I have followed this guide Self-signed SSL connection using PyMongo, by Wan Bachtiar to create three .pem files; server.pem, client.pem and ca.pem.
I am using Ubuntu 16.04 and MongoDB v3.2.11.
The purpose is to secure the MongoDB before opening it to the public internet.
lets start the mongod:
$ mongod --auth --port 27017 --dbpath /data/db1
--sslMode requireSSL --sslPEMKeyFile /etc/ssl/server.pem
--sslCAFile /etc/ssl/ca.pem --sslAllowInvalidHostnames &
Output:
root@tim:/etc/ssl# 2017-01-13T12:58:55.150+0000 I CONTROL [initandlisten] MongoDB starting : pid=19058 port=27017 dbpath=/data/db1 64-bit host=tim
2017-01-13T12:58:55.150+0000 I CONTROL [initandlisten] db version v3.2.11
2017-01-13T12:58:55.151+0000 I CONTROL [initandlisten] git version: 009580ad490190ba33d1c6253ebd8d91808923e4
2017-01-13T12:58:55.151+0000 I CONTROL [initandlisten] OpenSSL version: OpenSSL 1.0.2g 1 Mar 2016
2017-01-13T12:58:55.152+0000 I CONTROL [initandlisten] allocator: tcmalloc
2017-01-13T12:58:55.152+0000 I CONTROL [initandlisten] modules: none
2017-01-13T12:58:55.152+0000 I CONTROL [initandlisten] build environment:
2017-01-13T12:58:55.152+0000 I CONTROL [initandlisten] distmod: ubuntu1604
2017-01-13T12:58:55.152+0000 I CONTROL [initandlisten] distarch: x86_64
2017-01-13T12:58:55.152+0000 I CONTROL [initandlisten] target_arch: x86_64
2017-01-13T12:58:55.153+0000 I CONTROL [initandlisten] options: { net: { port: 27017, ssl: { CAFile: "/etc/ssl/ca.pem", PEMKeyFile: "/etc/ssl/server.pem", allowInvalidHostnames: true, mode: "requireSSL" }
}, security: { authorization: "enabled" }, storage: { dbPath: "/data/db1" } }
2017-01-13T12:58:55.211+0000 I - [initandlisten] Detected data files in /data/db1 created by the 'wiredTiger' storage engine, so setting the active storage engine to 'wiredTiger'.
2017-01-13T12:58:55.212+0000 W - [initandlisten] Detected unclean shutdown - /data/db1/mongod.lock is not empty.
2017-01-13T12:58:55.212+0000 W STORAGE [initandlisten] Recovering data from the last clean checkpoint.
2017-01-13T12:58:55.212+0000 I STORAGE [initandlisten] wiredtiger_open config: create,cache_size=1G,session_max=20000,eviction=(threads_max=4)
,config_base=false,statistics=(fast),log=(enabled=true,archive=true,path=journal,compressor=snappy),file_manager=(close_idle_time=100000),checkpoint=(wait=60,log_size=2GB),statistics_log=(wait=0),
2017-01-13T12:58:55.886+0000 I CONTROL [initandlisten] ** WARNING: You are running this process as the root user, which is not recommended.
2017-01-13T12:58:55.886+0000 I CONTROL [initandlisten]
2017-01-13T12:58:55.895+0000 I FTDC [initandlisten] Initializing full-time diagnostic data capture with directory '/data/db1/diagnostic.data'
2017-01-13T12:58:55.897+0000 I NETWORK [initandlisten] waiting for connections on port 27017 ssl
2017-01-13T12:58:55.897+0000 I NETWORK [HostnameCanonicalizationWorker] Starting hostname canonicalization worker
2017-01-13T12:58:56.026+0000 I FTDC [ftdc] Unclean full-time diagnostic data capture shutdown detected, found interim file, some metrics may have been lost. OK
After running the mongod, I start the mongo shell:
$ mongo --port 27017 -u "my username" -p "my password"
--authenticationDatabase "" --ssl --sslPEMKeyFile /etc/ssl/client.pem
--sslCAFile /etc/ssl/ca.pem --host tim
The output is similar to the question by Marshall Farrier; lets have a look.
MongoDB shell version: 3.2.11
connecting to: 127.0.0.1:27017/datatest
2017-01-13T12:35:58.247+0000 I NETWORK [initandlisten] connection accepted from 127.0.0.1:38902 #8 (1 connection now open)
2017-01-13T12:35:58.259+0000 E NETWORK [thread1] SSL peer certificate validation failed: self signed certificate
2017-01-13T12:35:58.259+0000 E QUERY [thread1] Error: socket exception [CONNECT_ERROR] for SSL peer certificate validation failed: self signed certificate :
connect@src/mongo/shell/mongo.js:231:14
@(connect):1:6
2017-01-13T12:35:58.263+0000 E NETWORK [conn8] SSL peer certificate validation failed: self signed certificate
2017-01-13T12:35:58.263+0000 I NETWORK [conn8] end connection 127.0.0.1:38902 (0 connections now open)
What am I doing wrong?
After some searching, it seems like this error is due to the fact that the hostname "CN" was incorrect.
From digitalocean:
Whenever you generate a CSR, you will be prompted to provide information regarding the certificate. This information is known as a Distinguised Name (DN). An important field in the DN is the Common Name (CN), which should be the exact Fully Qualified Domain Name (FQDN) of the host that you intend to use the certificate with.
Also from MongoDB documentation:
If your MongoDB deployment uses SSL, you must also specify the --host option. mongo verifies that the hostname of the mongod or mongos to which you are connecting matches the CN or SAN of the mongod or mongos‘s --sslPEMKeyFile certificate. If the hostname does not match the CN/SAN, mongo will fail to connect.
SOLUTION:
I regenerated the keys, replaced localhost with any other hostname in the CN = <hostname> and completed the guide by Wan Bachtiar.
Running the following command after completion worked:
$ mongo --port 27017 -u '<_username_>' -p '<_password_>'
--authenticationDatabase "<_my db_>" --ssl --sslPEMKeyFile
/etc/ssl/client.pem --sslCAFile /etc/ssl/ca.pem --host localhost
Note: The MongoDB folows a strict ruling of who has access to what db, a quick test in the mongo shell:
> show dbs
return an error. However, my user actually only have access to the db specified in "<my db>", so looping through the rows in "<my db>" works perfectly.
来源:https://stackoverflow.com/questions/41635371/mongodb-self-signed-ssl-connection-ssl-peer-certificate-validation-failed