Getting mongodump and mongorestore work with security quite troublesome.
I have mongod v3.4.1 with requireSSL running at 192.168.99.100. It is IP address of VirtualBox docker machine running on my Windows. It is just for testing of-cause.
The instance already configured to use TLS/SSL both server and client signed with the same CA. I use the IP address for mongod Common Name to allow hostname validation. The authentication already enabled to accept my client certificate.
So everything is working. I can connect to it like this:
mongo --ssl --host 192.168.99.100 --sslCAFile rootCA.pem --sslPEMKeyFile me.pem
but now I can't get both mongodump and mongorestore working:
mongodump --ssl --host 192.168.99.100 --sslCAFile rootCA.pem --sslPEMKeyFile me.pem -d olddb
mongorestore --ssl --host 192.168.99.100 --sslCAFile rootCA.pem --sslPEMKeyFile me.pem -d newdb --dir=dump/olddb
Both return this error:
2017-01-13T04:28:03.881+0800 Failed: error connecting to db server: no reachable servers, openssl error: Host validation error
I have been trying to turn off client certificate, use username/password but still did not work. I need to remove the SSL in order to make it work.
That means I can only use preferSSL in production.
There is no way to bypass SSL in localhost if I stick with requireSSL.
Anyone getting the same error? Is it a known issue?
Add this option to the command-line:
--sslAllowInvalidHostnames
Full connection sample:
mongo --host 192.168.99.100 --username luke
--password skywalker --authenticationDatabase admin --ssl --sslCAFile rootCA.pem --sslPEMKeyFile me.pem --sslAllowInvalidHostnames
First check your logs at path /var/log/mongodb/mongod.log
Also there is default path of SSL Certificates. And for unix based systems given an SSL certificate located at /etc/ssl/mongodb.pem
As per my understanding for this problem, i would say certificate path needs to be checked. SSL certificate is not located in your windows environment. Try adding full path of certificate.
Also look into this https://docs.mongodb.com/manual/tutorial/configure-ssl-clients/
Happy coding
Related
i am getting issue while getting mongodump . i have mongodb 4.4 having ssl/Tls enabled for server side as well as for client.
but while taking dump getting the following Error:
2021-03-11T15:57:55.639+0530 Failed: can't create session: error configuring the connector: error configuring client, can't load client certificate: tls: private key type does not match public key type
although i am able to login with mongo shell.
mongo -u ms -p --authenticationDatabase "admin" --tls --tlsCAFile /etc/mongodb/ssl/ca-mongo.crt --tlsCertificateKeyFile /etc/mongodb/ssl/host1.pem --host host1
Add --tlsAllowInvalidHostnames to the command. It disables the validation of the hostnames
Full command
mongo -u ms -p --authenticationDatabase "admin" --tlsAllowInvalidHostnames --tls --tlsCAFile /etc/mongodb/ssl/ca-mongo.crt --tlsCertificateKeyFile /etc/mongodb/ssl/host1.pem --host host1
https://docs.mongodb.com/manual/reference/program/mongo/#cmdoption-mongo-tlsallowinvalidhostnames
If you are using version 4.2 or below then you have to use --sslAllowInvalidHostnames. https://docs.mongodb.com/manual/reference/program/mongo/#cmdoption-mongo-tlsallowinvalidhostnames
In the recent light of events of the MongoDB hacks. we too were hit by the hackers.
We enabled the authorization and changed the default port of the server.
However we want to encrypt our communication channel with the server with the help of a self signed certificate.
so our configuration looks like below
tls:
mode: requireTLS
allowConnectionsWithoutCertificates: false
certificateKeyFile: /etc/ssl/server.pem
CAFile: /etc/ssl/ca.crt
what happens is when I try to connect the mongoshell with the client certificate the connection is constantly denied. But after commenting the CAFile config and using --tlsAllowInavlidCertificates the connection is created.
I created the certificate with the following link:
https://gist.github.com/kevinadi/96090f6f9973ff8c2d019bbe0d9a0f70
To connect to the server I'm using the following command:
mongo --host hostname --username user --password password --authenticationDatabase admin --port port --tls --tlsCertificateKeyFile client.pem --tlsCAFile ca.crt
I dont know what I'm doing wrong and is this the correct way to do it even?
The server log contains reasons why connections are rejected.
I am trying to connect to a mongodb service hosted on IBM Cloud following this instructions.
When I run the following command
mongo -u $USERNAME -p $PASSWORD --ssl --sslCAFile c5f07836-d94c-11e8-a2e9-62ec2ed68f84 --authenticationDatabase admin --host replset/bdb98a3ac10-0.b8a5e798d2d04f2e860d042c915.databases.appdomain.cloud:30484,bd576-96db98a3ac10-1.b8a5e4e5d042c915.databases.appdomain.cloud:30484
I get this error on macOs, while on Windows 10 the connection is correctly estiblished:
SSL peer certificate validation failed: Certificate trust failure:
Invalid Extended Key Usage for policy; connection rejected
If I connect via MongoDB Compass instead of using the terminal the connection works
I had to add --sslAllowInvalidCertificates flag
https://docs.mongodb.com/manual/reference/configuration-options/#net.ssl.allowConnectionsWithoutCertificates
I have a database in www.myweb.io, which has SSL. The version of mongo is 2.6.12 in the server: the version of mongo in local is 3.4.1. I want to dump it into my local machine, modify it, and then restore back.
I tried
mongodump --host www.myweb.io --port 22 --username myname --password "mypassword"
and it gave me an error:
2017-11-20T20:57:07.775+0100 Failed: error connecting to db server: no reachable servers
Does anyone know what host and post I should set?
PS: in my localhost, I can use the following setting in Robo 3T to connect to the database:
1) under Connection, specify localhost:27017
2) under SSH, check Use SSH tunnel, specify xxx.xx.xx.xx:22 as SSH Address
In /etc/nginx/sites-enabled/myweb.io, there is listen 443 ssl.
you are not connecting via SSL or TLS to the database.
Use an ssh tunnel to establish a connection to your mongodb
ssh -N -L 27018:localhost:27017 user#www.myweb.io
you can specify -f to let ssh go in the background
Verify that the tunnel is working
Using mongodb
mongo --port 27018
Or telnet
telnet localhost 27018
dumping the database
mongodump --host 127.0.0.1 --port 27018 --db <dbName>
restore it somewhere, do your modifications
dump your local modifications
reapply the local modifications remote for example with mongorestore or mongoimport
I have a mongodb server v 3.2 configured to use ssl for client connections, with a custom-generated certificate.
I can connect to the server using mongo.exe with the following format:
C:\mongodb\bin>mongo.exe myhost:27017/mydb --sslPEMKeyFile
C:\etc\ssl\mongodb.pem --ssl --username myuser --password mypassword
--sslAllowInvalidCertificates
Is it possible to write an equal mongodb connection string (mongodb://....)?
According to the documentation, there is the only ssl parameter, that seems to be not enough.
Could you try to connect to mongo.exe with the parameter like below:
"mongodb://myuser:mypassword#myhost:27017/mydb?ssl=true&sslAllowInvalidCertificates=true&sslPEMKeyFile=C:/etc/ssl/mongodb.pem"
This works:
mongo --host server --ssl --sslCAFile C:\Path\mongodb-server.pem
--sslPEMKeyFile C:\Path\mongodb-client.pem --sslPEMKeyPassword
password -u user -p --authenticationDatabase admin