Enable SSL in Mongo 3.0.5 - mongodb

I have been able to start mongo in ssl mode with the following command:
mongod --sslMode requireSSL --sslPEMKeyFile ~/datastore.pem --sslCAFile ~/datastore.ca-bundle
datastore.pem was created by combining the .crt (issued by Comodo SSL) and the .key (used when generating the CSR).
I am trying to connect to my mongo instance with the below command:
mongo --ssl --sslPEMKeyFile ~/datastore.pem --sslCAFile ~/datastore.ca-bundle
I get the following message when I try to connect:
MongoDB shell version: 3.0.5
connecting to: test
2015-08-10T03:35:43.456+0000 E NETWORK SSL peer certificate validation failed:certificate not trusted
2015-08-10T03:35:43.458+0000 E QUERY Error: socket exception [CONNECT_ERROR] for
at connect (src/mongo/shell/mongo.js:179:14)
at (connect):1:6 at src/mongo/shell/mongo.js:179
I am very new to SSL setup in mongo; any pointers on successfully connecting to mongo using SSL would be helpful. I have read the security section of the 10gen docs multiple times but found no direct answer.

Related

Atlas MongoDB SSH Tunnel hostname mismatch

I am trying to set up an SSH tunnel to a MongoDB cluster hosted in Atlas. I set up the tunnel with the command below:
ssh -i <key_file> -N -L <localport>:<atlas_node_hostname>:<atlas_port> <remote_user>@<remote_ip>
And added the atlas_node_hostname in
/etc/hosts
From the machine where I created the SSH tunnel, I can connect to atlas db with the atlas_node_hostname mentioned in the string.
mongo --ssl "mongodb://<username>:<password>@<atlas_node_hostname>:<ssh_tunnel_local_port>/<db_name>?authSource=admin"
But I want to connect using 127.0.0.1 instead of the atlas_node_hostname, so that I can give devs access only to the machine where the tunnel is running and they can connect to the DB from there.
mongo --ssl "mongodb://<username>:<password>@127.0.0.1:<ssh_tunnel_local_port>/<db_name>?authSource=admin"
But with the above attempt I get the error below:
Error: couldn't connect to server 127.0.0.1:27779, connection attempt failed: SSLHandshakeFailed: The server certificate does not match the host name. Hostname: 127.0.0.1 does not match SAN(s): *.345ed5412fd76fb84cd13794.utkqs.mongodb.net, *.utkqs.mesh.mongodb.net, *.utkqs.mongodb.net, CN: *.utkqs.mongodb.net :
Is there any way I can get it working with the 127.0.0.1 instead of giving the atlas_node_hostname? Or any tool that can proxy Atlas MongoDB?

MongoDB SSL connection with self signed certificate

In light of the recent MongoDB hacks, we too were hit by the hackers.
We enabled authorization and changed the default port of the server.
However, we also want to encrypt our communication channel with the server with the help of a self-signed certificate,
so our configuration looks like this:
tls:
  mode: requireTLS
  allowConnectionsWithoutCertificates: false
  certificateKeyFile: /etc/ssl/server.pem
  CAFile: /etc/ssl/ca.crt
What happens is that when I try to connect the mongo shell with the client certificate, the connection is constantly denied. But after commenting out the CAFile config and using --tlsAllowInvalidCertificates, the connection is established.
I created the certificate following this link:
https://gist.github.com/kevinadi/96090f6f9973ff8c2d019bbe0d9a0f70
To connect to the server I'm using the following command:
mongo --host hostname --username user --password password --authenticationDatabase admin --port port --tls --tlsCertificateKeyFile client.pem --tlsCAFile ca.crt
I don't know what I'm doing wrong; is this even the correct way to do it?
The server log contains reasons why connections are rejected.

Can't connect to remote mongodb with macOS

I am trying to connect to a MongoDB service hosted on IBM Cloud following these instructions.
When I run the following command:
mongo -u $USERNAME -p $PASSWORD --ssl --sslCAFile c5f07836-d94c-11e8-a2e9-62ec2ed68f84 --authenticationDatabase admin --host replset/bdb98a3ac10-0.b8a5e798d2d04f2e860d042c915.databases.appdomain.cloud:30484,bd576-96db98a3ac10-1.b8a5e4e5d042c915.databases.appdomain.cloud:30484
I get this error on macOS, while on Windows 10 the connection is correctly established:
SSL peer certificate validation failed: Certificate trust failure:
Invalid Extended Key Usage for policy; connection rejected
If I connect via MongoDB Compass instead of using the terminal, the connection works.
I had to add the --sslAllowInvalidCertificates flag.
https://docs.mongodb.com/manual/reference/configuration-options/#net.ssl.allowConnectionsWithoutCertificates

SSL peer certificate validation failed: unable to get local issuer certificate in MongoDB

I am trying to configure SSL certificates in MongoDB. For that, I registered a sample domain name, myapptest.tk, using freenom (online) and generated certificates for that domain name using sslforfree (online). I assigned that domain name to my MongoDB server IP in the /etc/hosts file. After that I downloaded those certificates and configured them in the /etc/mongod.conf file.
Here is the SSL configuration I have used in mongod.conf:
net:
  port: 27017
  bindIp: 0.0.0.0 # Enter 0.0.0.0,:: to bind to all IPv4 and IPv6 addresses or, alternatively, use the net.bindIpAll setting.
  ssl:
    mode: requireSSL
    PEMKeyFile: /etc/ssl/mongodb.pem
    CAFile: /etc/ssl/ca_bundle.crt
    allowConnectionsWithoutCertificates: false
    allowInvalidHostnames: false
    disabledProtocols: TLS1_0,TLS1_1
Here I am combining certificate.crt and private.key into mongodb.pem, passing that as the value of PEMKeyFile, and passing ca_bundle.crt as the value of CAFile. Finally I restarted the mongod service using the command
sudo service mongod restart
The mongod server is running successfully. Now I am trying to connect to the server with the command
mongo --ssl --sslPEMKeyFile /etc/ssl/mongodb.pem --sslCAFile /etc/ssl/ca_bundle.crt --host myapptest.tk
I am unable to connect to the server and get the following error:
MongoDB shell version v4.0.8
connecting to: mongodb://myapptest.tk:27017/?gssapiServiceName=mongodb
2019-04-04T19:57:40.401+0000 E NETWORK [js] SSL peer certificate validation failed: unable to get local issuer certificate
2019-04-04T19:57:40.402+0000 E QUERY [js] Error: couldn't connect to server myapptest.tk:27017, connection attempt failed: SSLHandshakeFailed: SSL peer certificate validation failed: unable to get local issuer certificate :
connect@src/mongo/shell/mongo.js:343:13
@(connect):2:6
exception: connect failed
If I use the mongo command with the option --sslAllowInvalidCertificates, like
mongo --ssl --sslAllowInvalidCertificates
I am able to connect to the MongoDB server; otherwise, I am unable to connect.
What is wrong with the SSL certificate configuration in the mongod.conf file?
What I want to know is: can we connect to the MongoDB server with --sslCAFile?
How do I generate the --sslPEMKeyFile and --sslCAFile in *.pem format for MongoDB?
Below is the link I have followed:
https://docs.mongodb.com/manual/tutorial/configure-ssl/
Could anybody suggest how to achieve this?
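As an added example that is not part of any of the posts above or of MongoDB's own tooling, the following sh script reproduces, with openssl against a throwaway CA, the three checks the mongo shell applies to a server certificate: chain trust (behind "certificate not trusted" in the main question and "unable to get local issuer certificate" in the post above), hostname matching (behind the Atlas SAN mismatch), and extended key usage (behind the macOS "Invalid Extended Key Usage" error). The CA names, hostnames and file names are constructed for the demo; only openssl in PATH is assumed.

```shell
# Added example: builds a throwaway CA and server cert, assembles the combined
# PEM the way the question describes (crt followed by key), and exposes the
# checks the mongo shell runs implicitly. Everything here is constructed.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# 1. Throwaway CA (stands in for the vendor's ca-bundle in the question).
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.cnf
openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Example Test CA' \
  -keyout ca.key -out ca.csr 2>/dev/null
openssl x509 -req -in ca.csr -signkey ca.key -days 1 -extfile ca.cnf -out ca.crt 2>/dev/null

# 2. Server key + CSR, signed by the CA with a DNS SAN and a serverAuth EKU.
printf 'subjectAltName=DNS:mongo.example.test\nextendedKeyUsage=serverAuth,clientAuth\n' > srv.cnf
openssl req -new -newkey rsa:2048 -nodes -subj '/CN=mongo.example.test' \
  -keyout datastore.key -out datastore.csr 2>/dev/null
openssl x509 -req -in datastore.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
  -days 1 -extfile srv.cnf -out datastore.crt 2>/dev/null

# 3. Combined PEM exactly as in the question: certificate first, then key.
cat datastore.crt datastore.key > datastore.pem

# 4. An unrelated CA, to reproduce "certificate not trusted" / "unable to get
#    local issuer certificate" when the wrong bundle is handed to --sslCAFile.
openssl req -new -x509 -newkey rsa:2048 -nodes -subj '/CN=Other CA' -days 1 \
  -keyout other.key -out other.crt 2>/dev/null

# chain_ok BUNDLE PEM HOSTNAME: 0 if the leaf in PEM chains to BUNDLE and
# HOSTNAME matches its SAN/CN, non-zero otherwise. The x509 step extracts
# just the certificate so the private key in the combined PEM is ignored.
chain_ok() {
  openssl x509 -in "$2" 2>/dev/null |
    openssl verify -CAfile "$1" -verify_hostname "$3" >/dev/null 2>&1
}

# has_server_auth PEM: 0 if the leaf's extendedKeyUsage includes serverAuth,
# the usage a TLS client expects to find on a server certificate.
has_server_auth() {
  openssl x509 -in "$1" -noout -text 2>/dev/null |
    grep -q 'TLS Web Server Authentication'
}

# Demo: trusted bundle + right name succeeds; wrong bundle or IP literal fails.
chain_ok ca.crt datastore.pem mongo.example.test && echo "chain+hostname OK"
chain_ok other.crt datastore.pem mongo.example.test || echo "wrong CA: not trusted"
chain_ok ca.crt datastore.pem 127.0.0.1 || echo "IP literal does not match SAN"
```

Point chain_ok at the real ca-bundle and combined PEM to confirm the bundle actually contains the issuer of the server certificate before touching the mongod options.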

Connect to AWS over SSH portforward

I'd like to connect to my AWS instance and connect to my MongoDB database over localhost. The SSH tunnel seems to work, but when I try to connect with mongo I get a connection failed error.
SSH tunnel command:
ssh -i <path to key> -N -L 27017:++++++++++.us-west-2.compute.amazonaws.com:27017 ++++++@++++++++++.us-west-2.compute.amazonaws.com
Mongo client:
mongo -u +++++++ -p ++++++++++ mongodb://localhost:27017/+++++
MongoDB shell version v3.4.7
connecting to: mongodb://localhost:27017/++++++
2018-01-22T15:32:07.125+0100 E QUERY [thread1] Error: network error while attempting to run command 'isMaster' on host 'localhost:27017' :
connect@src/mongo/shell/mongo.js:237:13
@(connect):1:6
exception: connect failed
On the tunnel side I then get:
channel 2: open failed: connect failed: Connection refused
I have tried the mongo command directly on the server, and there it works fine.
In my Robo 3T client there is an option to connect over SSH, and there the connection works just fine.
Any suggestions are greatly appreciated.
EDIT
When I start the mongo client, no new lines are added to the mongodb log file. This indicates that the tunnel is not doing its job...
According to this documentation, this error happens when you try to connect to a MongoDB server without ssl.
The solution then would be to connect using SSL, which can be done by adding --ssl to your connection query (so that it looks like this: mongo --ssl -u +++++++ -p ++++++++++ mongodb://localhost:27017/+++++).
Let me know if this works for you!