– Nicolas Gaborel
Nov 21 at 15:09
@AniketMaithani I tried using the .crt as per your suggestion, I get
Error: network error while attempting to run command 'isMaster' on host
and SSL peer certificate validation failed: self signed certificate
in the log. The connection string in my question is the same I used before and it used to work.– Nicolas Gaborel
Nov 21 at 15:09
Adding the
--sslAllowInvalidCertificates
option in the mongo connection string yields the following error message: [js] Error: network error while attempting to run command 'isMaster' on host
and SSL peer certificate validation failed: self signed certificate
in the log.– Nicolas Gaborel
Nov 27 at 15:24
Adding the
--sslAllowInvalidCertificates
option in the mongo connection string yields the following error message: [js] Error: network error while attempting to run command 'isMaster' on host
and SSL peer certificate validation failed: self signed certificate
in the log.– Nicolas Gaborel
Nov 27 at 15:24
1
1
Hey @Nicolas can you post your /etc/mongod.conf file here ? Meanwhile try using the following : dpaste.de/U4Lm
– Aniket Maithani
Nov 28 at 2:06
Hey @Nicolas can you post your /etc/mongod.conf file here ? Meanwhile try using the following : dpaste.de/U4Lm
– Aniket Maithani
Nov 28 at 2:06
Hi @AniketMaithani I edited my question to add the .conf file. I tried your solution (and commented out the rootCA.pem line in the .conf file) but with
mongod --sslMode requireSSL --sslPEMKeyFile /etc/ssl/mongodb.pem
I get exception in initAndListen: NonExistentPath: Data directory /data/db not found., terminating
and when restarting the service, in the log I have the following error WARNING: No SSL certificate validation can be performed since no CA file has been provided
– Nicolas Gaborel
Nov 28 at 8:57
Hi @AniketMaithani I edited my question to add the .conf file. I tried your solution (and commented out the rootCA.pem line in the .conf file) but with
mongod --sslMode requireSSL --sslPEMKeyFile /etc/ssl/mongodb.pem
I get exception in initAndListen: NonExistentPath: Data directory /data/db not found., terminating
and when restarting the service, in the log I have the following error WARNING: No SSL certificate validation can be performed since no CA file has been provided
– Nicolas Gaborel
Nov 28 at 8:57
|
show 3 more comments
1 Answer
1
active
oldest
votes
up vote
0
down vote
accepted
I managed to get it to work again by following these steps (which, for some reason, did not work before):
- remove mongodb.* files from
/etc/ssl/
- regenerate certificates with the commands:
- openssl genrsa -out mongodb.key 2048
- openssl req -new -key mongodb.key -out mongodb.csr
- Server address in the field
Common Name (eg, YOUR name)
- openssl x509 -req -in mongodb.csr -CA rootCA.pem -CAkey /PATH/TO/rootCA.key -CAcreateserial -out mongodb.crt -days 500 -sha256
- cat mongodb.key mongodb.crt > mongodb.pem
- chmod 666 mongodb.pem
- service mongod restart
- cat /var/log/mongodb/mongod.log (to check status)
And to launch the mongo shell
- mongo --ssl --sslCAFile /PATH/TO/rootCA.pem --sslPEMKeyFile /PATH/TO/mongodb.pem --host IP:PORT
Thank you @AniketMaithani for trying to help me solve this issue.
add a comment |
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
up vote
0
down vote
accepted
I managed to get it to work again by following these steps (which, for some reason, did not work before):
- remove mongodb.* files from
/etc/ssl/
- regenerate certificates with the commands:
- openssl genrsa -out mongodb.key 2048
- openssl req -new -key mongodb.key -out mongodb.csr
- Server address in the field
Common Name (eg, YOUR name)
- openssl x509 -req -in mongodb.csr -CA rootCA.pem -CAkey /PATH/TO/rootCA.key -CAcreateserial -out mongodb.crt -days 500 -sha256
- cat mongodb.key mongodb.crt > mongodb.pem
- chmod 666 mongodb.pem
- service mongod restart
- cat /var/log/mongodb/mongod.log (to check status)
And to launch the mongo shell
- mongo --ssl --sslCAFile /PATH/TO/rootCA.pem --sslPEMKeyFile /PATH/TO/mongodb.pem --host IP:PORT
Thank you @AniketMaithani for trying to help me solve this issue.
