I have created a docker container with a mongodb image. I created a self-signed certificate for the secure connections to the database following this guide.
I started trying to make a connection with these certificates where rootCA.pem is the self-signed certificate of the computer that will become the certifier, in this case the same. And mongodb.pem is the .key of the server + the .crt.
root#8bc7b8cd6a0d:/# mongo --tls --tlsCAFile /data/db/certs/rootCA.pem --tlsCertificateKeyFile /data/db/certs/mongodb.pem --host 172.17.0.2:27017
MongoDB shell version v4.2.6
connecting to: mongodb://172.17.0.2:27017/?compressors=disabled&gssapiServiceName=mongodb
2020-04-29T09:21:21.255+0000 E QUERY [js] Error: couldn't connect to server 172.17.0.2:27017, connection attempt failed: SocketException: stream truncated :
connect#src/mongo/shell/mongo.js:341:17
#(connect):2:6
2020-04-29T09:21:21.259+0000 F - [main] exception: connect failed
2020-04-29T09:21:21.259+0000 E - [main] exiting with code 1
root#8bc7b8cd6a0d:/#
root#8bc7b8cd6a0d:/# mongo --tls --tlsCAFile /data/db/certs/rootCA.pem --tlsCertificateKeyFile /data/db/certs/mongodb.pem
MongoDB shell version v4.2.6
connecting to: mongodb://127.0.0.1:27017/?compressors=disabled&gssapiServiceName=mongodb
2020-05-05T19:39:52.308+0000 E QUERY [js] Error: couldn't connect to server 127.0.0.1:27017, connection attempt failed: SocketException: stream truncated :
connect#src/mongo/shell/mongo.js:341:17
#(connect):2:6
2020-05-05T19:39:52.358+0000 F - [main] exception: connect failed
2020-05-05T19:39:52.359+0000 E - [main] exiting with code 1
root#8bc7b8cd6a0d:/#
The certificates are stored in the following directory, which is in a volume to the container to store the data from the database.
root#auzal-virtual-machine:/opt/mimongo# ls certs
mongodb.crt mongodb.csr mongodb.key mongodb.pem rootCA.key rootCA.pem rootCA.srl
Finally the configuration file is structured in the following way, this file is a copy of the original, I say this in case you see that the name is different from normal:
# for documentation of all options, see:
# http://docs.mongodb.org/manual/reference/configuration-options/
# Where and how to store data.
storage:
dbPath: /var/lib/mongodb
journal:
enabled: true
# engine:
# mmapv1:
# wiredTiger:
# where to write logging data.
systemLog:
destination: file
logAppend: true
path: /var/log/mongodb/mongod.log
# network interfaces
net:
port: 27017
bindIp: 127.0.0.1
ssl:
mode: requireSSL
PEMKeyFile: /data/db/certs/mongodb.pem
CAFile: /data/db/certs/rootCA.pem
# how the process runs
processManagement:
timeZoneInfo: /usr/share/zoneinfo
#security:
#operationProfiling:
#replication:
#sharding:
## Enterprise-Only Options:
#auditLog:
#snmp:
I don't know why I get that error, could it be that I am interpreting something wrong with the certificates and not indicating the correct one? What is the error I receive?
reviewing the logs with a statement within the database I get the following error, however this ability in the main configuration file:
Error receiving request from client: SSLHandshakeFailed: SSL handshake received but server is started without SSL support.
