Windows version : 10
Mongodb version : 6.0.2
Tools : mongosh
Hello, I am trying to set up mongodb with TLS and accessing the mongodb instance through mongosh using client certificate.
I followed the steps mentionned here : https://www.mongodb.com/docs/manual/core/security-transport-encryption/ to configure the mongod with TLS.
The configuration is successful and I can successfully start mongodb using below command :
mongod --tlsMode requireTLS --tlsCertificateKeyFile C:\OpenSSL\openssl-0.9.8k_X64\bin\test-server1.pem
my mongod.cfg has the below settings for network:
# network interfaces
net:
port: 27017
bindIp: 127.0.0.1
tls:
mode: requireTLS
tlsCertificateKeyFile: C:\OpenSSL\openssl-0.9.8k_X64\bin\test-server1.pem
My issue is when trying to connect through mongosh, I am getting below error:
Connecting to: mongodb://localhost:27017/?directConnection=true&serverSelectionTimeoutMS=2000&tls=true&tlsCertificateKeyFile=C%3A%5COpenSSL%5Copenssl-0.9.8k_X64%5Cbin%5Ctest-client.pem&tlsCAFile=C%3A%5COpenSSL%5Copenssl-0.9.8k_X64%5Cbin%5Ctest-ca.pem&appName=mongosh+1.6.0
MongoServerSelectionError: read ECONNRESET
I used steps on
https://www.mongodb.com/docs/manual/appendix/security/appendixC-openssl-client/#std-label-appendix-client-certificate to generate client certificate above.
Server certificate was generated following these steps :
https://www.mongodb.com/docs/manual/appendix/security/appendixB-openssl-server/#std-label-appendix-server-certificate
The message
MongoServerSelectionError: read ECONNRESET
is not giving any value in understanding the error. I understand its an openssl error but why am getting this error is unclear.
Any help will be appreciated.
I had the following error in log.
{"error":{"code":141,"codeName":"SSLHandshakeFailed","errmsg":"SSL handshake received but server is started without SSL}
I started mongodb again with new tls config and now its ok. Thanks –
mongod --tlsMode requireTLS --tlsCertificateKeyFile C:\OpenSSL\openssl-0.9.8k_X64\bin\test-server1.pem
mongosh --tls --host localhost --tlsCertificateKeyFile C:\OpenSSL\openssl-0.9.8k_X64\bin\test-client.pem --tlsCAFile C:\OpenSSL\openssl-0.9.8k_X64\bin\test-ca.pem
We can also store the tls options in the config file
port: 27017
bindIp: 127.0.0.1
tls:
mode: requireTLS
tlsCertificateKeyFile: C:\OpenSSL\openssl-0.9.8k_X64\bin\test-server1.pem
Related
I am trying to test a mongoDB installation with self signed certificates. I followed the instructions in the mongoDB documentation for creating the 'pem' files using the copy links on each page:
Appendix A - OpenSSL CA Certificate for Testing
Appendix B - OpenSSL Server Certificates for Testing
Appendix C - OpenSSL Client Certificates for Testing
I updated the /etc/mongod.conf as such:
# network interfaces
net:
port: 27017
bindIp: 0.0.0.0
tls:
mode: requireTLS
certificateKeyFile: /etc/ssl/mongodb/test-server1.pem
allowConnectionsWithoutCertificates: true
allowInvalidHostnames: true
allowInvalidCertificates: true
CAFile: /etc/ssl/mongodb/mongodb-test-ca.crt
Originally I did not have the 'allow' option, but they do not make a difference so I am leaving the in for now.
Running the mongodb shell results in this error:
root#ip-10-0-3-61:~/mongo-cert# mongo --tls --tlsCertificateKeyFile test-client.pem
MongoDB shell version v4.2.5
connecting to: mongodb://127.0.0.1:27017/?compressors=disabled&gssapiServiceName=mongodb
2020-04-17T17:07:25.809+0000 E NETWORK [js] SSL peer certificate validation failed: self signed certificate in certificate chain
2020-04-17T17:07:25.810+0000 E QUERY [js] Error: couldn't connect to server 127.0.0.1:27017, connection attempt failed: SSLHandshakeFailed: SSL peer certificate validation failed: self signed certificate in certificate chain :
connect#src/mongo/shell/mongo.js:341:17
#(connect):2:6
2020-04-17T17:07:25.812+0000 F - [main] exception: connect failed
2020-04-17T17:07:25.812+0000 E - [main] exiting with code 1
root#ip-10-0-3-61:~/mongo-cert#
If I add the '--tlsAllowInvalidCertificates' in the command it works:
root#ip-10-0-3-61:~/mongo-cert# mongo --tls --tlsCertificateKeyFile test-client.pem --tlsAllowInvalidCertificates
MongoDB shell version v4.2.5
connecting to: mongodb://127.0.0.1:27017/?compressors=disabled&gssapiServiceName=mongodb
2020-04-17T17:09:18.934+0000 W NETWORK [js] SSL peer certificate validation failed: self signed certificate in certificate chain
Implicit session: session { "id" : UUID("3b0d0920-931d-4143-a8a2-afde432c1444") }
MongoDB server version: 4.2.5
>
I have read other people who have followed the mongodb instructions successfully.
