Windows version : 10
Mongodb version : 6.0.2
Tools : mongosh
Hello, I am trying to set up mongodb with TLS and accessing the mongodb instance through mongosh using client certificate.
I followed the steps mentionned here : https://www.mongodb.com/docs/manual/core/security-transport-encryption/ to configure the mongod with TLS.
The configuration is successful and I can successfully start mongodb using below command :
mongod --tlsMode requireTLS --tlsCertificateKeyFile C:\OpenSSL\openssl-0.9.8k_X64\bin\test-server1.pem
my mongod.cfg has the below settings for network:
# network interfaces
net:
port: 27017
bindIp: 127.0.0.1
tls:
mode: requireTLS
tlsCertificateKeyFile: C:\OpenSSL\openssl-0.9.8k_X64\bin\test-server1.pem
My issue is when trying to connect through mongosh, I am getting below error:
Connecting to: mongodb://localhost:27017/?directConnection=true&serverSelectionTimeoutMS=2000&tls=true&tlsCertificateKeyFile=C%3A%5COpenSSL%5Copenssl-0.9.8k_X64%5Cbin%5Ctest-client.pem&tlsCAFile=C%3A%5COpenSSL%5Copenssl-0.9.8k_X64%5Cbin%5Ctest-ca.pem&appName=mongosh+1.6.0
MongoServerSelectionError: read ECONNRESET
I used steps on
https://www.mongodb.com/docs/manual/appendix/security/appendixC-openssl-client/#std-label-appendix-client-certificate to generate client certificate above.
Server certificate was generated following these steps :
https://www.mongodb.com/docs/manual/appendix/security/appendixB-openssl-server/#std-label-appendix-server-certificate
The message
MongoServerSelectionError: read ECONNRESET
is not giving any value in understanding the error. I understand its an openssl error but why am getting this error is unclear.
Any help will be appreciated.
I had the following error in log.
{"error":{"code":141,"codeName":"SSLHandshakeFailed","errmsg":"SSL handshake received but server is started without SSL}
I started mongodb again with new tls config and now its ok. Thanks –
mongod --tlsMode requireTLS --tlsCertificateKeyFile C:\OpenSSL\openssl-0.9.8k_X64\bin\test-server1.pem
mongosh --tls --host localhost --tlsCertificateKeyFile C:\OpenSSL\openssl-0.9.8k_X64\bin\test-client.pem --tlsCAFile C:\OpenSSL\openssl-0.9.8k_X64\bin\test-ca.pem
We can also store the tls options in the config file
port: 27017
bindIp: 127.0.0.1
tls:
mode: requireTLS
tlsCertificateKeyFile: C:\OpenSSL\openssl-0.9.8k_X64\bin\test-server1.pem
I am trying to connect Cubejs to MongoDB through MongoDB BI Connect.
My mongosqld command is as follows
./mongosqld --config mongosqld.conf -u useradmin -p xxxx --auth --sslMode requireSSL --sslPEMKeyFile mongo.pem
I have created mongo.pem file by referring below link
Cube.js: Error: ssl is required when using cleartext authentication using MongoDB BI Connector
My Cube.js .ENV configuration is as follows
CUBEJS_DEV_MODE=true
CUBEJS_DB_TYPE=mongobi
CUBEJS_API_SECRET= xxxxxx
CUBEJS_EXTERNAL_DEFAULT=true
CUBEJS_SCHEDULED_REFRESH_DEFAULT=true
CUBEJS_WEB_SOCKETS=true
CUBEJS_DB_HOST=localhost
CUBEJS_DB_NAME=RDM
CUBEJS_DB_USER=useradmin
CUBEJS_DB_PASS=xxxx
CUBEJS_DB_SSL=true
CUBEJS_DB_SSL_REJECT_UNAUTHORIZED=false
After trying to connect Error shown in cubejs
Runtime Error
Cube.js was unable to connect to the specified database.
The database returned the following error:
>Database Error
Error: Error: 19488:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:c:\ws\deps\openssl\openssl\ssl\record\ssl3_record.c:332:
And below error in mongosqld run on powershell
2021-10-12T17:15:06.045+0000 I NETWORK [conn1] connection accepted from 127.0.0.1:61457 #1 (1 connection now open)
2021-10-12T17:15:06.056+0000 E NETWORK [conn1] handshake error: ERROR 1043 (08S01): recv handshake response error: ERROR 1043 (08S01): ssl configuration error: UseCertificateChainFile: SSL errors: 906d06c:PEM routines:PEM_read_bio:no start line
140dc009:SSL routines:SSL_CTX_use_certificate_chain_file:PEM lib
2021-10-12T17:15:06.057+0000 I NETWORK [conn1] end connection 127.0.0.1:61457 (0 connections now open)
From the error I understand that the .pem file generated is not correct. Can someone please help me in this ?
