I have my mongod.conf file as follows:
systemLog:
  destination: file
  logAppend: true
  path: /home/abc/mongoDB/log/mongod.log

# Where and how to store data.
storage:
  dbPath: /home/abc/mongoDB/data/db
  journal:
    enabled: true

processManagement:
  fork: true
  pidFilePath: /home/abc/mongoDB/mongod.pid

# network interfaces
net:
  port: 27018
  bindIp: 127.0.0.1
  ssl:
    mode: requireSSL
    PEMKeyFile: /home/abc/mongodb.pem
I have made sure the .pem file is located in the path I mentioned above.
I'm trying to run an instance of mongodb reading the .conf file with the following command:
mongod -f /home/abc/mongoDB/mongod.conf
It was working fine until I tried to include SSL, but now I'm getting the following message:
[abc@abc ~]$ mongod -f /home/abc/mongoDB/mongod.conf
Unrecognized option: security.sslPEMKeyfile
try 'mongod --help' for more information
I created the .pem file with openssl as follows:
openssl req -new -x509 -days 365 -out mongodb-cert.crt -keyout mongodb-cert.key
and then merged the files with :
cat mongodb-cert.key mongodb-cert.crt > mongodb.pem
Could anyone help what I did wrong here?
My approach was based on this.
The following configuration worked for me:
net:
  port: 27018
  bindIp: 127.0.0.1  # Listen to local interface only, comment to listen on all interfaces.
  ssl:
    mode: requireSSL
    PEMKeyFile: /home/abc/mongodb.pem
    PEMKeyPassword: password
    CAFile: /home/abc/client.pem
more info here
I am facing this error on my ubuntu 16.04 machine while trying to encrypt data from the client to the server using TLS/SSL on Mongodb:
As requested, here is my command in text format:
mongo --tls --tlsCAFile rootCA.pem --tlsCertificateKeyFile mongodb.pem --host 127.0.0.1:27017
I have created a CA certificate which I have self-signed, and created the mongodb.pem file too as it is required for tls/ssl encryption.
Does anybody know how to fix it? If you need more info I would gladly provide it.
This is my mongodb.conf file:
# mongod.conf

# for documentation of all options, see:
#   http://docs.mongodb.org/manual/reference/configuration-options/

# Where and how to store data.
storage:
  dbPath: /var/lib/mongodb
  journal:
    enabled: true
#  engine:
#  mmapv1:
#  wiredTiger:

# where to write logging data.
systemLog:
  destination: file
  logAppend: true
  path: /var/log/mongodb/mongod.log

# network interfaces
net:
  port: 27017
  bindIp: 127.0.0.1
  tls :
    mode : requireTLS
    certificateKeyFile : /home/youssef/mongodb.pem

# how the process runs
processManagement:
  timeZoneInfo: /usr/share/zoneinfo

#security:

#operationProfiling:

#replication:

#sharding:

## Enterprise-Only Options:

#auditLog:

#snmp:
And I used this method to create a user:
db.createUser( { user: "accountAdmin01",
                 pwd: "password",  // Or "<cleartext password>"
                 roles: [ { role: "clusterAdmin", db: "admin" } ] } )
This is the error I get from the logs:
"msg":"Error receiving request from client. Ending connection from remote","attr":{"error":{"code":141,"codeName":"SSLHandshakeFailed","errmsg":"SSL handshake received but server is started without SSL support"},"remote":"127.0.0.1:34766","connectionId":4}}
And just in case you are wondering where I got the rootCA.pem and mongodb.pem files, I just went through this tutorial: https://rajanmaharjan.medium.com/secure-your-mongodb-connections-ssl-tls-92e2addb3c89
According to your config file and createUser, you use the TLS/SSL certificate only to encrypt the connection. In this case, skip the --tlsCertificateKeyFile mongodb.pem option.
The MongoDB server provides the certificate (mongodb.pem); the client has to verify this certificate by using the CA rootCA.pem.
If you like to use --tlsCertificateKeyFile, then you must specify the CAFile in mongodb.conf. Otherwise the MongoDB server cannot verify the certificate provided from the client:
net:
  port: 27017
  bindIp: 127.0.0.1
  tls :
    mode : requireTLS
    certificateKeyFile : /home/youssef/mongodb.pem
    CAFile: /etc/ssl/rootCA.pem
    allowConnectionsWithoutCertificates: true  # if you like to permit connections with and without certificate
Note, try openssl verify -CAfile rootCA.pem mongodb.pem in order to check if your certificate is working and valid.
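The checks in this answer (a CAFile is needed before a client may present a certificate) and the net.ssl block in the first question and its answer can be turned into a small linter. The following is an added example, my code rather than anything from the questions or answers above. It assumes only the plain key: value layout of mongod.conf, knows just the handful of net.ssl / net.tls options discussed on this page, and the three sample configurations are constructed from the snippets posted here.

```python
"""Lint the TLS section of a mongod.conf.

Added example, not code from this page: a small parser for the 'key: value'
subset of YAML that mongod.conf uses, plus checks on net.ssl / net.tls for the
mistakes the page discusses (mode spelled for the wrong section, unknown key,
missing key file, missing CAFile while clients are sending certificates).
"""
from __future__ import annotations

# net.ssl names (before MongoDB 4.2) mapped to the net.tls names used from 4.2 on.
LEGACY_TO_TLS = {
    "mode": "mode",
    "PEMKeyFile": "certificateKeyFile",
    "PEMKeyPassword": "certificateKeyFilePassword",
    "CAFile": "CAFile",
    "allowConnectionsWithoutCertificates": "allowConnectionsWithoutCertificates",
}
SSL_MODES = {"disabled", "allowSSL", "preferSSL", "requireSSL"}
TLS_MODES = {"disabled", "allowTLS", "preferTLS", "requireTLS"}


def parse_conf(text: str) -> dict:
    """Parse nested 'key: value' mappings by indentation; comments, quoted
    scalars and a space before the colon ('tls :') are tolerated."""
    root: dict = {}
    stack: list[tuple[int, dict]] = [(-1, root)]  # (indent, mapping)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        key, value = key.strip(), value.strip().strip('"')
        while indent <= stack[-1][0]:  # climb back to the enclosing mapping
            stack.pop()
        parent = stack[-1][1]
        if value:
            parent[key] = value
        else:  # a key without a value opens a nested mapping
            child: dict = {}
            parent[key] = child
            stack.append((indent, child))
    return root


def lint_tls(conf: dict) -> list[str]:
    """Return 'LEVEL: message' findings for the net.ssl / net.tls section."""
    findings: list[str] = []
    net = conf.get("net") or {}
    ssl, tls = net.get("ssl"), net.get("tls")
    if ssl is not None and tls is not None:
        return ["ERROR: both net.ssl and net.tls are present; keep one section"]
    if ssl is None and tls is None:
        return ["WARN: no net.tls section; client connections are not encrypted"]
    legacy = ssl is not None
    name, raw = ("net.ssl", ssl) if legacy else ("net.tls", tls)
    if not isinstance(raw, dict):
        return [f"ERROR: {name} must be a mapping of options, got {raw!r}"]
    # Normalise to the net.tls spellings so one set of checks serves both sections.
    known = set(LEGACY_TO_TLS) if legacy else set(LEGACY_TO_TLS.values())
    opts: dict = {}
    for key, value in raw.items():
        if key not in known:
            findings.append(f"ERROR: {name}.{key} is not a {name} option known to this linter")
            continue
        opts[LEGACY_TO_TLS.get(key, key)] = value
    mode = opts.get("mode", "disabled")
    if mode not in (SSL_MODES if legacy else TLS_MODES):
        findings.append(f"ERROR: {name}.mode={mode!r} is not valid for {name}")
    elif mode == "disabled":
        return findings + [f"WARN: {name}.mode is disabled (the default); other TLS options have no effect"]
    if "certificateKeyFile" not in opts:
        findings.append(f"ERROR: {name} has no server key/certificate file (PEMKeyFile or certificateKeyFile)")
    if "CAFile" not in opts:
        findings.append("WARN: no CAFile, so the server cannot verify client certificates; "
                        "clients must connect without --tlsCertificateKeyFile")
    elif opts.get("allowConnectionsWithoutCertificates", "false").lower() != "true":
        findings.append("INFO: CAFile set and allowConnectionsWithoutCertificates not true; "
                        "every client must present a certificate signed by that CA")
    return findings


# Constructed inputs modelled on the configurations posted on this page.
CONF_NO_CA = """\
net:
  tls :
    mode : requireTLS
    certificateKeyFile : /home/youssef/mongodb.pem
"""
CONF_WITH_CA = """\
net:
  ssl:
    mode: requireSSL
    PEMKeyFile: /home/abc/mongodb.pem
    CAFile: /home/abc/client.pem  # CA that signed the client certificates
    allowConnectionsWithoutCertificates: true
"""
CONF_WRONG_MODE = """\
net:
  tls:
    mode: requireSSL  # net.ssl spelling inside the net.tls section
    PEMKeyFile: /etc/ssl/server.pem
"""

if __name__ == "__main__":
    for label, text in (("no CA", CONF_NO_CA), ("with CA", CONF_WITH_CA), ("wrong mode", CONF_WRONG_MODE)):
        print(label, "->", lint_tls(parse_conf(text)) or ["OK"])
```

Running it prints the findings per sample: the net.tls configuration without CAFile gets the single warning that matches this answer, the net.ssl configuration with CAFile and allowConnectionsWithoutCertificates passes, and the one that uses requireSSL and PEMKeyFile under net.tls is flagged on both keys, the same class of mistake that mongod itself reports as an unrecognized option at start-up.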
My mongod server runs on IP 67.219.110.71 and the default port 27017.
Below is the command to start mongod:
mongod --dbpath /data/db --fork --logpath /dev/null
After logging in to the Linux server 67.219.110.71 I'm able to telnet successfully like below:
telnet localhost 27017 ----> SUCCESS
However, when I telnet using the IP address it does not connect; from the same host 67.219.110.71 or from a remote host, both fail:
telnet 67.219.110.71 27017 ----> FAILS
Note:
I have restarted the mongod service several times and after any configuration change.
Port 27010 was opened on the firewall using the firewall-cmd command.
I'm able to connect on the ssh port: telnet 67.219.110.71 22 ----> SUCCESS
Below is my mongod configuration file /etc/mongod.conf:
# mongod.conf

# where to write logging data.
systemLog:
  destination: file
  logAppend: true
  path: /var/log/mongodb/mongod.log

# Where and how to store data.
storage:
  dbPath: /var/lib/mongo
  journal:
    enabled: true

# how the process runs
processManagement:
  fork: true  # fork and run in background
  pidFilePath: /var/run/mongodb/mongod.pid  # location of pidfile
  timeZoneInfo: /usr/share/zoneinfo

# network interfaces
net:
  port: 27017
  bindIp: 127.0.0.1,67.219.110.71,0.0.0.0,::  # Enter 0.0.0.0,:: to bind to all IPv4 and IPv6 addresses or, alternatively, use the net.bindIpAll setting.
  # bindIpAll: true
  # bindIp: 0.0.0.0

security:
  authorization: "enabled"
Can you please suggest?
So this is the weirdest thing.
I have two centOS 7 servers running mongo. I now wanted to enforce authentication so I added the security.authorization: enabled to the mongod.conf file.
I already have a user on database "buzzztv".
So when I ran mongod --conf /etc/mongod.conf on the first server everything went fine.
Then I did the exact same thing on the second server and whenever I try to connect with one of the users I get the following error:
connecting to: mongodb://127.0.0.1:27017/?authSource=buzzztv&compressors=disabled&gssapiServiceName=mongodb
2020-02-20T13:02:35.166+0000 E QUERY [js] Error: Authentication failed. :
connect@src/mongo/shell/mongo.js:341:17
@(connect):2:6
2020-02-20T13:02:35.168+0000 F - [main] exception: connect failed
2020-02-20T13:02:35.168+0000 E - [main] exiting with code 1
Now if I run mongod --fork --logpath /var/log/mongodb/mongod.log --auth the login works perfectly fine.
So obviously I could just run this command, but I want to use the mongod.conf.
Here is my mongod.conf file; I checked and it is a perfect copy of the file from the server on which it does work.
Any ideas?
# mongod.conf

# for documentation of all options, see:
#   http://docs.mongodb.org/manual/reference/configuration-options/

# where to write logging data.
systemLog:
  destination: file
  logAppend: true
  path: /var/log/mongodb/mongod.log

# Where and how to store data.
storage:
  dbPath: /var/lib/mongo
  journal:
    enabled: true
#  engine:
#  wiredTiger:

# how the process runs
processManagement:
  fork: true  # fork and run in background
  pidFilePath: /var/run/mongodb/mongod.pid  # location of pidfile
  timeZoneInfo: /usr/share/zoneinfo

# network interfaces
net:
  port: 27017
  bindIp: 0.0.0.0  # 127.0.0.1 # Enter 0.0.0.0,:: to bind to all IPv4 and IPv6 addresses or, alternatively, use the net.bindIpAll setting.

security:
  authorization: enabled

#operationProfiling:

#replication:

#sharding:

## Enterprise-Only Options

#auditLog:

#snmp:
So after several hurtful hours of looking into it, I needed to change the
storage:
  dbPath: /var/lib/mongo
  journal:
    enabled: true
Apparently something was wrong with my /var/lib/mongo so I backed up the data, and created a new folder /var/lib/mongodb
Then edited the mongod.conf file to:
storage:
  dbPath: /var/lib/mongodb
  journal:
    enabled: true
Then it all worked fine. Now I'll just re-create the users and re-insert all the data and I'm good to go.
Hope this saves someone the wasteful hours I've lost.
I have mongo 3.4 and I have generated my pem files for client and server, and the command below starts my mongoDB:
sudo mongod --port 27017 --dbpath /var/lib/mongodb --sslMode requireSSL --sslPEMKeyFile /etc/ssl/mongo_ssl/server.pem
I am able to connect to the DB with the following command:
mongo --ssl --sslPEMKeyFile client.pem --sslCAFile ca.cert --host akshay.abc.com
I have used the below command to generate my certs:
openssl req -newkey rsa:2048 -new -sha256 -out server.csr -keyout server.key -subj "/C=IN/ST=DELHI/L=DELHI/O=MongoDB/OU=demoservers/CN=akshay.abc.com" -nodes
Below is my mongod.conf file:
# for documentation of all options, see:
#   http://docs.mongodb.org/manual/reference/configuration-options/

# Where and how to store data.
storage:
  dbPath: /var/lib/mongodb
  journal:
    enabled: true
#  engine:
#  mmapv1:
#  wiredTiger:

# where to write logging data.
systemLog:
  destination: file
  logAppend: true
  path: /var/log/mongodb/mongod.log

# network interfaces
net:
  port: 27017
  bindIp: 127.0.0.1
  ssl:
    mode: requireSSL
    PEMKeyFile: /etc/ssl/mongo_ssl/server.pem
    CAFile: /etc/ssl/mongo_ssl/client.pem

#processManagement:
The service is running fine, but when I now connect to it with the mongo command I used earlier it gives me the error below:
2019-07-04T10:32:24.249+0000 W NETWORK [thread1] Failed to connect to a.b.c.d:27017, in(checking socket for error after poll), reason: Connection refused
2019-07-04T10:32:24.249+0000 E QUERY [thread1] Error: couldn't connect to server akshay.abc.com:27017, connection attempt failed :
connect@src/mongo/shell/mongo.js:240:13
@(connect):1:6
exception: connect failed
Can anyone point me in the right direction?
I was running mongo 3.4 on centOS. It was using authorization. I needed to upgrade it to mongo 3.6. I upgraded it and now I'm not able to connect it through any means remotely. Neither with the shell nor with the node server itself.
Here is the mongoose connection.
const mongoose = require('mongoose');
const uri = 'mongodb://admin:12345@host:27017/db?authSource=admin';
mongoose.connect(uri);
Here is mongod.conf
# where to write logging data.
systemLog:
  destination: file
  logAppend: true
  path: /var/log/mongodb/mongod.log

# Where and how to store data.
storage:
  dbPath: /var/lib/mongo
  journal:
    enabled: true
#  engine:
#  mmapv1:
#  wiredTiger:

# how the process runs
processManagement:
  fork: true  # fork and run in background
  pidFilePath: /var/run/mongodb/mongod.pid  # location of pidfile

# network interfaces
net:
  port: 27017
  # bindIp: 127.0.0.1  # Listen to local interface only, comment to listen on all interfaces.

security:
  authorization: enabled

#operationProfiling:

#replication:

#sharding:

## Enterprise-Only Options

#auditLog:

#snmp:
Probably the upgrade was not successful, and the restart of the mongod service failed.
View the logs in /var/log/mongodb/mongod.log and check for any inconsistency in the mongod.conf.
Check if the service is up and if it is listening on port 27017.
service mongod status
netstat -tl | grep 27017 # or using the ss command
ss -tl | grep 27017
From the official documentation:
Starting in MongoDB 3.6, mongod and mongos instances bind to localhost by default. Remote clients cannot connect to an instance bound only to localhost. To override and bind to other ip addresses, use the net.bindIp configuration file setting or the --bind_ip command-line option to specify a list of ip addresses.
Try the following setting to enable the service to listen on all the interfaces:
net:
  port: 27017
  bindIp: 0.0.0.0