I just do not understand what I have done wrong.
You need to provide the CA file to mongo also (the --tlsCAFile option), in addition to the client certificate.
When full verification is enabled with TLS both server and client validate the other's certificate. This means both must have access to the CA cert used for signing the leaf certs.
I'm trying to connect to a MongoDB server from a client application. I have TLS enabled, and I'm using a Self Signed Certificate. The below are the details:
OS: Windows Server 2016
MongoDB Version: 4.2.5
mongod.cfg (config file):
net:
tls:
mode: requireTLS
certificateSelector: subject=server1.com
allowInvalidCertificates: true
disabledProtocols: none
systemLog:
destination: file
path: F:\MongoDB\log\mongod.log
logAppend: true
storage:
dbPath: F:\MongoDB\data
net:
bindIp: localhost,server1.com
port: 27017
I have created a RootCA, and created server1.pfx (CN=server1.com). Then exported rootca.cer (with no key) and server1.cer (with no key) and installed them on the server where the client app is running to the Trusted Root Authority (rootca.cer) and Personal (server1.cer).
I'm using the below connection string:
mongodb://user:*******************#server1.com:27017/CustomerDB?authSource=CustomerDB&tls=true&tlsAllowInvalidCertificates=true
Error I get:
Error receiving request from client: SSLHandshakeFailed: The server is configured to only allow SSL connections
I have added tls=true, and have enabled TLS 1.1 and 1.2 on the server in which the client app is running. I'm able to connect to the MongoDB from a different app, running in a different server with the same connection string.
Your client is not using TLS.
Note that tls=true is a relatively recently added option. Be sure you are using a current version of the MongoDB driver.
I have installed Mongo on my OSX
$ brew info mongodb
mongodb: stable 4.0.2 (bottled)
...
I'm starting MongoDB service by this command:
$ brew services start mongodb
I can observe the status of mongodb:
$ brew services list
Name Status User Plist
mongodb started megas /Users/megas/Library/LaunchAgents/homebrew.mxcl.mongodb.plist
...
But when I'm running mongo client it give me an error:
$ mongo
MongoDB shell version v4.0.2
connecting to: mongodb://127.0.0.1:27017
2018-09-19T15:18:22.490+0300 E QUERY [js] Error: couldn't connect to server 127.0.0.1:27017, connection attempt failed: SocketException: Error connecting to 127.0.0.1:27017 :: caused by :: Connection refused :
connect#src/mongo/shell/mongo.js:257:13
#(connect):1:6
exception: connect failed
When I manually start mongod then it works as it should be.
What I'm missing here?
Update:
If I run it manually it throughs message and stops
$ mongod --config /usr/local/etc/mongod.conf
2018-09-19T21:47:51.531+0300 I CONTROL [main] Automatically disabling
TLS 1.0, to force-enable TLS 1.0 specify --sslDisabledProtocols 'none'
$ cat /usr/local/etc/mongod.conf
# Store data in /usr/local/var/mongodb instead of the default /data/db
dbpath = /usr/local/var/mongodb
# Append logs to /usr/local/var/log/mongodb/mongo.log
logpath = /usr/local/var/log/mongodb/mongo.log
logappend = true
# Only accept local connections
bind_ip = 127.0.0.1
A little background...my certificate is a LetsEncrypt.org SSL certificate issued with Certbot. I'm running Nginx 1.12.2, and I'm able to properly access my website using https:// so I believe that portion is configured properly. My web server is running Ubuntu 16.04 and MongoDB 3.6.3.
I have tried many configurations and while I can connect to my MongoDB just fine using Compass (the official MongoDB GUI) without the SSL option, attempts to connect with SSL result in a Could not connect to MongoDB on the provided host and port error message. Running mongo -ssl --sslPEMKeyFile /etc/ssl/mongo.pem on my server results in the following error:
MongoDB shell version v3.6.3
connecting to: mongodb://127.0.0.1:27017
2018-06-12T16:51:10.756+0000 E NETWORK [thread1] SSL peer certificate validation failed: unable to get local issuer certificate
2018-06-12T16:51:10.757+0000 E QUERY [thread1] Error: socket exception [CONNECT_ERROR] for SSL peer certificate validation failed: unable to get local issuer certificate :
connect#src/mongo/shell/mongo.js:251:13
#(connect):1:6
exception: connect failed
My /var/log/mongodb/mongod.log shows the following which corresponds to the error above:
2018-06-12T16:51:10.755+0000 I NETWORK [listener] connection accepted from 127.0.0.1:47792 #8 (2 connections now open)
2018-06-12T16:51:10.757+0000 I NETWORK [conn8] end connection 127.0.0.1:47792 (1 connection now open)
My /etc/mongod.conf contains the following (I've commented out the CAFile parameter as I've read this is optional for now [source: https://stackoverflow.com/a/33926129/2969615 ]; note that I get mongo.pem: OK when running the openssl verify -CAfile /etc/ca.pem /etc/mongo.pem command, so I believe mongo.pem is properly set up):
# network interfaces
net:
port: 27017
bindIp: 0.0.0.0
ssl:
mode: allowSSL
PEMKeyFile: /etc/ssl/mongo.pem
# CAFile: /etc/ssl/ca.pem
I've created my mongo.pem file by referring to the following: https://serverfault.com/a/878457 ...I have tried the certificate in the instructions as well as both X3 intermediate certificates available at https://letsencrypt.org/certificates/ to no avail.
