We Keep Coding

Connection attempt failed : Socket Exception - MongoDB TLS encryption on Ubuntu 16.04

I am facing this error on my ubuntu 16.04 machine while trying to encrypt data from the client to the server using TLS/SSL on Mongodb:
As requested, here is my command in text format :
mongo --tls --tlsCAFile rootCA.pem --tlsCertificateKeyFile mongodb.pem --host 127.0.0.1:27017
I have created a CA certificate which I have self-signed, and created the mongodb.pem file too as it is required for tls/ssl encryption.
Does anybody know how to fix it ? If you need more info I would gladly provide them.
This is my mongodb.conf file :
mongod.conf
# for documentation of all options, see:
# http://docs.mongodb.org/manual/reference/configuration-options/
# Where and how to store data.
storage:
dbPath: /var/lib/mongodb
journal:
enabled: true
# engine:
# mmapv1:
# wiredTiger:
# where to write logging data.
systemLog:
destination: file
logAppend: true
path: /var/log/mongodb/mongod.log
# network interfaces
net:
port: 27017
bindIp: 127.0.0.1
tls :
mode : requireTLS
certificateKeyFile : /home/youssef/mongodb.pem
# how the process runs
processManagement:
timeZoneInfo: /usr/share/zoneinfo
#security:
#operationProfiling:
#replication:
#sharding:
## Enterprise-Only Options:
#auditLog:
#snmp:
And I used this method to create a user :
db.createUser( { user: "accountAdmin01",
pwd: "password", // Or "<cleartext password>
roles: [ { role: "clusterAdmin", db: "admin" }])
This is the error I get from the logs :
"msg":"Error receiving request from client. Ending connection from remote","attr":{"error":{"code":141,"codeName":"SSLHandshakeFailed","errmsg":"SSL handshake received but server is started without SSL support"},"remote":"127.0.0.1:34766","connectionId":4}}
And just in case you are wondering where I got the rootCA.pem and mongodb.pem files, I just went through this tutorial : https://rajanmaharjan.medium.com/secure-your-mongodb-connections-ssl-tls-92e2addb3c89

According to your config file and createUser you use the TLS/SSL certificate only to encrypt the connection. In this case skip --tlsCertificateKeyFile mongodb.pem option.
The MongoDB server provides the certificate (mongodb.pem), the client has to verify this certificate by using the CA rootCA.pem
If you like to use --tlsCertificateKeyFile, then you must specify the CAFile in mongodb.conf. Otherwise the MongoDB server cannot verify the certificate provided from the client:
net:
port: 27017
bindIp: 127.0.0.1
tls :
mode : requireTLS
certificateKeyFile : /home/youssef/mongodb.pem
CAFile: /etc/ssl/rootCA.pem
allowConnectionsWithoutCertificates: true # if you like to permit connections with and without certificate
Note, try openssl verify -CAfile rootCA.pem mongodb.pem in order to check if your certificate is working and valid.

Mongo DB Version 5 Access Control With Two Read Replicas

I have three ubuntu 20.04 servers:
db-master
db-node1
db-node2
I would like to know how to enable access control.
The servers work fine except when the following configuration is added to /etc/mongod.conf Thanks in advance:
$ mongo --version
MongoDB shell version v5.0.1
$ sudo vim /etc/mongod.conf
security:
keyFile: "/home/ubuntu/security.keyFile"
authorization: enabled
$ sudo systemctl status mongod
● mongod.service - MongoDB Database Server
Loaded: loaded (/lib/systemd/system/mongod.service; disabled; vendor preset: enabled)
Active: active (running)
$ sudo systemctl restart mongod
ubuntu#db-node2:~$ sudo systemctl status mongod
● mongod.service - MongoDB Database Server
Loaded: loaded (/lib/systemd/system/mongod.service; disabled; vendor preset: enabled)
Active: failed
# mongod.conf
# for documentation of all options, see:
# http://docs.mongodb.org/manual/reference/configuration-options/
# Where and how to store data.
storage:
dbPath: /var/lib/mongodb
journal:
enabled: true
# engine:
# wiredTiger:
# where to write logging data.
systemLog:
destination: file
logAppend: true
path: /var/log/mongodb/mongod.log
# network interfaces
net:
port: 27017
bindIp: 0.0.0.0
# how the process runs
processManagement:
timeZoneInfo: /usr/share/zoneinfo
#security:
#operationProfiling:
replication:
replSetName: "rs0"
#sharding:
## Enterprise-Only Options:
#auditLog:
security:
keyFile: "/home/ubuntu/security.keyFile"
authorization: enabled
#snmp:

Solution
ubuntu#:~$ sudo chown mongodb [PATH TO KEY FILE]
ubuntu#:~$ sudo chgrp root [PATH TO KEY FILE]
ubuntu#:~$ sudo chmod 400 [PATH TO KEY FILE]

MongoDB Config server replication setup failing - Pinging failed for distributed lock pinger

I have to setup 2 node mongodb config server(for testing) and when adding second node as slave it is failing
repset_init.js file details
rs.add( { host: "10.0.1.222:27017" } )
rs.add( { host: "10.0.2.41:27017" } )
printjson(rs.status())
command executed for replicaset addition
mongo -u xxxxx -p yyyy --authenticationDatabase admin --port 27017 repset_init.js
My initialization command
mongo --host 127.0.0.1 --port {{mongod_port}} --eval 'printjson(rs.initiate())'
My config file
net:
bindIp: 0.0.0.0
port: 27017
ssl: {}
processManagement:
fork: "true"
pidFilePath: /var/run/mongodb/mongod.pid
replication:
replSetName: configRS
security:
authorization: enabled
keyFile: /etc/zzzzzkey.key
setParameter:
authenticationMechanisms: SCRAM-SHA-256
sharding:
clusterRole: configsvr
storage:
dbPath: /data/dbdata
engine: wiredTiger
systemLog:
destination: file
path: /data/log/mongodb.log
Below are the errors in the log file
{"t":{"$date":"2021-06-09T14:37:36.071+00:00"},"s":"I", "c":"REPL", "id":4508702, "ctx":"conn16","msg":"Waiting for the current config to propagate to a majority of nodes"}
{"t":{"$date":"2021-06-09T14:37:53.143+00:00"},"s":"I", "c":"COMMAND", "id":51803, "ctx":"replSetDistLockPinger","msg":"Slow query","attr":{"type":"command","ns":"config.lockpings","command":{"findAndModify":"lockpings","query":{"_id":"ConfigServer"},"update":{"$set":{"ping":{"$date":"2021-06-09T14:37:38.125Z"}}},"upsert":true,"writeConcern":{"w":"majority","wtimeout":15000},"$db":"config"},"planSummary":"IDHACK","keysExamined":1,"docsExamined":1,"nMatched":1,"nModified":1,"keysInserted":1,"keysDeleted":1,"numYields":0,"reslen":585,"locks":{"ParallelBatchWriterMode":{"acquireCount":{"r":1}},"ReplicationStateTransition":{"acquireCount":{"w":1}},"Global":{"acquireCount":{"w":1}},"Database":{"acquireCount":{"w":1}},"Collection":{"acquireCount":{"w":1}},"Mutex":{"acquireCount":{"r":1}}},"flowControl":{"acquireCount":1,"timeAcquiringMicros":1},"writeConcern":{"w":"majority","wtimeout":15000,"provenance":"clientSupplied"},"storage":{},"protocol":"op_msg","durationMillis":15017}}
{"t":{"$date":"2021-06-09T14:37:53.143+00:00"},"s":"W", "c":"SHARDING", "id":22668, "ctx":"replSetDistLockPinger","msg":"Pinging failed for distributed lock pinger","attr":{"error":{"code":64,"codeName":"WriteConcernFailed","errmsg":"waiting for replication timed out; Error details: { wtimeout: true, writeConcern: { w: \"majority\", wtimeout: 15000, provenance: \"clientSupplied\" } }"}}}
{"t":{"$date":"2021-06-09T14:38:08.065+00:00"},"s":"I", "c":"CONNPOOL", "id":22572, "ctx":"MirrorMaestro","msg":"Dropping all pooled connections","attr":{"hostAndPort":"10.0.2.41:27017","error":"ShutdownInProgress: Pool for 10.0.2.41:27017 has expired."}}
Please guide me