I run MongoDB (version 4.4.1) this way:
mongod --dbpath /tmp/mongotest/1/db --logpath /tmp/mongotest/1/mongod.log --port 27017 --tlsMode requireTLS --tlsCertificateKeyFile /tmp/mongokeys/test-server1.pem --tlsCAFile /tmp/mongokeys/test-ca.pem --tlsAllowConnectionsWithoutCertificates
The test-server1.pem and test-ca.pem files have been generated following the example procedures (this and this) in official MongoDB documentation.
Now I try to connect using mongo shell (version 4.4.1) this way:
mongo --tls
It fails. This is the trace:
MongoDB shell version v4.4.1
connecting to: mongodb://127.0.0.1:27017/?compressors=disabled&gssapiServiceName=mongodb
{"t":{"$date":"2021-03-01T13:18:54.768Z"},"s":"E", "c":"NETWORK", "id":23256, "ctx":"js","msg":"SSL peer certificate validation failed","attr":{"error":"SSL peer certificate validation failed: self signed certificate in certificate chain"}}
Error: couldn't connect to server 127.0.0.1:27017, connection attempt failed: SSLHandshakeFailed: SSL peer certificate validation failed: self signed certificate in certificate chain :
connect#src/mongo/shell/mongo.js:374:17
#(connect):2:6
exception: connect failed
exiting with code 1
In addition, mongod log shows:
{"t":{"$date":"2021-03-01T14:19:40.397+01:00"},"s":"I", "c":"NETWORK", "id":22943, "ctx":"listener","msg":"Connection accepted","attr":{"remote":"127.0.0.1:38934","connectionId":15,"connectionCount":1}}
{"t":{"$date":"2021-03-01T14:19:40.415+01:00"},"s":"W", "c":"NETWORK", "id":23234, "ctx":"conn15","msg":"No SSL certificate provided by peer"}
{"t":{"$date":"2021-03-01T14:19:40.415+01:00"},"s":"I", "c":"NETWORK", "id":22944, "ctx":"conn15","msg":"Connection ended","attr":{"remote":"127.0.0.1:38934","connectionId":15,"connectionCount":0}}
What is surprising is the "No SSL certificate provided by peer" message. Of course, that's is true (I mean, mongo shell connection is not sending any certificate to the MongoDB server) but as far as I understand the --tlsAllowConnectionsWithoutCertificates should allow this kind of certificate-less connections.
Probably I'm doing something wrong, but I don't know what it is :) Any help is really welcomed!
Probably I'm doing something wrong, but I don't know what it is :)
You are experiencing the full informativeness of OpenSSL diagnostic messages.
The client and the server both validate the certificates of the other side, by default. You configured the server to not validate the client's certificate. The error is coming from the shell after it tries to validate the server's certificate and cannot follow the server cert to a known CA cert. This is reported as "self-signed certificate in certificate chain" which is true but misleading (the shell would be very capable of accepting the server's certificate if you gave it the CA cert which is self-signed).
The server log tells you the client hasn't provided the certificate, which is true and normal for your configuration, but the connection close is initiated by the client (shell). There isn't a server problem there. See also this and this.
I am trying to test a mongoDB installation with self signed certificates. I followed the instructions in the mongoDB documentation for creating the 'pem' files using the copy links on each page:
Appendix A - OpenSSL CA Certificate for Testing
Appendix B - OpenSSL Server Certificates for Testing
Appendix C - OpenSSL Client Certificates for Testing
I updated the /etc/mongod.conf as such:
# network interfaces
net:
port: 27017
bindIp: 0.0.0.0
tls:
mode: requireTLS
certificateKeyFile: /etc/ssl/mongodb/test-server1.pem
allowConnectionsWithoutCertificates: true
allowInvalidHostnames: true
allowInvalidCertificates: true
CAFile: /etc/ssl/mongodb/mongodb-test-ca.crt
Originally I did not have the 'allow' option, but they do not make a difference so I am leaving the in for now.