Any help would be greatly appreciated.
Very late to the party, but just in case it does help someone. I am running mongodb inside docker with the official image from mongo and compass from another docker image.
For the server I use:
docker run -it --name data.domain.com --network docker_network -v /path/to/ssl:/ssl:ro -e MONGO_INITDB_ROOT_USERNAME=admin -e MONGO_INITDB_ROOT_PASSWORD=pass mongo --tlsMode requireTLS --tlsCertificateKeyFile /ssl/fullchain-key.pem --tlsCAFile /etc/ssl/certs/ISRG_Root_X1.pem
fullchain-key.pem is 'cat fullchain.pem privkey.pem > fullchain-key.pem'
docker name or server name must match certificate name
For Compass I use:
The server has it's own certificate and compass as well.
I have an install of ubuntu 14.04 x64 The only thing I have done to it is fresh update and install mongodb and pritunl. Here is how I installed both
$ nano /etc/apt/sources.list.d/mongodb-org-3.0.list
deb http://repo.mongodb.org/apt/ubuntu trusty/mongodb-org/3.0 multiverse
$ nano /etc/apt/sources.list.d/pritunl.list
deb http://repo.pritunl.com/stable/apt trusty main
$ apt-key adv --keyserver hkp://keyserver.ubuntu.com --recv 7F0CEB10
$ apt-key adv --keyserver hkp://keyserver.ubuntu.com --recv CF8E292A
$ apt-get update
$ apt-get install pritunl mongodb-org
$ service pritunl start
Now I would like to enable auth on mongodb 3.0.9 for this I have used guide here
https://medium.com/#matteocontrini/how-to-setup-auth-in-mongodb-3-0-properly-86b60aeef7e8#.a1nfxsy3a
After I create the first user and I
security:
authorization: enabled
I run into problems I cant make any connection from the locahost here is the error I receive
~# mongo pritunl --port 27017 -u admin -p passwordhere --authe nticationDatabase admin
MongoDB shell version: 3.0.9
connecting to: 127.0.0.1:27017/pritunl
2016-02-08T00:18:54.096-0500 W NETWORK Failed to connect to 127.0.0.1:27017, re ason: errno:111 Connection refused
2016-02-08T00:18:54.098-0500 E QUERY Error: couldn't connect to server 127.0. 0.1:27017 (127.0.0.1), connection attempt failed
at connect (src/mongo/shell/mongo.js:181:14)
at (connect):1:6 at src/mongo/shell/mongo.js:181
exception: connect failed
Or attempting to connect to admin
~# mongo admin — port 27017 -u admin -p password — authenticationDatabase admin
MongoDB shell version: 3.0.9
connecting to: 127.0.0.1:27017/admin
2016–02–07T09:54:09.436–0500 W NETWORK Failed to connect to 127.0.0.1:27017, reason: errno:111 Connection refused
2016–02–07T09:54:09.438–0500 E QUERY Error: couldn’t connect to server 127.0.0.1:27017 (127.0.0.1), connection attempt failed
at connect (src/mongo/shell/mongo.js:181:14)
at (connect):1:6 at src/mongo/shell/mongo.js:181
exception: connect failed
Or any other way I try and make a connection. I feel like I am missing something simple. I thought maybe I was screwing up the user creation so I have used tried using http://3t.io/mongochef/ gui to take my potential typing errors out of the user creation.
I have been fighting this for a few days and wearing google out but not getting traction. At this point I am will to pay for some help in figuring out what Im messing up but I would like to know how to fix it so I have the knowledge of how to implement basic security. I can pay with bitcoin
# mongod.conf
# for documentation of all options, see:
# http://docs.mongodb.org/manual/reference/configuration-options/
# Where and how to store data.
storage:
dbPath: /var/lib/mongodb
journal:
enabled: true
# engine:
# mmapv1:
# wiredTiger:
# where to write logging data.
systemLog:
destination: file
logAppend: true
path: /var/log/mongodb/mongod.log
# network interfaces
net:
port: 27017
bindIp: 127.0.0.1
#processManagement:
security:
authorization: enabled
#operationProfiling:
#replication:
#sharding:
## Enterprise-Only Options:
#auditLog:
#snmp: