In order for me to connect to this [secure] Mongo instance I have to run the following command:

```
mongo --ssl --host sampleHostname --sslPEMKeyFile /path/to/user.pem --sslCAFile /path/to/mongoca.cer --authenticationDatabase '$external' --authenticationMechanism=MONGODB-X509
```

I am trying to do a mongodump command to get the data but I keep running into the following errors:

Attempt 1

```
mongodump -d mydb
```

Failed: error connecting to db server: no reachable servers

Attempt 2: Can't create backup mongodump with --db. Authentication failed

```
mongodump -d mydb --authenticationDatabase '$external'
```

Failed: error connecting to db server: no reachable servers

Attempt 3: Using the same command as how I connect.

```
mongodump -d mydb --ssl --host sampleHostname --sslPEMKeyFile /path/to/user.pem --sslCAFile /path/to/mongoca.cer --authenticationDatabase '$external' --authenticationMechanism=MONGODB-X509
```

Failed: error getting collections for database 'mydb': error running 'listCollections'. Database: 'mydb' Err: not authorized on 'mydb' to execute command {listCollections: 1, cursor: {} }

I have tried the same command with sudo but it still returns the same error.

Attempt 4: Minimum permission for using mongodump (to dump a specific db)

```
mongodump -d mydb --ssl --host sampleHostname --sslPEMKeyFile /path/to/user.pem --sslCAFile /path/to/mongoca.cer --authenticationDatabase '$external' --authenticationMechanism=MONGODB-X509 --excludeCollection=system.indexes
```

Failed: error getting collections for database 'mydb': error running 'listCollections'. Database: 'mydb' Err: not authorized on 'mydb' to execute command {listCollections: 1, cursor: {} }

I am stuck, and I am eventually going to run mongorestore, but I do not want to run this without making sure I am able to back up first. I imagine the solution for mongodump will resolve any possible issues I may have with mongorestore (if any).

Joey
  • Shot in the dark, here, but have you tried `--sslAllowInvalidCertificates` or `--sslAllowInvalidHostnames`? – Adam Mar 24 '17 at 18:14
  • @Adam I just tried adding both headers (and each separately) but it still returns the same error: `Failed: error getting collections ... etc.` – Joey Mar 24 '17 at 19:00
  • Ok, thanks. Two more suggestions for debugging: 1) could you try to dump a specific collection within your db? Use the `--collection` flag. 2) I'm not very experienced with `--authenticationDatabase` so this may be a moot point, but could you make sure that the user has admin privileges? – Adam Mar 24 '17 at 19:14
  • The first point it gives back: `Failed: error counting mydb.fruits: not authorized on mydb to execute command { count: "fruits", query: { } }`. However, according to the admin db table `system.users` I have the `dbOwner` role. – Joey Mar 24 '17 at 19:45
  • Very weird. When you log in using `mongo --ssl --host sampleHostname --sslPEMKeyFile /path/to/user.pem --sslCAFile /path/to/mongoca.cer --authenticationDatabase '$external' --authenticationMechanism=MONGODB-X509` can you execute `mydb.fruits.find(yourQuery).count()`? – Adam Mar 24 '17 at 21:38
  • @Joey I suspect there is something wrong with your user's permissions; does it _definitely_ have the role _dbOwner_ for the _mydb_ database? Remember everything is case-sensitive. – Vince Bowdren Mar 25 '17 at 22:43
  • @Adam yeah that returns 25. – Joey Mar 27 '17 at 13:35
  • @VinceBowdren there are only 2 users in the system.users. An admin user with one role of `"userAdminAnyDatabase"` for the `admin` db and another user (me) who has 2 roles. A role of `"dbOwner"` for the `mydb` db and a `"readWrite"` for the `mydb` db. – Joey Mar 27 '17 at 13:38
  • @Joey I have the exact same problem, found no solution so far, any progress on your side? – jocelyn Apr 10 '17 at 15:04

1 Answer


I found the solution thanks to this blog post; it looks like you have to set the -u value with the CN when using 509 and $external.

```
mongodump --ssl --sslPEMKeyFile user.pem --sslCAFile cap.pem --sslAllowInvalidHostnames --authenticationMechanism=MONGODB-X509 --authenticationDatabase '$external' --host "rsTmpCloudManager/10.100.15.118:27017,10.100.16.237:27017,10.100.17.107:27017" -d testJoce -u "CN=???,OU=???,O=???,L=???,ST=???,C=??"
```
jocelyn
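The `-u` value in the answer above is the subject of the client certificate. One way to read it from the PEM and assemble the command, as an added example that is not part of the original answer: `x509_subject`, `mongodump_cmd` and `make_demo_pem` are hypothetical helper names, and the certificate is a throwaway with made-up subject values, constructed only for the demo.

```shell
#!/bin/sh
# Added example: derive the mongodump -u value from an X.509 client certificate.

# Print the certificate subject in RFC 2253 form (CN first, comma separated).
# Works on a combined key+certificate PEM: openssl reads the CERTIFICATE block.
x509_subject() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# Print the mongodump command for a PEM, CA file, host and database.
# Returns 1 when no subject can be read, so a bad path never yields "-u ''".
mongodump_cmd() {
    pem=$1 ca=$2 host=$3 db=$4
    subject=$(x509_subject "$pem")
    [ -n "$subject" ] || { echo "no certificate subject in $pem" >&2; return 1; }
    printf "mongodump --ssl --host %s --sslPEMKeyFile %s --sslCAFile %s" "$host" "$pem" "$ca"
    printf " --authenticationDatabase '\$external' --authenticationMechanism=MONGODB-X509"
    printf " -u '%s' -d %s\n" "$subject" "$db"
}

# Constructed demo input: a self-signed certificate with key and certificate in
# one file, the layout --sslPEMKeyFile expects. Prints the path of that file.
make_demo_pem() {
    dir=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/C=US/ST=NY/L=NYC/O=Example/OU=Ops/CN=backup-user" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null || return 1
    cat "$dir/key.pem" "$dir/cert.pem" > "$dir/user.pem"
    echo "$dir/user.pem"
}

# Host, CA path and database are the placeholder values used in the question.
demo_pem=$(make_demo_pem) &&
    mongodump_cmd "$demo_pem" /path/to/mongoca.cer sampleHostname mydb
```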