add a comment |
up vote
0
down vote
accepted
I managed to get it to work again by following these steps (which, for some reason, did not work before):
- remove mongodb.* files from
/etc/ssl/
- regenerate certificates with the commands:
- openssl genrsa -out mongodb.key 2048
- openssl req -new -key mongodb.key -out mongodb.csr
- Server address in the field
Common Name (eg, YOUR name)
- openssl x509 -req -in mongodb.csr -CA rootCA.pem -CAkey /PATH/TO/rootCA.key -CAcreateserial -out mongodb.crt -days 500 -sha256
- cat mongodb.key mongodb.crt > mongodb.pem
- chmod 666 mongodb.pem
- service mongod restart
- cat /var/log/mongodb/mongod.log (to check status)
And to launch the mongo shell
- mongo --ssl --sslCAFile /PATH/TO/rootCA.pem --sslPEMKeyFile /PATH/TO/mongodb.pem --host IP:PORT
Thank you @AniketMaithani for trying to help me solve this issue.
add a comment |
up vote
0
down vote
accepted
up vote
0
down vote
accepted
I managed to get it to work again by following these steps (which, for some reason, did not work before):
- remove mongodb.* files from
/etc/ssl/
- regenerate certificates with the commands:
- openssl genrsa -out mongodb.key 2048
- openssl req -new -key mongodb.key -out mongodb.csr
- Server address in the field
Common Name (eg, YOUR name)
- openssl x509 -req -in mongodb.csr -CA rootCA.pem -CAkey /PATH/TO/rootCA.key -CAcreateserial -out mongodb.crt -days 500 -sha256
- cat mongodb.key mongodb.crt > mongodb.pem
- chmod 666 mongodb.pem
- service mongod restart
- cat /var/log/mongodb/mongod.log (to check status)
And to launch the mongo shell
- mongo --ssl --sslCAFile /PATH/TO/rootCA.pem --sslPEMKeyFile /PATH/TO/mongodb.pem --host IP:PORT
Thank you @AniketMaithani for trying to help me solve this issue.
I managed to get it to work again by following these steps (which, for some reason, did not work before):
- remove mongodb.* files from
/etc/ssl/
- regenerate certificates with the commands:
- openssl genrsa -out mongodb.key 2048
- openssl req -new -key mongodb.key -out mongodb.csr
- Server address in the field
Common Name (eg, YOUR name)
- openssl x509 -req -in mongodb.csr -CA rootCA.pem -CAkey /PATH/TO/rootCA.key -CAcreateserial -out mongodb.crt -days 500 -sha256
- cat mongodb.key mongodb.crt > mongodb.pem
- chmod 666 mongodb.pem
- service mongod restart
- cat /var/log/mongodb/mongod.log (to check status)
And to launch the mongo shell
- mongo --ssl --sslCAFile /PATH/TO/rootCA.pem --sslPEMKeyFile /PATH/TO/mongodb.pem --host IP:PORT
Thank you @AniketMaithani for trying to help me solve this issue.
answered Nov 28 at 10:16
Nicolas Gaborel
287
287
add a comment |
add a comment |
Thanks for contributing an answer to Stack Overflow!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Some of your past answers have not been well-received, and you're in danger of being blocked from answering.
Please pay close attention to the following guidance:
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53413017%2fmongodb-connection-attempt-failed-sslhandshakefailed-ssl-peer-certificate-vali%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Are you using the correct sslCAFile? Shouldn't it be
/PATH/TO/abc.crt
?– Aniket Maithani
Nov 21 at 14:16
@AniketMaithani I tried using the .crt as per your suggestion, I get
Error: network error while attempting to run command 'isMaster' on host
andSSL peer certificate validation failed: self signed certificate
in the log. The connection string in my question is the same I used before and it used to work.– Nicolas Gaborel
Nov 21 at 15:09
Adding the
--sslAllowInvalidCertificates
option in the mongo connection string yields the following error message:[js] Error: network error while attempting to run command 'isMaster' on host
andSSL peer certificate validation failed: self signed certificate
in the log.– Nicolas Gaborel
Nov 27 at 15:24
1
Hey @Nicolas can you post your /etc/mongod.conf file here ? Meanwhile try using the following : dpaste.de/U4Lm
– Aniket Maithani
Nov 28 at 2:06
Hi @AniketMaithani I edited my question to add the .conf file. I tried your solution (and commented out the rootCA.pem line in the .conf file) but with
mongod --sslMode requireSSL --sslPEMKeyFile /etc/ssl/mongodb.pem
I getexception in initAndListen: NonExistentPath: Data directory /data/db not found., terminating
and when restarting the service, in the log I have the following errorWARNING: No SSL certificate validation can be performed since no CA file has been provided
– Nicolas Gaborel
Nov 28 at 8:57