The authentication you see is from an administrator user but without a certificate
"2020-05-06T21:46:58.796+0000 I NETWORK [conn3] end connection 127.0.0.1:56360 (0 connections now open)",
"2020-05-06T21:47:02.052+0000 I NETWORK [listener] connection accepted from 127.0.0.1:56362 #4 (1 connection now open)",
"2020-05-06T21:47:02.053+0000 I NETWORK [conn4] Error receiving request from client: SSLHandshakeFailed: SSL handshake received but server is started without SSL support. Ending connection from 127.0.0.1:56362 (connection id: 4)",
"2020-05-06T21:47:02.053+0000 I NETWORK [conn4] end connection 127.0.0.1:56362 (0 connections now open)",
"2020-05-06T21:47:08.628+0000 I NETWORK [listener] connection accepted from 127.0.0.1:56364 #5 (1 connection now open)",
"2020-05-06T21:47:08.629+0000 I NETWORK [conn5] Error receiving request from client: SSLHandshakeFailed: SSL handshake received but server is started without SSL support. Ending connection from 127.0.0.1:56364 (connection id: 5)",
"2020-05-06T21:47:08.629+0000 I NETWORK [conn5] end connection 127.0.0.1:56364 (0 connections now open)",
"2020-05-06T21:47:11.815+0000 I NETWORK [listener] connection accepted from 127.0.0.1:56366 #6 (1 connection now open)",
"2020-05-06T21:47:11.816+0000 I NETWORK [conn6] Error receiving request from client: SSLHandshakeFailed: SSL handshake received but server is started without SSL support. Ending connection from 127.0.0.1:56366 (connection id: 6)",
"2020-05-06T21:47:11.817+0000 I NETWORK [conn6] end connection 127.0.0.1:56366 (0 connections now open)",
"2020-05-06T21:47:21.515+0000 I NETWORK [listener] connection accepted from 127.0.0.1:56368 #7 (1 connection now open)",
"2020-05-06T21:47:21.515+0000 I NETWORK [conn7] Error receiving request from client: SSLHandshakeFailed: SSL handshake received but server is started without SSL support. Ending connection from 127.0.0.1:56368 (connection id: 7)",
"2020-05-06T21:47:21.516+0000 I NETWORK [conn7] end connection 127.0.0.1:56368 (0 connections now open)",
"2020-05-06T21:50:17.250+0000 I NETWORK [listener] connection accepted from 127.0.0.1:56374 #8 (1 connection now open)",
"2020-05-06T21:50:17.251+0000 I NETWORK [conn8] Error receiving request from client: SSLHandshakeFailed: SSL handshake received but server is started without SSL support. Ending connection from 127.0.0.1:56374 (connection id: 8)",
"2020-05-06T21:50:17.251+0000 I NETWORK [conn8] end connection 127.0.0.1:56374 (0 connections now open)",
"2020-05-06T21:51:48.008+0000 I NETWORK [listener] connection accepted from 127.0.0.1:56396 #9 (1 connection now open)",
"2020-05-06T21:51:48.009+0000 I NETWORK [conn9] received client metadata from 127.0.0.1:56396 conn9: { application: { name: \"MongoDB Shell\" }, driver: { name: \"MongoDB Internal Client\", version: \"4.2.6\" }, os: { type: \"Linux\", name: \"Ubuntu\", architecture: \"x86_64\", version: \"18.04\" } }",
"2020-05-06T21:51:54.405+0000 I NETWORK [conn9] end connection 127.0.0.1:56396 (0 connections now open)",
"2020-05-06T21:52:03.681+0000 I NETWORK [listener] connection accepted from 127.0.0.1:56402 #10 (1 connection now open)",
"2020-05-06T21:52:03.682+0000 I NETWORK [conn10] received client metadata from 127.0.0.1:56402 conn10: { application: { name: \"MongoDB Shell\" }, driver: { name: \"MongoDB Internal Client\", version: \"4.2.6\" }, os: { type: \"Linux\", name: \"Ubuntu\", architecture: \"x86_64\", version: \"18.04\" } }",
"2020-05-06T21:52:03.682+0000 I SHARDING [conn10] Marking collection admin.system.users as collection version: <unsharded>",
"2020-05-06T21:52:03.776+0000 I ACCESS [conn10] SASL SCRAM-SHA-256 authentication failed for admin on admin from client 127.0.0.1:56402 ; AuthenticationFailed: SCRAM authentication failed, storedKey mismatch",
"2020-05-06T21:52:03.786+0000 I NETWORK [conn10] end connection 127.0.0.1:56402 (0 connections now open)",
"2020-05-06T21:52:16.138+0000 I NETWORK [listener] connection accepted from 127.0.0.1:56404 #11 (1 connection now open)",
"2020-05-06T21:52:16.139+0000 I NETWORK [conn11] received client metadata from 127.0.0.1:56404 conn11: { application: { name: \"MongoDB Shell\" }, driver: { name: \"MongoDB Internal Client\", version: \"4.2.6\" }, os: { type: \"Linux\", name: \"Ubuntu\", architecture: \"x86_64\", version: \"18.04\" } }",
"2020-05-06T21:52:16.215+0000 I ACCESS [conn11] Successfully authenticated as principal admin on admin from client 127.0.0.1:56404"
],
"ok" : 1
}
> db.adminCommand( { getLog: "global" } )
I followed this guide when creating my certificate. I initially used the certificate created from here but it didn't work. Using the server certificate did the trick.