MongoDB Cluster Setup

I am trying to setup a 3 node MongoDB cluster.
1) Started mongodb in all 3 nodes with the below config file.
net:
bindIp: 0.0.0.0
port: 10901
setParameter:
enableLocalhostAuthBypass: false
systemLog:
destination: file
path: "<LOG_PATH>"
logAppend: true
processManagement:
fork: true
storage:
dbPath: "<DB_PATH>/data"
journal:
enabled: true
security:
keyFile : "<KEY_FILE_PATH>"
sharding:
clusterRole: "configsvr"
replication:
replSetName: "configReplSet"
2) Created Admin user in one of the config node and able to login with the admin user.
mongo --port 10901 -u "admin" -p "adminpwd" --authenticationDatabase "admin" --host <IP>
now the console says, user:PRIMARY>
3) Created replica set using the below command.
rs.initiate(
{
_id: "configReplSet",
configsvr: true,
members: [
{ _id : 0, host : "<IP1>:10901" },
{ _id : 1, host : "<IP2>:10901" },
{ _id : 2, host : "<IP3>:10901" }
]
}
)
4) Executed rs.status() and got the proper output.
5) Started Mongo shards with the below config in all 3 instances.
net:
bindIp: 0.0.0.0
port: 10903
setParameter:
enableLocalhostAuthBypass: false
systemLog:
destination: file
path: "<LOG_PATH>"
logAppend: true
processManagement:
fork: true
storage:
dbPath: "<DB_PATH>/shard_data/"
journal:
enabled: true
security:
keyFile : "<KEY_FILE>"
sharding:
clusterRole: "shardsvr"
replication:
replSetName: "shardReplSet"
6) Created Admin user in one of the shard node also and able to login with the admin user.
mongo --port 10903 -u "admin" -p "adminpwd" --authenticationDatabase "admin" --host <IP>
7) Created shard replica set using the below command.
rs.initiate(
{
_id: "shardReplSet",
members: [
{ _id : 0, host : "<IP1>:10903" },
{ _id : 1, host : "<IP2>:10903" },
{ _id : 2, host : "<IP3>:10903" }
]
}
)
8) Started the router with the below config
# where to write logging data.
systemLog:
destination: file
logAppend: true
path: <LOG_PATH_FOR_MONGOS>
# network interfaces
net:
port: 10902
security:
keyFile: <KEY_FILE>
processManagement:
fork: true
sharding:
configDB: configReplSet/<IP1>:10901,<IP2>:10901,<IP3>:10901
6) Connected to mongos using mongo
mongo --port 10902 -u "admin" -p "adminpwd" --authenticationDatabase "admin" --host <IP>
Now, I see the below in my command.
MongoDB server version: 3.4.2
mongos>
7) Now added each shard in the mongos interface.
Since, I have configured replica set,
sh.addShard("shardReplSet/:10903, :10903, :10903")
Issues :-
1) Unable to connect to mongodb from the remote machine
I am able to connect to the other node within these 3 nodes.
From Node1,
mongo --port 10902 -u "user" -p "password" --authenticationDatabase "admin" --host
mongo --port 10902 -u "user" -p "password" --authenticationDatabase "admin" --host
mongo --port 10902 -u "user" -p "password" --authenticationDatabase "admin" --host
All the above 3 connections are working from Node1 and Node2 and Node3.
But If I try from my localhost to connect to these instances, i get timeout error.
I am able to ssh to these servers.
2) I am running config on port 10901, shard on port 10903 and router on port 10902. Running, config, shard and router on each node. Is this ok?
DB path for config and shard are different. Have to create admin user on each service(config, shard, router). Is this correct?
Created replica set for config and shard server, but not for router? Is this ok?
4) Unable to connect to these instances from a remote mongo chef tool. I use the router port to connect to these instances? Is this correct? If so, Do I need to run router on each node?
5) Do we need to connect to the port 10903 or 10902 or 10901 to create new databases, create new users for db's.?
6) Is there anything else important to be added here?
Thanks

When creating first admin user on mongdb cluster getting error "couldn't add user: not authorized on admin to execute command"