Running the mongodb shell results in this error:
root#ip-10-0-3-61:~/mongo-cert# mongo --tls --tlsCertificateKeyFile test-client.pem
MongoDB shell version v4.2.5
connecting to: mongodb://127.0.0.1:27017/?compressors=disabled&gssapiServiceName=mongodb
2020-04-17T17:07:25.809+0000 E NETWORK [js] SSL peer certificate validation failed: self signed certificate in certificate chain
2020-04-17T17:07:25.810+0000 E QUERY [js] Error: couldn't connect to server 127.0.0.1:27017, connection attempt failed: SSLHandshakeFailed: SSL peer certificate validation failed: self signed certificate in certificate chain :
connect#src/mongo/shell/mongo.js:341:17
#(connect):2:6
2020-04-17T17:07:25.812+0000 F - [main] exception: connect failed
2020-04-17T17:07:25.812+0000 E - [main] exiting with code 1
root#ip-10-0-3-61:~/mongo-cert#
If I add the '--tlsAllowInvalidCertificates' in the command it works:
root#ip-10-0-3-61:~/mongo-cert# mongo --tls --tlsCertificateKeyFile test-client.pem --tlsAllowInvalidCertificates
MongoDB shell version v4.2.5
connecting to: mongodb://127.0.0.1:27017/?compressors=disabled&gssapiServiceName=mongodb
2020-04-17T17:09:18.934+0000 W NETWORK [js] SSL peer certificate validation failed: self signed certificate in certificate chain
Implicit session: session { "id" : UUID("3b0d0920-931d-4143-a8a2-afde432c1444") }
MongoDB server version: 4.2.5
>
I have read other people who have followed the mongodb instructions successfully.
I just do not understand what I have done wrong.
You need to provide the CA file to mongo also (the --tlsCAFile option), in addition to the client certificate.
When full verification is enabled with TLS both server and client validate the other's certificate. This means both must have access to the CA cert used for signing the leaf certs.
I have a problem on MongoDB for using the SSL mode.
When I trying to connect on my database, I have this error.
mongo --ssl --sslCAFile /etc/ssl/certs/GandiStandardSSLCA2.pem --host plip.plop.com
MongoDB shell version: 3.0.6
connecting to: plip.plop.com:27017/test
2015-10-16T10:24:23.122+0000 E NETWORK SSL peer certificate validation failed:certificate not trusted
2015-10-16T10:24:23.126+0000 E QUERY Error: socket exception [CONNECT_ERROR] for
at connect (src/mongo/shell/mongo.js:181:14)
at (connect):1:6 at src/mongo/shell/mongo.js:181
my server respond:
2015-10-16T10:26:53.034+0000 I NETWORK [initandlisten] connection accepted from 172.17.0.227:48786 #1 (1 connection now open)
2015-10-16T10:26:53.046+0000 W NETWORK [conn1] no SSL certificate provided by peer
2015-10-16T10:26:53.046+0000 I NETWORK [conn1] end connection 172.17.0.227:48786 (0 connections now open)
( In can connect to my db if I use the flag --sslAllowInvalidCertificates )
So now, how I do that:
I have added SSL cert with this code:
cp wildcart.plop.com.crt /etc/ssl/certs/wildcart.plop.com.crt
cp wildcart.plop.com.key /etc/ssl/private/wildcart.plop.com.key
cp GandiStandardSSLCA2.pem /usr/local/share/ca-certificates/gandi.net /GandiStandardSSLCA2.crt # come from https://wiki.gandi.net/en/ssl/intermediate
cat /etc/ssl/private/wildcart.plop.com.key /etc/ssl/certs/wildcart.plop.com.crt > /etc/ssl/certs/mongodb.pem
rm /etc/ssl/private/wildcart.plop.com.key /etc/ssl/certs/wildcart.plop.com.crt
update-ca-certificates
c_rehash
and my mongodb is start with this line mongod --replSet plop --config /etc/mongodb/mongod
/etc/mongodb/mongod content:
net:
ssl:
mode: requireSSL
PEMKeyFile: /etc/ssl/certs/mongodb.pem
CAFile: /etc/ssl/certs/GandiStandardSSLCA2.pem
allowConnectionsWithoutCertificates: true
So can you help me on this problem ? I don't understand why my certificate isn't trusted.
Do you have any idea on that ?
Thanks in advance for your help.
PS: Sorry for my english, I'm not totally fluent in english :D
Mongodb doesn't use the system's global trust store.
The sslCAFile must contains all intermediary certificates of the verification chain.
In my case the certificate chain is like that:
Certificate chain
0 s:/OU=Domain Control Validated/OU=Gandi Standard Wildcard SSL/CN=*.plop.com
i:/C=FR/ST=Paris/L=Paris/O=Gandi/CN=Gandi Standard SSL CA 2
1 s:/C=FR/ST=Paris/L=Paris/O=Gandi/CN=Gandi Standard SSL CA 2
i:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
2 s:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
So you need to concat Gandi intermediary certificates with AddTrust External CA Root intermediary certificates.
cat /etc/ssl/certs/GandiStandardSSLCA2.pem /ets/ssl/certs/AddTrust_External_Root.pem > /ets/ssl/certs/GandiStandardSSLCA2_full.pem
mongo --ssl --sslCAFile /ets/ssl/certs/GandiStandardSSLCA2_full.pem --host plip.plop.com
Enjoy