I am trying to test a mongoDB installation with self signed certificates. I followed the instructions in the mongoDB documentation for creating the 'pem' files using the copy links on each page:
Appendix A - OpenSSL CA Certificate for Testing
Appendix B - OpenSSL Server Certificates for Testing
Appendix C - OpenSSL Client Certificates for Testing
I updated the /etc/mongod.conf as such:
# network interfaces
net:
port: 27017
bindIp: 0.0.0.0
tls:
mode: requireTLS
certificateKeyFile: /etc/ssl/mongodb/test-server1.pem
allowConnectionsWithoutCertificates: true
allowInvalidHostnames: true
allowInvalidCertificates: true
CAFile: /etc/ssl/mongodb/mongodb-test-ca.crt
Originally I did not have the 'allow' option, but they do not make a difference so I am leaving the in for now.
Running the mongodb shell results in this error:
root#ip-10-0-3-61:~/mongo-cert# mongo --tls --tlsCertificateKeyFile test-client.pem
MongoDB shell version v4.2.5
connecting to: mongodb://127.0.0.1:27017/?compressors=disabled&gssapiServiceName=mongodb
2020-04-17T17:07:25.809+0000 E NETWORK [js] SSL peer certificate validation failed: self signed certificate in certificate chain
2020-04-17T17:07:25.810+0000 E QUERY [js] Error: couldn't connect to server 127.0.0.1:27017, connection attempt failed: SSLHandshakeFailed: SSL peer certificate validation failed: self signed certificate in certificate chain :
connect#src/mongo/shell/mongo.js:341:17
#(connect):2:6
2020-04-17T17:07:25.812+0000 F - [main] exception: connect failed
2020-04-17T17:07:25.812+0000 E - [main] exiting with code 1
root#ip-10-0-3-61:~/mongo-cert#
If I add the '--tlsAllowInvalidCertificates' in the command it works:
root#ip-10-0-3-61:~/mongo-cert# mongo --tls --tlsCertificateKeyFile test-client.pem --tlsAllowInvalidCertificates
MongoDB shell version v4.2.5
connecting to: mongodb://127.0.0.1:27017/?compressors=disabled&gssapiServiceName=mongodb
2020-04-17T17:09:18.934+0000 W NETWORK [js] SSL peer certificate validation failed: self signed certificate in certificate chain
Implicit session: session { "id" : UUID("3b0d0920-931d-4143-a8a2-afde432c1444") }
MongoDB server version: 4.2.5
>
I have read other people who have followed the mongodb instructions successfully.
I just do not understand what I have done wrong.
You need to provide the CA file to mongo also (the --tlsCAFile option), in addition to the client certificate.
When full verification is enabled with TLS both server and client validate the other's certificate. This means both must have access to the CA cert used for signing the leaf certs.
I'm trying to connect to a MongoDB server from a client application. I have TLS enabled, and I'm using a Self Signed Certificate. The below are the details:
OS: Windows Server 2016
MongoDB Version: 4.2.5
mongod.cfg (config file):
net:
tls:
mode: requireTLS
certificateSelector: subject=server1.com
allowInvalidCertificates: true
disabledProtocols: none
systemLog:
destination: file
path: F:\MongoDB\log\mongod.log
logAppend: true
storage:
dbPath: F:\MongoDB\data
net:
bindIp: localhost,server1.com
port: 27017
I have created a RootCA, and created server1.pfx (CN=server1.com). Then exported rootca.cer (with no key) and server1.cer (with no key) and installed them on the server where the client app is running to the Trusted Root Authority (rootca.cer) and Personal (server1.cer).
I'm using the below connection string:
mongodb://user:*******************#server1.com:27017/CustomerDB?authSource=CustomerDB&tls=true&tlsAllowInvalidCertificates=true
Error I get:
Error receiving request from client: SSLHandshakeFailed: The server is configured to only allow SSL connections
I have added tls=true, and have enabled TLS 1.1 and 1.2 on the server in which the client app is running. I'm able to connect to the MongoDB from a different app, running in a different server with the same connection string.
Your client is not using TLS.
Note that tls=true is a relatively recently added option. Be sure you are using a current version of the MongoDB driver.