I am using mongoDB Cluster with version 3.4 in google cloud compute engine, actually past week my database got attacked by hackers that's why i thought about using authorization so that i can avoid these types of attack. Now to add Authorizations i saw this article how-to-create-mongodb-replication-clusters, now i have added a keyfile with chmod 0600 on each of my cluster node, but now when i am trying to add my first admin user i am getting below error
use admin
switched to db admin
rs0:PRIMARY> db.createUser({user: "RootAdmin", pwd: "password123", roles: [ { role: "root", db: "admin" } ]});
2017-01-21T18:19:09.814+0000 E QUERY [main] Error: couldn't add user: not authorized on admin to execute comm
and { createUser: "RootAdmin", pwd: "xxx", roles: [ { role: "root", db: "admin" } ], digestPassword: false, writ
eConcern: { w: "majority", wtimeout: 300000.0 } } :
_getErrorWithCode#src/mongo/shell/utils.js:25:13
DB.prototype.createUser#src/mongo/shell/db.js:1290:15
#(shell):1:1
I have searched everywhere but haven't found anything on why i am getting this error.
Can anyone please help me how can i solve this error.
UPDATE
My config file is given below for each of the instances
Secondary Server Config
#!/bin/bash
# mongod.conf
# for documentation of all options, see:
# http://docs.mongodb.org/manual/reference/configuration-options/
# Where and how to store data.
storage:
dbPath: /var/lib/mongodb
journal:
enabled: false
#engine:
mmapv1:
smallFiles: true
# wiredTiger:
# where to write logging data.
systemLog:
destination: file
logAppend: true
path: /var/log/mongodb/mongod.log
# network interfaces
net:
port: 27017
bindIp: 0.0.0.0
replication:
replSetName: rs0
#processManagement:
security:
authorization: disabled
keyFile: /opt/mongodb/keyfile
#operationProfiling:
#replication:
#sharding:
## Enterprise-Only Options:
#auditLog:
#snmp:
Arbiter Server Config
#!/bin/bash
# mongod.conf
# for documentation of all options, see:
# http://docs.mongodb.org/manual/reference/configuration-options/
# Where and how to store data.
storage:
dbPath: /mnt/mongodb/db
journal:
enabled: true
#engine:
#mmapv1:
#smallFiles: true
# wiredTiger:
# where to write logging data.
systemLog:
destination: file
logAppend: true
path: /mnt/mongodb/log/mongodb.log
# network interfaces
net:
port: 27017
bindIp: 0.0.0.0
replication:
replSetName: rs0
#processManagement:
security:
authorization: disabled
keyFile: /opt/mongodb/keyfile
#operationProfiling:
#replication:
#sharding:
## Enterprise-Only Options:
#auditLog:
#snmp:
Primary Server Config
#!/bin/bash
# mongod.conf
# for documentation of all options, see:
# http://docs.mongodb.org/manual/reference/configuration-options/
# Where and how to store data.
storage:
dbPath: /mnt/mongodb/db
journal:
enabled: true
#engine:
#mmapv1:
#smallFiles: true
# wiredTiger:
# where to write logging data.
systemLog:
destination: file
logAppend: true
path: /mnt/mongodb/log/mongodb.log
# network interfaces
net:
port: 27017
bindIp: 0.0.0.0
replication:
replSetName: rs0
#processManagement:
security:
authorization: disabled
keyFile: /opt/mongodb/keyfile
#operationProfiling:
#replication:
#sharding:
## Enterprise-Only Options:
#auditLog:
#snmp:

You have to change your mongod.conf file to disable authorization before creating such admin user
security:
authorization: disabled
After that, restart the mongod service and open mongodb shell to create the admin user
use admin
db.createUser({user:"RootAdmin",pwd:"blahblah",roles:["root"]})
Remember to enable authorization back on after creating user.

johnlowvale's answer is correct, but
keyFile implies security.authorization.
source: https://docs.mongodb.com/manual/reference/configuration-options/#security.keyFile
You have to disable authorization AND the keyFile.
security:
authorization: disabled
# keyFile: /opt/mongodb/keyfile
(insufficient rep or I'd have just commented this on johnlowvale's answer)

Once you are connected to this first node, you can initiate the replica set with rs.initiate(). Again, this command must be run from the same host as the mongod to use the localhost exception.
We can create our admin user with the following commands:
rs.initiate()
use admin
db.createUser({
user: "admin",
pwd: "pass",
roles: [
{role: "root", db: "admin"}
]
})

edit vim /lib/systemd/system/mongod.service
remove --auth
restart
#ExecStart=/usr/bin/mongod --quiet --auth --config /etc/mongod.conf
ExecStart=/usr/bin/mongod --quiet --config /etc/mongod.conf
use admin
db.createUser({user:"RootAdmin",pwd:"blahblah",roles:["root"]})

To be able to create a new user, you need to first disable security in /etc/mongod.conf
// security:
// authorization: enabled
Then restart Mongodb server
sudo service mongo restart
After this you can add the user and role that you want from the shell.
db.createUser({
user: 'test_user',
pwd: 'test',
roles: [
{ role: "userAdmin", db: "test" },
{ role: "dbAdmin", db: "test" },
{ role: "readWrite", db: "test" }
]
})
To enable authenticated connection
Uncomment the line again in /etc/mongod.conf
security:
authorization: enabled
and restart the server again

When a new database is setup with authorisation/security enabled but no users set up, you can only connect to it from the localhost. In your config file you should have bind ip set to 127.0.0.1 I think in order to make sure you connect to it with the correct authorisation to create new users.
This is what it says in Mongo course M103
By default, a mongod that enforces authentication but has no configured users only allows connections through the localhost.