Enabling mongodb auth - mongodb

I have an install of Ubuntu 14.04 x64. The only thing I have done to it is a fresh update and installing mongodb and pritunl. Here is how I installed both:
$ nano /etc/apt/sources.list.d/mongodb-org-3.0.list
deb http://repo.mongodb.org/apt/ubuntu trusty/mongodb-org/3.0 multiverse
$ nano /etc/apt/sources.list.d/pritunl.list
deb http://repo.pritunl.com/stable/apt trusty main
$ apt-key adv --keyserver hkp://keyserver.ubuntu.com --recv 7F0CEB10
$ apt-key adv --keyserver hkp://keyserver.ubuntu.com --recv CF8E292A
$ apt-get update
$ apt-get install pritunl mongodb-org
$ service pritunl start
Now I would like to enable auth on mongodb 3.0.9. For this I have used the guide here:
https://medium.com/#matteocontrini/how-to-setup-auth-in-mongodb-3-0-properly-86b60aeef7e8#.a1nfxsy3a
After I create the first user and I
security:
  authorization: enabled
I run into problems: I can't make any connection from localhost. Here is the error I receive:
~# mongo pritunl --port 27017 -u admin -p passwordhere --authenticationDatabase admin
MongoDB shell version: 3.0.9
connecting to: 127.0.0.1:27017/pritunl
2016-02-08T00:18:54.096-0500 W NETWORK Failed to connect to 127.0.0.1:27017, reason: errno:111 Connection refused
2016-02-08T00:18:54.098-0500 E QUERY Error: couldn't connect to server 127.0.0.1:27017 (127.0.0.1), connection attempt failed
at connect (src/mongo/shell/mongo.js:181:14)
at (connect):1:6 at src/mongo/shell/mongo.js:181
exception: connect failed
Or attempting to connect to admin
~# mongo admin --port 27017 -u admin -p password --authenticationDatabase admin
MongoDB shell version: 3.0.9
connecting to: 127.0.0.1:27017/admin
2016-02-07T09:54:09.436-0500 W NETWORK Failed to connect to 127.0.0.1:27017, reason: errno:111 Connection refused
2016-02-07T09:54:09.438-0500 E QUERY Error: couldn't connect to server 127.0.0.1:27017 (127.0.0.1), connection attempt failed
at connect (src/mongo/shell/mongo.js:181:14)
at (connect):1:6 at src/mongo/shell/mongo.js:181
exception: connect failed
Or any other way I try to make a connection. I feel like I am missing something simple. I thought maybe I was screwing up the user creation, so I have tried using the http://3t.io/mongochef/ GUI to take my potential typing errors out of the user creation.
I have been fighting this for a few days and wearing Google out but not getting traction. At this point I am willing to pay for some help in figuring out what I'm messing up, but I would like to know how to fix it so I have the knowledge of how to implement basic security. I can pay with bitcoin.
# mongod.conf
# for documentation of all options, see:
# http://docs.mongodb.org/manual/reference/configuration-options/
# Where and how to store data.
storage:
  dbPath: /var/lib/mongodb
  journal:
    enabled: true
# engine:
# mmapv1:
# wiredTiger:
# where to write logging data.
systemLog:
  destination: file
  logAppend: true
  path: /var/log/mongodb/mongod.log
# network interfaces
net:
  port: 27017
  bindIp: 127.0.0.1
#processManagement:
security:
  authorization: enabled
#operationProfiling:
#replication:
#sharding:
## Enterprise-Only Options:
#auditLog:
#snmp:

Related

Connect to mongodb with TLS

Windows version : 10
Mongodb version : 6.0.2
Tools : mongosh
Hello, I am trying to set up mongodb with TLS and accessing the mongodb instance through mongosh using client certificate.
I followed the steps mentioned here: https://www.mongodb.com/docs/manual/core/security-transport-encryption/ to configure the mongod with TLS.
The configuration is successful and I can successfully start mongodb using below command :
mongod --tlsMode requireTLS --tlsCertificateKeyFile C:\OpenSSL\openssl-0.9.8k_X64\bin\test-server1.pem
my mongod.cfg has the below settings for network:
# network interfaces
net:
  port: 27017
  bindIp: 127.0.0.1
  tls:
    mode: requireTLS
    tlsCertificateKeyFile: C:\OpenSSL\openssl-0.9.8k_X64\bin\test-server1.pem
My issue is when trying to connect through mongosh, I am getting below error:
Connecting to: mongodb://localhost:27017/?directConnection=true&serverSelectionTimeoutMS=2000&tls=true&tlsCertificateKeyFile=C%3A%5COpenSSL%5Copenssl-0.9.8k_X64%5Cbin%5Ctest-client.pem&tlsCAFile=C%3A%5COpenSSL%5Copenssl-0.9.8k_X64%5Cbin%5Ctest-ca.pem&appName=mongosh+1.6.0
MongoServerSelectionError: read ECONNRESET
I used steps on
https://www.mongodb.com/docs/manual/appendix/security/appendixC-openssl-client/#std-label-appendix-client-certificate to generate client certificate above.
Server certificate was generated following these steps :
https://www.mongodb.com/docs/manual/appendix/security/appendixB-openssl-server/#std-label-appendix-server-certificate
The message
MongoServerSelectionError: read ECONNRESET
is not giving any value in understanding the error. I understand it's an openssl error, but why I am getting this error is unclear.
Any help will be appreciated.
I had the following error in log.
{"error":{"code":141,"codeName":"SSLHandshakeFailed","errmsg":"SSL handshake received but server is started without SSL}
I started mongodb again with the new tls config and now it's OK. Thanks
mongod --tlsMode requireTLS --tlsCertificateKeyFile C:\OpenSSL\openssl-0.9.8k_X64\bin\test-server1.pem
mongosh --tls --host localhost --tlsCertificateKeyFile C:\OpenSSL\openssl-0.9.8k_X64\bin\test-client.pem --tlsCAFile C:\OpenSSL\openssl-0.9.8k_X64\bin\test-ca.pem
We can also store the tls options in the config file
net:
  port: 27017
  bindIp: 127.0.0.1
  tls:
    mode: requireTLS
    certificateKeyFile: C:\OpenSSL\openssl-0.9.8k_X64\bin\test-server1.pem
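Added example (not from either thread above): a triage helper that maps the error texts quoted on this page to the layer that failed, so that a daemon that is not listening is not mistaken for a credential or certificate problem. The function names and category labels are hypothetical, and the authentication-failure sample is constructed.

```shell
#!/bin/sh
# Added example: name the layer that failed from MongoDB client/server error text.

classify_mongo_error() {
  # Reads error text on stdin, prints one category. Specific patterns come first.
  text=$(cat)
  case $text in
    *"server is started without SSL"*)          echo server-without-tls ;;
    *"unable to get local issuer certificate"*) echo untrusted-issuer ;;
    *"Authentication failed"*)                  echo auth-failed ;;
    *"errno:111"*|*"Connection refused"*)       echo transport-refused ;;
    *ECONNRESET*)                               echo connection-reset ;;
    *)                                          echo unknown ;;
  esac
}

next_check() {
  # First thing to look at for each category.
  case $1 in
    transport-refused)  echo "nothing listens on the port: check that mongod is running and read the end of its log" ;;
    connection-reset)   echo "peer dropped the connection: read the server log for the handshake error" ;;
    server-without-tls) echo "client spoke TLS to a plaintext listener: restart mongod with the TLS options" ;;
    untrusted-issuer)   echo "no chain to a trusted CA: give the validating side the issuing CA file" ;;
    auth-failed)        echo "TCP and TLS are fine: check user, password and authentication database" ;;
    *)                  echo "no known pattern: read the full log" ;;
  esac
}

# Message texts copied from this page, except SAMPLE_AUTH, which is constructed.
SAMPLE_REFUSED='W NETWORK Failed to connect to 127.0.0.1:27017, reason: errno:111 Connection refused'
SAMPLE_RESET='MongoServerSelectionError: read ECONNRESET'
SAMPLE_NO_TLS='"codeName":"SSLHandshakeFailed","errmsg":"SSL handshake received but server is started without SSL'
SAMPLE_ISSUER='E NETWORK [thread1] SSL peer certificate validation failed: unable to get local issuer certificate'
SAMPLE_AUTH='E QUERY Error: Authentication failed.'

for sample in "$SAMPLE_REFUSED" "$SAMPLE_RESET" "$SAMPLE_NO_TLS" "$SAMPLE_ISSUER" "$SAMPLE_AUTH"; do
  category=$(printf '%s\n' "$sample" | classify_mongo_error)
  printf '%-18s %s\n' "$category" "$(next_check "$category")"
done
```

Only the `auth-failed` category implicates the user or password; `errno:111` is returned before any authentication exchange takes place.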

MongoDB 3.4 in Ubuntu 20.04

In the production application, we are using MongoDB version 3.4. I have installed Ubuntu 20.04 LTS on my local machine and tried to install Mongo 3.4, and I am banging my head against the wall. Please let me know your thoughts. Here are my steps:
apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv 0C49F3730359A14518585931BC711F9BA15703C6
echo "deb http://repo.mongodb.com/apt/ubuntu "$(lsb_release -sc)"/mongodb-enterprise/3.4 multiverse" | sudo tee /etc/apt/sources.list.d/mongodb-enterprise-3.4.list
sudo apt-get update
sudo apt-get install -y mongodb-org
Well I just did this in a more "handmade way" perhaps...
Downloaded the application from here: https://fastdl.mongodb.org/linux/mongodb-linux-x86_64-3.4.24.tgz
(it is the, let's call it, vanilla version from the mongodb page)
Uncompressed it on /opt:
tar zxf mongodb-linux-x86_64-3.4.24.tgz -C /opt/
Symlink for shorter name:
ln -s /opt/mongodb-linux-x86_64-3.4.24 /opt/mongo
Created the user for mongo:
useradd -r mongod
then added the systemctl command:
echo "[Unit]
Description=High-performance, schema-free document-oriented database
After=network.target
[Service]
User=mongod
ExecStart=/usr/bin/mongod --quiet --config /etc/mongod.conf
[Install]
WantedBy=multi-user.target" > /etc/systemd/system/mongod.service
Reloaded systemctl:
systemctl daemon-reload
Then created the /etc/mongod.conf with the following content:
# mongod.conf
# for documentation of all options, see:
# http://docs.mongodb.org/manual/reference/configuration-options/
# Where and how to store data.
storage:
  dbPath: /opt/mongo/database/
  journal:
    enabled: true
# engine:
# mmapv1:
# wiredTiger:
# where to write logging data.
systemLog:
  destination: file
  logAppend: true
  path: /var/log/mongod.log
# network interfaces
net:
  port: 27017
# bindIp: 127.0.0.1
#processManagement:
#security:
#operationProfiling:
#replication:
# replSetName: "mongodb-keys-replica-set"
#sharding:
## Enterprise-Only Options:
#auditLog:
#snmp:
then start the service:
systemctl start mongod
Adjust the configurations and directory path as needed.
It works. It is a somewhat handmade solution for a legacy version on that Ubuntu version. It won't update with apt-get or related... but it just works as it should.
If it is local, for testing purposes, maybe it's not a bad idea to go with a docker image... but that's just a suggestion, not the answer to your question.
The above answer is correct however don't forget to:
create directories and files, change owner
mkdir /opt/mongo/database
touch /var/log/mongod.log
chown mongod:mongod /var/log/mongod.log
chown -R mongod:mongod /opt/mongodb-linux-x86_64-3.4.24
chown mongod:mongod /opt/mongo
execute as root this part, link to mongo was wrong and should be as below:
echo "[Unit]
Description=High-performance, schema-free document-oriented database
After=network.target
[Service]
User=mongod
ExecStart=/opt/mongo/bin/mongod --quiet --config /etc/mongod.conf
[Install]
WantedBy=multi-user.target" > /etc/systemd/system/mongod.service
There is no easy way for this it seems because the official documentation itself says that for version 3.4, the only supported ubuntu versions are 16.04 and 14.04 (https://docs.mongodb.com/v3.4/tutorial/install-mongodb-on-ubuntu/).
I tried following the above steps by ignivs but encountered this error every time:
Failed to start mongod.service: Unit mongod.service not found.

couldn't run mongo through a script

I'm trying to launch mongo through my script after installing mongodb, but it throws an error. When I try "mongo" from my terminal it works perfectly.
Error when I run mongo from my script :
MongoDB shell version: 3.2.21
connecting to: test
2018-10-11T10:38:32.855+0200 W NETWORK [thread1] Failed to connect to
127.0.0.1:27017, in(checking socket for error after poll), reason:
errno:111 Connection refused
2018-10-11T10:38:32.877+0200 E QUERY [thread1] Error: couldn't
connect to server 127.0.0.1:27017, connection attempt failed :
connect@src/mongo/shell/mongo.js:229:14
@(connect):1:6
exception: connect failed
Here is a part of my script
apt-get install -y mongodb-org
systemctl enable mongod
systemctl start mongod
echo " " >> /etc/mongod.conf
echo "replication:" >> /etc/mongod.conf
echo " oplogSizeMB: 1" >> /etc/mongod.conf
echo " replSetName: rs0" >> /etc/mongod.conf
sed '24d' /etc/mongod.conf
systemctl restart mongod
export LC_ALL=C
mongo --eval "rs.initiate()"
But when I just run the "mongo" command on my terminal it works:
# mongo
MongoDB shell version: 3.2.21
connecting to: test
rs0:OTHER>
What might be the problem, please?
Try with the following line:
/bin/bash -c "mongo --eval \"rs.initiate()\""
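An added example, not part of the question or the answer above: one way to make the posted script robust, assuming the failure comes from `mongo` running before the restarted mongod accepts connections. `wait_until`, `mongod_ready` and `restart_and_initiate` are hypothetical names.

```shell
#!/bin/sh
# Added example: wait for a readiness probe before the first client command.

wait_until() {
  # usage: wait_until <timeout-seconds> <command> [args...]
  # Retries the command once per second; returns 0 on the first success,
  # 1 if it still fails after the timeout.
  timeout=$1; shift
  elapsed=0
  until "$@" >/dev/null 2>&1; do
    [ "$elapsed" -ge "$timeout" ] && return 1
    sleep 1
    elapsed=$((elapsed + 1))
  done
  return 0
}

mongod_ready() {
  # True only when mongod accepts the connection and answers a ping.
  mongo --quiet --eval 'db.runCommand({ ping: 1 }).ok' | grep -q '^1$'
}

restart_and_initiate() {
  # The tail of the script above, with the wait added. Run as root.
  systemctl restart mongod
  if ! wait_until 30 mongod_ready; then
    echo "mongod is not accepting connections after 30s; check its log" >&2
    return 1
  fi
  mongo --quiet --eval 'rs.initiate()'
}

# Stand-alone check of the retry helper with a trivial probe.
wait_until 1 true && echo "probe succeeded"
```

If the wait times out, the daemon most likely failed to start with the edited configuration, and its log is the place to look rather than the client command.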

MongoDB is not running as service

I have installed Mongo on my OSX
$ brew info mongodb
mongodb: stable 4.0.2 (bottled)
...
I'm starting MongoDB service by this command:
$ brew services start mongodb
I can observe the status of mongodb:
$ brew services list
Name Status User Plist
mongodb started megas /Users/megas/Library/LaunchAgents/homebrew.mxcl.mongodb.plist
...
But when I'm running the mongo client it gives me an error:
$ mongo
MongoDB shell version v4.0.2
connecting to: mongodb://127.0.0.1:27017
2018-09-19T15:18:22.490+0300 E QUERY [js] Error: couldn't connect to server 127.0.0.1:27017, connection attempt failed: SocketException: Error connecting to 127.0.0.1:27017 :: caused by :: Connection refused :
connect@src/mongo/shell/mongo.js:257:13
@(connect):1:6
exception: connect failed
When I manually start mongod then it works as it should be.
What am I missing here?
Update:
If I run it manually it throws a message and stops:
$ mongod --config /usr/local/etc/mongod.conf
2018-09-19T21:47:51.531+0300 I CONTROL [main] Automatically disabling
TLS 1.0, to force-enable TLS 1.0 specify --sslDisabledProtocols 'none'
$ cat /usr/local/etc/mongod.conf
# Store data in /usr/local/var/mongodb instead of the default /data/db
dbpath = /usr/local/var/mongodb
# Append logs to /usr/local/var/log/mongodb/mongo.log
logpath = /usr/local/var/log/mongodb/mongo.log
logappend = true
# Only accept local connections
bind_ip = 127.0.0.1

LetsEncrypt SSL Certificate Validation Failed with MongoDB

A little background...my certificate is a LetsEncrypt.org SSL certificate issued with Certbot. I'm running Nginx 1.12.2, and I'm able to properly access my website using https:// so I believe that portion is configured properly. My web server is running Ubuntu 16.04 and MongoDB 3.6.3.
I have tried many configurations and while I can connect to my MongoDB just fine using Compass (the official MongoDB GUI) without the SSL option, attempts to connect with SSL result in a Could not connect to MongoDB on the provided host and port error message. Running mongo -ssl --sslPEMKeyFile /etc/ssl/mongo.pem on my server results in the following error:
MongoDB shell version v3.6.3
connecting to: mongodb://127.0.0.1:27017
2018-06-12T16:51:10.756+0000 E NETWORK [thread1] SSL peer certificate validation failed: unable to get local issuer certificate
2018-06-12T16:51:10.757+0000 E QUERY [thread1] Error: socket exception [CONNECT_ERROR] for SSL peer certificate validation failed: unable to get local issuer certificate :
connect@src/mongo/shell/mongo.js:251:13
@(connect):1:6
exception: connect failed
My /var/log/mongodb/mongod.log shows the following which corresponds to the error above:
2018-06-12T16:51:10.755+0000 I NETWORK [listener] connection accepted from 127.0.0.1:47792 #8 (2 connections now open)
2018-06-12T16:51:10.757+0000 I NETWORK [conn8] end connection 127.0.0.1:47792 (1 connection now open)
My /etc/mongod.conf contains the following (I've commented out the CAFile parameter as I've read this is optional for now [source: https://stackoverflow.com/a/33926129/2969615 ]; note that I get mongo.pem: OK when running the openssl verify -CAfile /etc/ca.pem /etc/mongo.pem command, so I believe mongo.pem is properly set up):
# network interfaces
net:
  port: 27017
  bindIp: 0.0.0.0
  ssl:
    mode: allowSSL
    PEMKeyFile: /etc/ssl/mongo.pem
#    CAFile: /etc/ssl/ca.pem
I've created my mongo.pem file by referring to the following: https://serverfault.com/a/878457 ...I have tried the certificate in the instructions as well as both X3 intermediate certificates available at https://letsencrypt.org/certificates/ to no avail.
Any help would be greatly appreciated.
Very late to the party, but just in case it does help someone. I am running mongodb inside docker with the official image from mongo and compass from another docker image.
For the server I use:
docker run -it --name data.domain.com --network docker_network -v /path/to/ssl:/ssl:ro -e MONGO_INITDB_ROOT_USERNAME=admin -e MONGO_INITDB_ROOT_PASSWORD=pass mongo --tlsMode requireTLS --tlsCertificateKeyFile /ssl/fullchain-key.pem --tlsCAFile /etc/ssl/certs/ISRG_Root_X1.pem
fullchain-key.pem is 'cat fullchain.pem privkey.pem > fullchain-key.pem'
docker name or server name must match certificate name
For Compass I use:
The server has its own certificate and compass as well.
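Added example, not part of the answer above: a small audit of the exposure-related settings in the `mongod.conf` files shown on this page (authorization, `bindIp`, TLS mode). It assumes two-space YAML indentation; the function names and category labels are hypothetical, and the sample configs are constructed from the ones above.

```shell
# Added example: flag exposure-related settings in a YAML mongod.conf on stdin.
# Assumes two-space indentation and one "key: value" pair per line.
audit_mongod_conf() {
  awk '
    /^ *#/ || /^ *$/ { next }                  # skip comments and blank lines
    {
      line = $0; sub(/^ +/, "", line)
      depth = (length($0) - length(line)) / 2  # nesting level from indentation
      key = line; sub(/:.*$/, "", key)
      val = line; sub(/^[^:]*: */, "", val); sub(/ *#.*$/, "", val)
      path[depth] = key; full = path[0]
      for (i = 1; i <= depth; i++) full = full "." path[i]
      conf[full] = val
    }
    END {
      bind = conf["net.bindIp"]
      mode = conf["net.tls.mode"]; if (mode == "") mode = conf["net.ssl.mode"]
      loopback = (bind ~ /^(127\.0\.0\.1|localhost)$/)
      if (conf["security.authorization"] != "enabled") print "auth-disabled"
      if (bind == "") print "bind-unset"       # all interfaces before MongoDB 3.6
      else if (!loopback) print "bind-beyond-loopback"
      if (!loopback && mode !~ /^require(TLS|SSL)$/) print "plaintext-allowed"
    }'
}

# Constructed sample modelled on the net section in the question above.
sample_exposed_conf() {
  cat <<'EOF'
net:
  port: 27017
  bindIp: 0.0.0.0
  ssl:
    mode: allowSSL
EOF
}

# Constructed sample: loopback only, TLS required, authorization enabled.
sample_hardened_conf() {
  cat <<'EOF'
net:
  bindIp: 127.0.0.1
  tls:
    mode: requireTLS
security:
  authorization: enabled
EOF
}

sample_exposed_conf | audit_mongod_conf
```

`allowSSL` accepts both TLS and non-TLS incoming connections, which is why it is reported as `plaintext-allowed` when the listener is reachable beyond loopback.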