i am getting issue while getting mongodump . i have mongodb 4.4 having ssl/Tls enabled for server side as well as for client.
but while taking dump getting the following Error:
2021-03-11T15:57:55.639+0530 Failed: can't create session: error configuring the connector: error configuring client, can't load client certificate: tls: private key type does not match public key type
although i am able to login with mongo shell.
mongo -u ms -p --authenticationDatabase "admin" --tls --tlsCAFile /etc/mongodb/ssl/ca-mongo.crt --tlsCertificateKeyFile /etc/mongodb/ssl/host1.pem --host host1
Add --tlsAllowInvalidHostnames to the command. It disables the validation of the hostnames
Full command
mongo -u ms -p --authenticationDatabase "admin" --tlsAllowInvalidHostnames --tls --tlsCAFile /etc/mongodb/ssl/ca-mongo.crt --tlsCertificateKeyFile /etc/mongodb/ssl/host1.pem --host host1
https://docs.mongodb.com/manual/reference/program/mongo/#cmdoption-mongo-tlsallowinvalidhostnames
If you are using version 4.2 or below then you have to use --sslAllowInvalidHostnames. https://docs.mongodb.com/manual/reference/program/mongo/#cmdoption-mongo-tlsallowinvalidhostnames
Related
i tried to create a dump of a mongodb database on remote server which is running centos,nginx,mongodb v4.0.18 using the following command..
mongodump --host localhost:27017 --authenticationDatabase admin --username <uname> --password <password> --db <db> --out <path to dump>
but im getting the following error
Failed: error connecting to db server: server returned error on SASL authentication step: Authentication failed.
I just replaced --host localhost:27017 for --port 27017. My db is in localhost too. I omitted --db <db> --out <path to dump> too. I point to my db with the --authenticationDatabase flag.
I hope this helps.
I am trying to connect to a mongodb service hosted on IBM Cloud following this instructions.
When I run the following command
mongo -u $USERNAME -p $PASSWORD --ssl --sslCAFile c5f07836-d94c-11e8-a2e9-62ec2ed68f84 --authenticationDatabase admin --host replset/bdb98a3ac10-0.b8a5e798d2d04f2e860d042c915.databases.appdomain.cloud:30484,bd576-96db98a3ac10-1.b8a5e4e5d042c915.databases.appdomain.cloud:30484
I get this error on macOs, while on Windows 10 the connection is correctly estiblished:
SSL peer certificate validation failed: Certificate trust failure:
Invalid Extended Key Usage for policy; connection rejected
If I connect via MongoDB Compass instead of using the terminal the connection works
I had to add --sslAllowInvalidCertificates flag
https://docs.mongodb.com/manual/reference/configuration-options/#net.ssl.allowConnectionsWithoutCertificates
In order for me to connect to this [secure] Mongo instance I have to run the following command:
mongo --ssl --host sampleHostname --sslPEMKeyFile /path/to/user.pem --sslCAFile /path/to/mongoca.cer --authenticationDatabase '$external' --authenticationMechanism=MONGODB-X509
I am trying to do a mongodump command to get the data but I keep running into the following errors:
Attempt 1
mongodump -d mydb
Failed: error connecting to db server: no reachable servers
Attempt 2
Can't create backup mongodump with --db. Authentication failed
mongodump -d mydb --authenticationDatabse '$external'
Failed: error connecting to db server: no reachable servers
Attempt 3 Using the same command as how I connect.
mongodump -d mydb --ssl --host sampleHostname --sslPEMKeyFile /path/to/user.pem --sslCAFile /path/to/mongoca.cer --authenticationDatabase '$external' --authenticationMechanism=MONGODB-X509
Failed: error getting collections for database 'mydb': error running 'listCollections'. Database: 'mydb' Err: not authorized on 'mydb' to execute command {listCollections: 1, cursor: {} }
I have tried the same command with sudo but it still returns the same error.
