Mongodb – SSLServerHasCertificateAuthority is false but the certificate is signed by a trusted CA

Tags: certificate, mongodb, ssl

I am enabling TLS/SSL encryption on a remote MongoDB instance (running on Windows Server 2012 R2). On the instance's server, devserver.external, I have created an SSL certificate. The CN on the subject is devserver.external and the issuer is company-issuer. On my computer (the one with which I am connecting to the remote mongo instance, Windows 10) I have company-issuer in my Intermediate Certification Authorities (when viewed through the Windows certificate manager). This is an internal company operated CA that is trusted on all company machines, including the dev server and my machine.

When connecting to mongo, via either mongo on the command line or the Robo3t client, the connection succeeds over SSL but db.serverStatus().security.SSLServerHasCertificateAuthority is false. From the mongo docs:

A boolean that is true when the TLS/SSL certificate specified by net.ssl.PEMKeyPassword is associated with a certificate authority. **false when the TLS/SSL certificate is self-signed.**

So it would seem mongo is interpreting my CA-signed certificate as a self-signed certificate. This is obviously unwanted behaviour.

My mongod.cfg is:

systemLog:
    destination: file
    path: E:\MongoData\Log\mongod.log
storage:
    dbPath: e:\MongoData\DB
setParameter:
    enableLocalhostAuthBypass: false
security:
    authorization: enabled
net:
    ssl:
        mode: requireSSL
        PEMKeyFile: C:\Program Files\MongoDB\Server\3.4\mongodb2.pem

My mongodb2.pem is:

-----BEGIN PRIVATE KEY-----
<base64 encoded private key>
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
<base64 encoded certificate>
-----END CERTIFICATE-----

I've not included a CA file because as stated in the configuration reference:

Changed in version 3.4: If --sslCAFile is not specified when connecting to a TLS/SSL-enabled server, the system-wide CA certificate store will be used.

My interpretation of this is: as I have not included a net.ssl.CAFile in my mongod.cfg, my mongo server will look to the Windows certificate store for a list of trusted CAs, in which it would find my company-issuer CA, which is the issuer for the certificate in mongodb2.pem.

Best Answer

As per the MongoDB documentation here, to connect to a mongod or mongos instance that requires encrypted communication, start the mongo shell with --ssl and include --sslCAFile to validate the server certificates.

mongo --ssl --host hostname.example.com --sslCAFile /etc/ssl/ca.pem

For example, given a TLS/SSL certificate located at /etc/ssl/mongodb.pem, configure mongod to use TLS/SSL encryption for all connections with the following command:

mongod --sslMode requireSSL --sslPEMKeyFile /etc/ssl/mongodb.pem <additional options>

Set Up mongod and mongos with Certificate Validation

To set up mongod or mongos for TLS/SSL encryption using a TLS/SSL certificate signed by a certificate authority, include the following run-time options during startup:

  • net.ssl.mode set to requireSSL. This setting restricts each server to use only TLS/SSL encrypted connections. You can also specify either the value allowSSL or preferSSL to set up the use of mixed TLS/SSL modes on a port. See net.ssl.mode for details.
  • PEMKeyFile with the name of the .pem file that contains the signed TLS/SSL certificate and key.
  • CAFile with the name of the .pem file that contains the root certificate chain from the Certificate Authority.

Note:

  1. Specify the PEMKeyFile and the CAFile with either the full path name or the relative path name.
  2. If the PEMKeyFile is encrypted, specify the passphrase. See TLS/SSL Certificate Passphrase.

You may also specify these options in the configuration file, as in the following examples:

If using the YAML configuration file format, include the following configuration in the file:

net:
   ssl:
      mode: requireSSL
      PEMKeyFile: /etc/ssl/mongodb.pem
      CAFile: /etc/ssl/ca.pem

Connect to MongoDB Instance that Requires Client Certificates

To connect to a mongod or mongos that requires CA-signed client certificates, start the mongo shell with --ssl, the --host option to specify the host to which to connect, the --sslPEMKeyFile option to specify the signed certificate-key file, and the --sslCAFile to validate the server certificates.

mongo --ssl --host hostname.example.com --sslPEMKeyFile /etc/ssl/client.pem --sslCAFile /etc/ssl/ca.pem
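Both the question (a PEMKeyFile with no CAFile) and the answer (adding CAFile) come down to whether the server can tie the certificate in its PEMKeyFile to a CA it has actually been given. The following Go helper is an added example, not code from the page, the asker, or MongoDB: it builds a constructed company-issuer CA and devserver.external leaf in memory and runs the two checks a defender would make on such a bundle, whether the certificate is self-signed and whether it chains to the supplied CA PEM. With no CA PEM supplied (the no-CAFile situation) the chain check fails, which is my assumption about what the status flag is reflecting, not a statement of mongod internals.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// MakeCert builds a constructed, PEM-encoded certificate for cn, signed by parent (self-signed when parent is nil).
func MakeCert(cn string, isCA bool, parent *x509.Certificate, pkey ed25519.PrivateKey) ([]byte, *x509.Certificate, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), IsCA: isCA, BasicConstraintsValid: true}
	if parent == nil {
		parent, pkey = tmpl, priv // self-signed: the template signs itself
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, pkey)
	cert, _ := x509.ParseCertificate(der)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), cert, priv
}

// ServerCertStatus reads the first CERTIFICATE block of a PEMKeyFile-style bundle and reports whether it is self-signed and whether it chains to a CA in caPEM (chainErr == nil).
func ServerCertStatus(bundlePEM, caPEM []byte) (selfSigned bool, chainErr error) {
	blk, rest := pem.Decode(bundlePEM)
	for blk != nil && blk.Type != "CERTIFICATE" { // skip the private key block that precedes the certificate
		blk, rest = pem.Decode(rest)
	}
	if blk == nil {
		return false, fmt.Errorf("no CERTIFICATE block in bundle")
	}
	leaf, err := x509.ParseCertificate(blk.Bytes)
	if err != nil {
		return false, err
	}
	// Self-signed means the signature verifies under the certificate's own public key.
	selfSigned = leaf.CheckSignature(leaf.SignatureAlgorithm, leaf.RawTBSCertificate, leaf.Signature) == nil
	pool := x509.NewCertPool() // stays empty when no CA file is supplied: nothing to chain to
	pool.AppendCertsFromPEM(caPEM)
	_, chainErr = leaf.Verify(x509.VerifyOptions{Roots: pool})
	return selfSigned, chainErr
}

func main() {
	caPEM, ca, caKey := MakeCert("company-issuer", true, nil, nil)
	leafPEM, _, _ := MakeCert("devserver.external", false, ca, caKey)
	fmt.Println(ServerCertStatus(leafPEM, caPEM)) // false <nil>: CA-signed and chains to the CA
}
```

Run it against a real mongodb2.pem and ca.pem by replacing the constructed inputs with the file contents; a self-signed result or a non-nil chain error is what to look for before expecting the status flag to be true.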