
Background

I'm trying to run mongo locally in the same way that production will run, with full ssl verification enabled. Mongo is complaining about the certs being self-signed, but I'm specifying a ca.crt file, which I think should be treated as a root cert to validate against. If that's reasonable, then I think either my mongo config or the cert generation is not correct.

SSL keys/certs/pem

To create the ssl stuff I'm running the following

#!/bin/sh

# Generate self signed root CA cert
openssl req -nodes -x509 -newkey rsa:2048 -keyout ca.key -out ca.crt -subj "/emailAddress=dev@gmail.com"


# Generate server cert to be signed
openssl req -nodes -newkey rsa:2048 -keyout server.key -out server.csr -subj "/emailAddress=dev@gmail.com"

# Sign the server cert
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt

# Create server PEM file
cat server.key server.crt > server.pem


# Generate client cert to be signed
openssl req -nodes -newkey rsa:2048 -keyout client.key -out client.csr -subj "/emailAddress=dev@gmail.com"

# Sign the client cert
openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAserial ca.srl -out client.crt

# Create client PEM file
cat client.key client.crt > client.pem

Mongo DB config

The mongo config I'm then running with (inside docker) is the following. (Where /data/mongo is the location the files above are generated to.)

net:
  port: 27017
  ssl:
    mode: requireSSL
    CAFile: /data/mongo/ca.crt
    PEMKeyFile: /data/mongo/server.pem
    allowInvalidHostnames: true
setParameter:
   enableLocalhostAuthBypass: true

and running via

mongo --config config/location

Connecting to mongo

I then try to connect to the server using the mongo command line as follows.

mongo --ssl --sslPEMKeyFile /data/mongo/client.pem --sslCAFile /data/mongo/ca.crt

And get the following output

MongoDB shell version: 3.2.14
connecting to: test
2017-07-19T20:12:31.456+0000 I NETWORK  [initandlisten] connection accepted from 127.0.0.1:60516 #1 (1 connection now open)
2017-07-19T20:12:31.461+0000 E NETWORK  [conn1] SSL peer certificate validation failed: self signed certificate
2017-07-19T20:12:31.461+0000 I NETWORK  [conn1] end connection 127.0.0.1:60516 (0 connections now open)
2017-07-19T20:12:31.461+0000 E NETWORK  [thread1] SSL peer certificate validation failed: self signed certificate
2017-07-19T20:12:31.461+0000 E QUERY    [thread1] Error: socket exception [CONNECT_ERROR] for SSL peer certificate validation failed: self signed certificate :
connect@src/mongo/shell/mongo.js:229:14
@(connect):1:6

exception: connect failed
jimmiebtlr

  • That's kind of weird. The MongoDB documentation states MongoDB does not validate hostnames for self signed certificates: *"[when using a self-signed certificate] ... there will be no validation of server identity"*. See [Configure mongod and mongos for TLS/SSL](https://docs.mongodb.com/manual/tutorial/configure-ssl/) in the manual. – jww Jul 20 '17 at 17:46
  • ***`CN=www.example.com`*** is probably wrong. Hostnames always go in the *SAN*. If it's present in the *CN*, then it must be present in the *SAN* too (you have to list it twice in this case). For more rules and reasons, see [How do you sign Certificate Signing Request with your Certification Authority](http://stackoverflow.com/a/21340898/608639) and [How to create a self-signed certificate with openssl?](http://stackoverflow.com/q/10175812/608639) You will also need to place the self-signed certificate in the appropriate trust store. – jww Jul 20 '17 at 17:47
  • I don't think I fully understand how to do this? Does that go in each of the subj args? – jimmiebtlr Jul 21 '17 at 08:20

1 Answer

Got it! Basically it needed more data in the subject line, or CN needed to be ROOTCA for the CA. Anyone that could comment on why would be appreciated.

#!/bin/sh
prefix="/C=CN/ST=GD/L=city/O=company"

# Generate self signed root CA cert
openssl req -nodes -x509 -newkey rsa:2048 -keyout ca.key -out ca.crt -subj "${prefix}/CN=ROOTCA"


# Generate server cert to be signed
openssl req -nodes -newkey rsa:2048 -keyout server.key -out server.csr -subj "${prefix}/CN=127.0.0.1"

# Sign the server cert
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt

# Create server PEM file
cat server.key server.crt > server.pem


# Generate client cert to be signed
openssl req -nodes -newkey rsa:2048 -keyout client.key -out client.csr -subj "${prefix}/CN=127.0.0.1"

# Sign the client cert
openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAserial ca.srl -out client.crt

# Create client PEM file
cat client.key client.crt > client.pem

Some related resources if anyone is having similar troubles

Answer was found/taken from

https://www.mongodb.com/blog/post/secure-mongodb-with-x-509-authentication
https://raw.githubusercontent.com/tjworks/mongoscripts/master/x509/setup-x509.sh

A Stack Exchange ticket almost identical to mine can also be found at

https://dba.stackexchange.com/questions/151251/mongodb-error-self-signed-certificate-in-certificate-chain?newreg=20bca440682842c085a8764dd7c91e96

jimmiebtlr
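An added example, not the question's or the answer's own code: it rebuilds both subject layouts from this page in a scratch directory (assuming `openssl` is on PATH) and shows what separates them. A leaf whose subject DN equals its issuer DN is, by name, indistinguishable from a self-signed certificate, which is the situation the original script created; giving the CA its own CN (ROOTCA) makes the chain unambiguous, and `openssl verify` then accepts server.crt against ca.crt.

```shell
#!/bin/sh
# Added example (not from the question or answer). Assumes `openssl` on PATH.
# Rebuilds the two subject layouts from the page in a temporary directory and
# classifies each leaf by whether its subject DN equals its issuer DN.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Self-signed root CA with subject $1, written to $WORK/ca.{key,crt}.
make_ca() {
    openssl req -nodes -x509 -newkey rsa:2048 -keyout "$WORK/ca.key" \
        -out "$WORK/ca.crt" -subj "$1" 2>/dev/null
}

# CSR plus CA-signed leaf with subject $1, written to $WORK/$2.{key,csr,crt}.
# Same steps as the page's script: no SAN, no extension file.
issue_leaf() {
    openssl req -nodes -newkey rsa:2048 -keyout "$WORK/$2.key" \
        -out "$WORK/$2.csr" -subj "$1" 2>/dev/null
    openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/ca.crt" \
        -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/$2.crt" 2>/dev/null
}

# Prints "looks-self-signed" when subject DN == issuer DN, else "chained".
# Stripping the "subject="/"issuer=" prefix copes with old and new output styles.
classify_leaf() {
    s=$(openssl x509 -noout -subject -in "$1"); s=${s#subject=}
    i=$(openssl x509 -noout -issuer -in "$1");  i=${i#issuer=}
    if [ "$s" = "$i" ]; then echo looks-self-signed; else echo chained; fi
}

# Returns 0 when openssl accepts the chain leaf -> ca.crt.
verify_leaf() {
    openssl verify -CAfile "$WORK/ca.crt" "$1" >/dev/null 2>&1
}

prefix="/C=CN/ST=GD/L=city/O=company"

# Case 1: the question's layout, CA and leaf share one DN.
make_ca "/emailAddress=dev@gmail.com"
issue_leaf "/emailAddress=dev@gmail.com" same
echo "same DN:     $(classify_leaf "$WORK/same.crt")"

# Case 2: the answer's layout, CA gets CN=ROOTCA, server gets CN=127.0.0.1.
make_ca "${prefix}/CN=ROOTCA"
issue_leaf "${prefix}/CN=127.0.0.1" server
echo "distinct DN: $(classify_leaf "$WORK/server.crt")"
if verify_leaf "$WORK/server.crt"; then echo "server.crt verifies against ca.crt"; fi
```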