Our Mongo Cluster is ssl secured using a self signed certificate. Below URL works fine while connecting to mongo shell.
mongo --host testserver --port 27017 --authenticationMechanism PLAIN --authenticationDatabase='$external' --username test --password tester123 --ssl --sslCAFile /opt/mongo/certs/test-ca.pem
While converting this to mongodb:// type connection string, we have tried numerous options like below but getting errors:
mongo "mongodb://test:tester123#testserver:27017/?authSource="'$external'"&authMechanism=PLAIN&ssl=true&sslCAFile='/opt/mongo/certs/test-ca.pem'"
Error:
connecting to: mongodb://testserver:27017/?authMechanism=PLAIN&authSource=%24external&gssapiServiceName=mongodb&ssl=true&sslCAFile=%27%2Fopt%2Fmongo%2Fcerts%2Ftest-ca.pem%27
2020-02-26T06:01:55.936+0000 E NETWORK [js] SSL peer certificate validation failed: self signed certificate in certificate chain
2020-02-26T06:01:55.937+0000 E QUERY [js] Error: couldn't connect to server testserver:27017, connection attempt failed: SSLHandshakeFailed: SSL peer certificate validation failed: self signed certificate in certificate chain :
connect#src/mongo/shell/mongo.js:344:17
#(connect):3:6
exception: connect failed
Tried many options like sslValidate=true, sslPEMKeyFile='/opt/mongo/test-ca.pem', but all are giving same error.
A little background...my certificate is a LetsEncrypt.org SSL certificate issued with Certbot. I'm running Nginx 1.12.2, and I'm able to properly access my website using https:// so I believe that portion is configured properly. My web server is running Ubuntu 16.04 and MongoDB 3.6.3.
I have tried many configurations and while I can connect to my MongoDB just fine using Compass (the official MongoDB GUI) without the SSL option, attempts to connect with SSL result in a Could not connect to MongoDB on the provided host and port error message. Running mongo -ssl --sslPEMKeyFile /etc/ssl/mongo.pem on my server results in the following error:
MongoDB shell version v3.6.3
connecting to: mongodb://127.0.0.1:27017
2018-06-12T16:51:10.756+0000 E NETWORK [thread1] SSL peer certificate validation failed: unable to get local issuer certificate
2018-06-12T16:51:10.757+0000 E QUERY [thread1] Error: socket exception [CONNECT_ERROR] for SSL peer certificate validation failed: unable to get local issuer certificate :
connect#src/mongo/shell/mongo.js:251:13
#(connect):1:6
exception: connect failed
My /var/log/mongodb/mongod.log shows the following which corresponds to the error above:
2018-06-12T16:51:10.755+0000 I NETWORK [listener] connection accepted from 127.0.0.1:47792 #8 (2 connections now open)
2018-06-12T16:51:10.757+0000 I NETWORK [conn8] end connection 127.0.0.1:47792 (1 connection now open)
My /etc/mongod.conf contains the following (I've commented out the CAFile parameter as I've read this is optional for now [source: https://stackoverflow.com/a/33926129/2969615 ]; note that I get mongo.pem: OK when running the openssl verify -CAfile /etc/ca.pem /etc/mongo.pem command, so I believe mongo.pem is properly set up):
# network interfaces
net:
port: 27017
bindIp: 0.0.0.0
ssl:
mode: allowSSL
PEMKeyFile: /etc/ssl/mongo.pem
# CAFile: /etc/ssl/ca.pem
I've created my mongo.pem file by referring to the following: https://serverfault.com/a/878457 ...I have tried the certificate in the instructions as well as both X3 intermediate certificates available at https://letsencrypt.org/certificates/ to no avail.
Any help would be greatly appreciated.
Very late to the party, but just in case it does help someone. I am running mongodb inside docker with the official image from mongo and compass from another docker image.
For the server I use:
docker run -it --name data.domain.com --network docker_network -v /path/to/ssl:/ssl:ro -e MONGO_INITDB_ROOT_USERNAME=admin -e MONGO_INITDB_ROOT_PASSWORD=pass mongo --tlsMode requireTLS --tlsCertificateKeyFile /ssl/fullchain-key.pem --tlsCAFile /etc/ssl/certs/ISRG_Root_X1.pem
fullchain-key.pem is 'cat fullchain.pem privkey.pem > fullchain-key.pem'
docker name or server name must match certificate name
For Compass I use:
The server has it's own certificate and compass as well.