I am trying to configure ssl/tls with mongod on ubuntu 20.04 LTS. mongod version is 5.0.5.
For the ssl/tls certificate, I am using certificates from Let's Encrypt. I used this command to generate the ssl/tls certificate:
sudo certbot certonly --standalone --preferred-challenges http -d example.domain.com
To configure it with mongod, I did the following steps:
Copied the fullchain.pem and privkey.pem files into a folder.
Used this command to generate the mongodb.pem file for mongod:
cat privkey.pem fullchain.pem > mongodb.pem
For ca.pem, I went to this URL, https://letsencrypt.org/certificates/, and downloaded the Intermediate Certificates -> Active -> Let's Encrypt R3 -> Signed by ISRG Root X1 (pem) file. I saved this file with the name ca.pem in the same directory as the fullchain.pem/privkey.pem files.
Verified the certificate using this command. It returned mongodb.pem: OK
openssl verify -CAfile ca.crt mongodb.pem
Then I configured ssl/tls with mongod by adding the following lines to /etc/mongod.conf:
net:
  port: 27017
  bindIp: 0.0.0.0
  tls:
    mode: requireTLS
    certificateKeyFile: /path/to/mongodb.pem
    CAFile: /path/to/ca.pem
    allowConnectionsWithoutCertificates: false
Restarted the mongod service and it is running with active (running) status.
I am trying to connect to mongodb using the following command:
mongo --tls --tlsCAFile ca.pem --tlsCertificateKeyFile mongodb.pem --host mongodb.example-domain.com
But I am getting this error when I try to connect to mongodb using the above command:
SSL peer certificate validation failed: unable to get issuer certificate
I don't know what I am doing wrong in the whole process. If anybody can help me with this ssl/tls certificate issue, thanks.
I am trying to configure the SSL certificates in MongoDB. For that, I took a sample domain name like myapptest.tk using freenom (online) and generated certificates for that domain name using sslforfree (online). I assigned that domain name to my MongoDB server IP in the /etc/hosts file. After that I downloaded those certificates and configured them in the /etc/mongod.conf file.
Here are the SSL configurations which I have used in mongod.conf:
net:
  port: 27017
  bindIp: 0.0.0.0 # Enter 0.0.0.0,:: to bind to all IPv4 and IPv6 addresses or, alternatively, use the net.bindIpAll setting.
  ssl:
    mode: requireSSL
    PEMKeyFile: /etc/ssl/mongodb.pem
    CAFile: /etc/ssl/ca_bundle.crt
    allowConnectionsWithoutCertificates: false
    allowInvalidHostnames: false
    disabledProtocols: TLS1_0,TLS1_1
Here I am combining certificate.crt and private.key into mongodb.pem, passing it as the value of PEMKeyFile, and passing ca_bundle.crt as the value of CAFile. Finally I restarted the mongod service using the command:
sudo service mongod restart
The mongodb server is running successfully. Now I am trying to connect to the mongodb server with the command:
mongo --ssl --sslPEMKeyFile /etc/ssl/mongodb.pem --sslCAFile /etc/ssl/ca_bundle.crt --host myapptest.tk
I am unable to connect to the server. I get an error like:
MongoDB shell version v4.0.8
connecting to: mongodb://myapptest.tk:27017/?gssapiServiceName=mongodb
2019-04-04T19:57:40.401+0000 E NETWORK [js] SSL peer certificate validation failed: unable to get local issuer certificate
2019-04-04T19:57:40.402+0000 E QUERY [js] Error: couldn't connect to server myapptest.tk:27017, connection attempt failed: SSLHandshakeFailed: SSL peer certificate validation failed: unable to get local issuer certificate :
connect@src/mongo/shell/mongo.js:343:13
@(connect):2:6
exception: connect failed
If I use the mongo command with the option --sslAllowInvalidCertificates, like
mongo --ssl --sslAllowInvalidCertificates
I am able to connect to the mongodb server; otherwise, I am unable to connect to the server.
What is wrong with the SSL certificate configuration in the mongod.conf file?
What I want to know is: can we connect to the MongoDB server with --sslCAFile?
How do I generate the --sslPEMKeyFile and --sslCAFile in *.pem format for mongodb?
Below is the link which I have followed:
https://docs.mongodb.com/manual/tutorial/configure-ssl/
Could anybody suggest how to achieve this?
I created an SSL certificate valid for the domain myapp.mydomain.com using dehydrated, https://github.com/lukas2511/dehydrated, which uses the ACME protocol.
I have set this up on my mongodb server in my cloud. When I try to access the mongo server like this: mongo myapp.mydomain.com:27018 --ssl from my local machine (where the certificate was generated), it works fine.
However, when I try the same command from a mongo:4 docker container, I get this error:
root@ab9690f43a22:/# mongo myapp.mydomain.com:27018 -ssl
MongoDB shell version v4.0.6
connecting to: mongodb://myapp.mydomain.com:27018/test?gssapiServiceName=mongodb
2019-02-13T04:28:28.957+0000 E NETWORK [js] SSL peer certificate validation failed: unable to get local issuer certificate
2019-02-13T04:28:28.958+0000 E QUERY [js] Error: couldn't connect to server myapp.mydomain.com:27018, connection attempt failed: SSLHandshakeFailed: SSL peer certificate validation failed: unable to get local issuer certificate :
connect@src/mongo/shell/mongo.js:343:13
@(connect):1:6
exception: connect failed
I am not able to understand why it works on my local machine and does not work in the container. Probably the CA is not trusted?
Also, I don't have the ca.pem file. I have attached the list of files that were generated.
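As an added example (not code from any of the posts), the bash script below builds a throwaway root/intermediate/leaf chain with openssl, assembles the server PEM the way the first question does (privkey.pem followed by fullchain.pem), and reproduces the two client-side messages quoted above: "unable to get issuer certificate" when the CA file holds only the intermediate with no root above it (a CAFile that is just the R3 certificate), and "unable to get local issuer certificate" when the leaf's issuer is found neither in the CA file nor among the certificates the server presents. The CA names are constructed, the hostname mongodb.example-domain.com is taken from the first question, and the script assumes openssl 1.1.1 or newer on the PATH.

```shell
#!/usr/bin/env bash
# Added example, not code from any of the posts: build a throwaway root -> intermediate -> leaf
# chain with openssl, assemble the server PEM the way the first question does, and show what a
# TLS client concludes from different CA files. Every name below is constructed for the demo.
set -euo pipefail
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"
HOST="mongodb.example-domain.com"   # hostname used in the first question

# Extension files: both CAs get CA:TRUE, the leaf gets a SAN for HOST.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$HOST" > leaf.ext

# Self-signed root (stand-in for ISRG Root X1).
openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr -subj "/CN=Demo Root" 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -days 2 -extfile ca.ext -out root.pem 2>/dev/null
# Intermediate signed by the root (stand-in for Let's Encrypt R3).
openssl req -new -newkey rsa:2048 -nodes -keyout int.key -out int.csr -subj "/CN=Demo Intermediate" 2>/dev/null
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial -days 2 -extfile ca.ext -out int.pem 2>/dev/null
# Server leaf for HOST, signed by the intermediate (what certbot hands out as cert.pem).
openssl req -new -newkey rsa:2048 -nodes -keyout privkey.pem -out leaf.csr -subj "/CN=$HOST" 2>/dev/null
openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial -days 2 -extfile leaf.ext -out cert.pem 2>/dev/null

# certbot's fullchain.pem is leaf + intermediate; mongod's certificateKeyFile is key + that chain.
cat cert.pem int.pem > fullchain.pem
cat privkey.pem fullchain.pem > mongodb.pem

# verify_as_client CAFILE PRESENTED: what a client trusting CAFILE concludes when the server
# presents the certificates in PRESENTED. Echoes OK or openssl's reason for rejecting the chain.
verify_as_client() {
  local out
  out=$(openssl verify -CAfile "$1" -untrusted "$2" cert.pem 2>&1) || true
  case $out in
    *": OK"*) echo OK ;;
    *) printf '%s\n' "$out" | sed -n 's/.*depth lookup: *//p' | head -n 1 ;;
  esac
}

# The private key in mongodb.pem must belong to the certificate in it (catches a wrong file
# being concatenated); both commands print the same PEM public key when they match.
key_matches_cert() {
  [ "$(openssl pkey -in mongodb.pem -pubout 2>/dev/null)" = "$(openssl x509 -in mongodb.pem -pubkey -noout)" ]
}

echo "root as CAFile, leaf+intermediate presented: $(verify_as_client root.pem fullchain.pem)"
echo "intermediate alone as CAFile:                $(verify_as_client int.pem fullchain.pem)"
echo "leaf presented without its intermediate:     $(verify_as_client root.pem cert.pem)"
key_matches_cert && echo "private key in mongodb.pem matches its certificate"
```

Running the same verify_as_client check against your own ca.pem and fullchain.pem before restarting mongod shows which of the two failures a client will see.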
In the course of migrating off Parse's servers before it shuts down, I'm trying to set up a simple MongoDB instance on Digital Ocean. (I'm using that instead of mLab because my needs are very limited, a few MB of storage and a few hundred requests per week, and for that mLab's costs are pretty high.)
I've got mongod running, and have made some progress with SSL thanks to this guide using Let's Encrypt, but now I'm stuck. Parse's migration tool says, "No reachable servers," and if I try to connect on the command line like this:
mongo --ssl -u editAdmin -p "<password-here>" --host mydb.myhost.com dbname
I get this error:
MongoDB shell version: 3.2.7
connecting to: mydb.myhost.com:27017/dbname
2016-07-24T10:31:38.814-0700 E QUERY [thread1] Error: network error while attempting to run command 'isMaster' on host 'mydb.myhost.com:27017' :
connect@src/mongo/shell/mongo.js:231:14
@(connect):1:6
exception: connect failed
The server log reports:
2016-07-24T13:32:44.357-0400 I NETWORK [initandlisten] connection accepted from 12.345.67.89:33351 #39 (1 connection now open)
2016-07-24T13:32:44.390-0400 E NETWORK [conn39] no SSL certificate provided by peer; connection rejected
2016-07-24T13:32:44.390-0400 I NETWORK [conn39] end connection 12.345.67.89:33351 (0 connections now open)
So that would suggest the client needs to provide a cert, but (a) I don't know how to provide one, and (b) Parse doesn't provide that as an option so there must be some way not to.
Thanks in advance for your help.
The key error message is this one:
no SSL certificate provided by peer; connection rejected
When you enable TLS/SSL on MongoDB, MongoDB clients can now authenticate that the MongoDB server is who it claims to be by comparing the MongoDB server's TLS/SSL certificate (specified by the PEMKeyFile property in the mongod.conf file) against the public Certificate Authority certificate that you provide to the MongoDB client to indicate which Certificate Authority you trust.
But what I just described is sometimes called one-way TLS, whereas, by default, MongoDB enables two-way or mutual TLS authentication. The idea behind this is that maybe the MongoDB server doesn't want to accept client requests from just anyone (the way a public website might), but wants to authenticate the clients as well.
In TLS Mutual Auth, the same Certificate Authority I mentioned above will issue client certificates and the MongoDB server will check the client's certificate to make sure it really was issued by the Certificate Authority in question and that it's valid (e.g. hasn't expired).
So this error is saying "Hey, I expect my clients to present a TLS certificate, but you're not presenting anything."
The way to fix it is described at Configure mongod and mongos for TLS/SSL:
If you want to bypass validation for clients that don't present certificates, include the allowConnectionsWithoutCertificates run-time option with mongod and mongos. If the client does not present a certificate, no validation occurs. These connections, though not validated, are still encrypted using SSL.
Of course, you can specify this in the mongod.conf file as well: https://docs.mongodb.com/manual/reference/configuration-options/#net.ssl.allowConnectionsWithoutCertificates
My preferred solution looks like this:
net:
  port: 27017
  bindIp: 172.0.0.1 # Set this to whatever your private IP address is
  ssl:
    mode: "requireSSL"
    PEMKeyFile: "/path/to/tls/private/key"
    CAFile: "/path/to/ca/public/cert"
    disabledProtocols: "TLS1_0,TLS1_1"
    allowConnectionsWithoutCertificates: true # <-- The line to add to your config
Your command is using the SSL option (and I assume Parse is doing the same), so you are trying to connect using SSL. A client must provide a cert when using SSL. This link explains how to do this and also specifically mentions your issue: https://docs.mongodb.com/manual/tutorial/configure-ssl-clients/
Just follow this tutorial, everything is there, I know that for sure because I was following that and now I have parse-server running without any previous knowledge... I would recommend using the MongoDB connection without an SSL certificate and allowing only localhost queries to it, so only the parse-server that runs on the same machine will access this DB...
I have been able to start mongo in ssl mode with the following command:
mongod --sslMode requireSSL --sslPEMKeyFile ~/datastore.pem --sslCAFile ~/datastore.ca-bundle
datastore.pem was created by combining the .crt (issued by Comodo SSL) and the .key (used when generating the CSR).
I am trying to connect to my mongo instance with the command below:
mongo --ssl --sslPEMKeyFile ~/datastore.pem --sslCAFile ~/datastore.ca-bundle
I get the following message when I try to connect:
MongoDB shell version: 3.0.5
connecting to: test
2015-08-10T03:35:43.456+0000 E NETWORK SSL peer certificate validation failed:certificate not trusted
2015-08-10T03:35:43.458+0000 E QUERY Error: socket exception [CONNECT_ERROR] for
at connect (src/mongo/shell/mongo.js:179:14)
at (connect):1:6 at src/mongo/shell/mongo.js:179
I am very new to SSL setup in mongo; any pointers on successfully connecting to mongo using SSL would be helpful. I have read the security section of 10gen multiple times, but no direct answer.