
I'm working on configuring my Mongo 4.2 with TLS using minikube.

These are my arguments: --auth --tlsMode requireTLS --tlsCertificateKeyFile /etc/ssl/mongodb-test-ca.crt --tlsCAFile /etc/ssl/test-ca.pem --oplogSize 32 --quiet --replSet myreplicaset --logpath /dev/stdout

I'm getting this error:

cannot read certificate file: /etc/ssl/mongodb-test-ca.key error:0909006C:PEM routines:get_name:no start line

It looks like there is some problem with the .pem files that I'm using. To configure them, I've followed the instructions here https://www.mongodb.com/docs/manual/appendix/security/appendixA-openssl-ca/

More specifically, after creating the openssl-test-ca.cnf file that they suggest, the commands I've used are:

openssl genrsa -out mongodb-test-ca.key 4096
openssl req -new -x509 -days 1826 -key mongodb-test-ca.key -out mongodb-test-ca.crt -config openssl-test-ca.cnf
openssl genrsa -out mongodb-test-ia.key 4096
openssl req -new -key mongodb-test-ia.key -out mongodb-test-ia.csr -config openssl-test-ca.cnf
openssl x509 -sha256 -req -days 730 -in mongodb-test-ia.csr -CA mongodb-test-ca.crt -CAkey mongodb-test-ca.key -set_serial 01 -out mongodb-test-ia.crt -extfile openssl-test-ca.cnf -extensions v3_ca
cat mongodb-test-ca.crt mongodb-test-ia.crt  > test-ca.pem

What am I doing wrong? One idea is that the files that I'm using were not the correct ones, but I'm only seeing one .pem file in my process, the test-ca.pem. For the key tlsCertificateKeyFile I've also tested mongodb-test-ca.key and mongodb-test-ia.key without success.

Carabes

2 Answers


You must create the .pem like this:

cat mongodb-test-ia.crt mongodb-test-ia.key > mongodb-test-ia.pem

and then run mongod with

--tlsCertificateKeyFile /etc/ssl/mongodb-test-ia.pem --tlsCAFile /etc/ssl/test-ca.crt 

In order to test the certificates you can also use openssl. Try

openssl verify -CAfile /etc/ssl/mongodb-test-ca.crt /etc/ssl/mongodb-test-ia.pem

Or if you like to do it a bit more advanced, open a shell and enter

openssl s_server -cert /etc/ssl/mongodb-test-ia.pem

Then open another shell and use

openssl s_client -CAfile /etc/ssl/mongodb-test-ca.crt -quiet -no_ign_eof -status <<< Q

See also How Security in MongoDB works (using x.509 cert)

Wernfried Domscheit

Just had another look at your question. In total you need to create 3 certificates.

  1. The (self-signed) CA

    In many cases you create a Root CA and an Intermediate CA. In principle, and for testing purposes, it is fully sufficient to create only the Root CA, see https://security.stackexchange.com/questions/128779/why-is-it-more-secure-to-use-intermediate-ca-certificates

  2. The Server certificate (signed and verified by the above CA)

  3. The Client certificate (signed and verified by the above CA)

My personal advice: First create the CA and the server certificate, and use only openssl to make it work. Once you have achieved that, try to make it work with MongoDB. Then you can continue with the client certificate.

Wernfried Domscheit
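A worked version of what both answers describe, added here as an example and not taken from the question or from either answer: a self-signed test CA, a server certificate and a client certificate made with openssl alone, the combined key+certificate PEM that mongod's --tlsCertificateKeyFile expects, and openssl checks that tell a bare .crt (no key block, which is what the "no start line" error reports) apart from the combined file. The working directory, the hostname mongo-0.mongo.default.svc.cluster.local, the 2048-bit keys, the extension files and the -server/-client file names are assumptions; only the CA file names follow the linked MongoDB appendix.

```sh
#!/bin/sh
# Added example (not code from the question or either answer): builds the
# three certificates the second answer lists with openssl only, produces the
# key+certificate PEM that mongod's --tlsCertificateKeyFile needs, and checks
# the files the way the first answer suggests, before mongod is involved.
# Assumptions: the working directory, the server hostname, 2048-bit keys
# (the linked appendix uses 4096) and the extension files written below.
set -eu

WORK="${WORK:-$(mktemp -d)}"
# Assumed mongod hostname; the SAN must match the name clients connect to.
SERVER_HOST="${SERVER_HOST:-mongo-0.mongo.default.svc.cluster.local}"

make_test_pki() (
  cd "$WORK"
  # Minimal req config so the run does not depend on the system openssl.cnf.
  printf '[ req ]\ndistinguished_name = dn\nprompt = no\n[ dn ]\nCN = unused\n' > req.cnf

  # 1. Self-signed test root CA. Explicit CA:TRUE and keyCertSign, otherwise
  #    openssl verify (and TLS peers) reject it as an issuer.
  openssl genrsa -out mongodb-test-ca.key 2048 2>/dev/null
  openssl req -new -config req.cnf -key mongodb-test-ca.key \
    -subj '/CN=MongoDB Test CA' -out mongodb-test-ca.csr
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' > ca.ext
  openssl x509 -req -sha256 -days 1826 -in mongodb-test-ca.csr \
    -signkey mongodb-test-ca.key -extfile ca.ext -out mongodb-test-ca.crt

  # 2. Server certificate signed by the CA: serverAuth EKU plus a DNS SAN.
  openssl genrsa -out mongodb-test-server.key 2048 2>/dev/null
  openssl req -new -config req.cnf -key mongodb-test-server.key \
    -subj "/CN=$SERVER_HOST" -out mongodb-test-server.csr
  printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' "$SERVER_HOST" > server.ext
  openssl x509 -req -sha256 -days 730 -in mongodb-test-server.csr \
    -CA mongodb-test-ca.crt -CAkey mongodb-test-ca.key -CAcreateserial \
    -extfile server.ext -out mongodb-test-server.crt

  # 3. Client certificate signed by the same CA: clientAuth EKU, its own subject.
  openssl genrsa -out mongodb-test-client.key 2048 2>/dev/null
  openssl req -new -config req.cnf -key mongodb-test-client.key \
    -subj '/O=MongoDB Test/OU=clients/CN=app-user' -out mongodb-test-client.csr
  printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature\nextendedKeyUsage=clientAuth\n' > client.ext
  openssl x509 -req -sha256 -days 730 -in mongodb-test-client.csr \
    -CA mongodb-test-ca.crt -CAkey mongodb-test-ca.key -CAcreateserial \
    -extfile client.ext -out mongodb-test-client.crt

  # 4. The file mongod reads: private key and certificate in one PEM.
  #    A .crt on its own has no key block, which is what "no start line"
  #    reports when mongod looks for one.
  cat mongodb-test-server.key mongodb-test-server.crt > mongodb-test-server.pem
  cat mongodb-test-client.key mongodb-test-client.crt > mongodb-test-client.pem
  chmod 600 mongodb-test-server.pem mongodb-test-client.pem
)

# Number of PEM blocks in a file: the combined file has 2, a bare .crt has 1.
pem_block_count() {
  grep -c -e '-----BEGIN' "$1"
}

# True if openssl finds a private key in the file; false for a cert-only .crt.
has_private_key() {
  openssl pkey -in "$1" -noout >/dev/null 2>&1
}

# Chain check against the test CA with the purpose a TLS peer applies
# ($2 is sslserver or sslclient), so a wrong EKU or key usage is caught here.
verify_cert() {
  openssl verify -CAfile "$WORK/mongodb-test-ca.crt" -purpose "$2" "$1" >/dev/null 2>&1
}

# True if the certificate in the file lists the given EKU in its text dump.
cert_has_eku() {
  openssl x509 -in "$1" -noout -text | grep -q "$2"
}

main() {
  make_test_pki
  echo "PEM blocks in mongodb-test-server.pem: $(pem_block_count "$WORK/mongodb-test-server.pem")"
  if has_private_key "$WORK/mongodb-test-server.crt"; then
    echo "unexpected: private key inside the .crt"
  else
    echo "mongodb-test-server.crt alone carries no key: mongod cannot start with it"
  fi
  verify_cert "$WORK/mongodb-test-server.pem" sslserver && echo "server chain OK" || echo "server chain FAILED"
  verify_cert "$WORK/mongodb-test-client.pem" sslclient && echo "client chain OK" || echo "client chain FAILED"
  echo "mongod --tlsMode requireTLS --tlsCertificateKeyFile $WORK/mongodb-test-server.pem --tlsCAFile $WORK/mongodb-test-ca.crt ..."
}

# Usage: sh make-test-pki.sh run   (files are left in $WORK for inspection)
if [ "${1:-}" = run ]; then main; fi
```

Run it with `sh make-test-pki.sh run`; the files stay in the temporary directory so the server PEM and the CA certificate can be copied into the pod and passed as --tlsCertificateKeyFile and --tlsCAFile. With only a root CA, --tlsCAFile is that single certificate; if you keep the intermediate CA from the question, sign the server certificate with the intermediate's key and give mongod the concatenated root+intermediate file as --tlsCAFile, as the question's final cat already does.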