Attempt 4 Minimum permission for using mongodump (to dump a specific db)
mongodump -d mydb --ssl --host sampleHostname --sslPEMKeyFile /path/to/user.pem --sslCAFile /path/to/mongoca.cer --authenticationDatabase '$external' --authenticationMechanism=MONGODB-X509 --excludeCollection=system.indexes
Failed: error getting collections for database 'mydb': error running 'listCollections'. Database: 'mydb' Err: not authorized on 'mydb' to execute command {listCollections: 1, cursor: {} }
I am stuck and I am eventually going to run mongorestore but I do not want to run this without making sure I am able to backup first. I imagine the solution for mongodump will resolve any possible issues I may have with mongorestore (if any).
I found the solution thanks to this blog post , looks you have to set the -u value with the CN when using 509 and $external.
mongodump --ssl --sslPEMKeyFile user.pem --sslCAFile cap.pem --sslAllowInvalidHostnames --authenticationMechanism=MONGODB-X509 --authenticationDatabase '$external' --host "rsTmpCloudManager/10.100.15.118:27017,10.100.16.237:27017,10.100.17.107:27017" -d testJoce -u "CN=???,OU=???,O=???,L=???,ST=???,C=??"
Getting mongodump and mongorestore work with security quite troublesome.
I have mongod v3.4.1 with requireSSL running at 192.168.99.100. It is IP address of VirtualBox docker machine running on my Windows. It is just for testing of-cause.
The instance already configured to use TLS/SSL both server and client signed with the same CA. I use the IP address for mongod Common Name to allow hostname validation. The authentication already enabled to accept my client certificate.
So everything is working. I can connect to it like this:
mongo --ssl --host 192.168.99.100 --sslCAFile rootCA.pem --sslPEMKeyFile me.pem
but now I can't get both mongodump and mongorestore working:
mongodump --ssl --host 192.168.99.100 --sslCAFile rootCA.pem --sslPEMKeyFile me.pem -d olddb
mongorestore --ssl --host 192.168.99.100 --sslCAFile rootCA.pem --sslPEMKeyFile me.pem -d newdb --dir=dump/olddb
Both return this error:
2017-01-13T04:28:03.881+0800 Failed: error connecting to db server: no reachable servers, openssl error: Host validation error
I have been trying to turn off client certificate, use username/password but still did not work. I need to remove the SSL in order to make it work.
That means I can only use preferSSL in production.
There is no way to bypass SSL in localhost if I stick with requireSSL.
Anyone getting the same error? Is it a known issue?
Add this option to the command-line:
--sslAllowInvalidHostnames
Full connection sample:
mongo --host 192.168.99.100 --username luke
--password skywalker --authenticationDatabase admin --ssl --sslCAFile rootCA.pem --sslPEMKeyFile me.pem --sslAllowInvalidHostnames
First check your logs at path /var/log/mongodb/mongod.log
Also there is default path of SSL Certificates. And for unix based systems given an SSL certificate located at /etc/ssl/mongodb.pem
As per my understanding for this problem, i would say certificate path needs to be checked. SSL certificate is not located in your windows environment. Try adding full path of certificate.
Also look into this https://docs.mongodb.com/manual/tutorial/configure-ssl-clients/
Happy coding
I have a mongodb server v 3.2 configured to use ssl for client connections, with a custom-generated certificate.
I can connect to the server using mongo.exe with the following format:
C:\mongodb\bin>mongo.exe myhost:27017/mydb --sslPEMKeyFile
C:\etc\ssl\mongodb.pem --ssl --username myuser --password mypassword
--sslAllowInvalidCertificates
Is it possible to write an equal mongodb connection string (mongodb://....)?
According to the documentation, there is the only ssl parameter, that seems to be not enough.
Could you try to connect to mongo.exe with the parameter like below:
"mongodb://myuser:mypassword#myhost:27017/mydb?ssl=true&sslAllowInvalidCertificates=true&sslPEMKeyFile=C:/etc/ssl/mongodb.pem"
This works:
mongo --host server --ssl --sslCAFile C:\Path\mongodb-server.pem
--sslPEMKeyFile C:\Path\mongodb-client.pem --sslPEMKeyPassword
password -u user -p --authenticationDatabase admin