I followed this tutorial to create both a root CA certificate and then used it to sign a key for the mongod server.
I run mongod with this configuration, by following this doc:
net:
  ssl:
    mode: requireSSL
    PEMKeyFile: /home/user/device.pem
    CAFile: /home/user/rootCA.pem
    allowInvalidCertificates: true
    allowInvalidHostnames: true
The last 2 I added since I am getting a connection failure.
I'm using these lines to connect:
./mongo <host>:<port>/<db> -u <user> -p <pwd> --ssl --sslAllowInvalidCertificates --sslCAFile ~/Downloads/rootCA.pem
./mongo <host>:<port>/<db> -u <user> -p <pwd> --ssl --sslAllowInvalidCertificates
./mongo <host>:<port>/<db> -u <user> -p <pwd> --ssl
But all of these produce:
MongoDB shell version v3.4.2
connecting to: mongodb://<host>:<port>/<db>
2017-03-30T14:39:15.307+0300 E NETWORK [thread1] SSL peer certificate validation failed: self signed certificate
2017-03-30T14:39:15.311+0300 E QUERY [thread1] Error: socket exception [CONNECT_ERROR] for SSL peer certificate validation failed: self signed certificate :
connect@src/mongo/shell/mongo.js:237:13
@(connect):1:6
exception: connect failed
Any idea what I am doing wrong? I know it's a self-signed certificate.
Will appreciate your help.
Also tried following the answer in here: https://stackoverflow.com/questions/21297139/how-do-you-sign-certificate-signing-request-with-your-certification-authority/21340898#21340898
Best Answer
In your mongod configuration file, you specify SSL mode to be requireSSL. This means that the mongod server only uses and accepts TLS/SSL encrypted connections. The client mongo shell in your case needs to specify --sslPEMKeyFile to pass the client's PEM file. See also mongo shell SSL configuration or Tutorial: configure SSL for clients.

In regards to security, be extra careful enabling configurations. Please see the two parameters' descriptions for what they're for: --allowInvalidCertificates and --allowInvalidHostnames.
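As an added example (not code from the question or the answer), a small POSIX shell audit that flags the two net.ssl settings the question added, plus a missing CAFile or a mode other than requireSSL; the sample configs are constructed inline, and the script assumes the 3.4-era net.ssl key names shown on this page:

```shell
#!/bin/sh
# Added audit script: flags mongod "net.ssl" settings that disable peer
# certificate validation. Constructed sample configs are written to a temp
# dir so it runs without a mongod; key names assume the 3.4-era YAML layout.

audit_mongod_tls() {
    cfg="$1"
    mode=$(sed -n 's/^[[:space:]]*mode:[[:space:]]*//p' "$cfg" | head -n 1)
    if [ "$mode" != "requireSSL" ]; then
        echo "WARN net.ssl.mode=${mode:-unset}: plaintext connections are still accepted"
    fi
    for key in allowInvalidCertificates allowInvalidHostnames; do
        if grep -Eq "^[[:space:]]*${key}:[[:space:]]*true" "$cfg"; then
            echo "WARN net.ssl.${key}=true: peer certificate or hostname checks are disabled"
        fi
    done
    if ! grep -Eq '^[[:space:]]*CAFile:' "$cfg"; then
        echo "WARN net.ssl.CAFile unset: client certificates cannot be validated"
    fi
}

# Number of WARN lines; 0 means the config keeps full certificate validation.
count_tls_findings() {
    audit_mongod_tls "$1" | grep -c '^WARN' || true
}

# Writes the question's config (weak.yaml) and the same config with the two
# allow* keys removed (hardened.yaml); prints the directory they live in.
write_samples() {
    dir=$(mktemp -d)
    cat > "$dir/weak.yaml" <<'EOF'
net:
  ssl:
    mode: requireSSL
    PEMKeyFile: /home/user/device.pem
    CAFile: /home/user/rootCA.pem
    allowInvalidCertificates: true
    allowInvalidHostnames: true
EOF
    cat > "$dir/hardened.yaml" <<'EOF'
net:
  ssl:
    mode: requireSSL
    PEMKeyFile: /home/user/device.pem
    CAFile: /home/user/rootCA.pem
EOF
    echo "$dir"
}

samples=$(write_samples)
audit_mongod_tls "$samples/weak.yaml"   # prints two WARN lines
rm -rf "$samples"
```

With the hardened config the shell must then present a valid chain itself (--sslCAFile and, where the server asks for it, --sslPEMKeyFile) instead of relying on --sslAllowInvalidCertificates.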