
I am trying to test a mongoDB installation with self signed certificates. I followed the instructions in the mongoDB documentation for creating the 'pem' files using the copy links on each page:

Appendix A - OpenSSL CA Certificate for Testing
Appendix B - OpenSSL Server Certificates for Testing
Appendix C - OpenSSL Client Certificates for Testing

I updated the /etc/mongod.conf as such:

# network interfaces
net:
  port: 27017
  bindIp: 0.0.0.0
  tls:
    mode: requireTLS
    certificateKeyFile: /etc/ssl/mongodb/test-server1.pem
    allowConnectionsWithoutCertificates: true
    allowInvalidHostnames: true
    allowInvalidCertificates: true
    CAFile: /etc/ssl/mongodb/mongodb-test-ca.crt

Originally I did not have the 'allow' options, but they do not make a difference, so I am leaving them in for now.

Running the mongodb shell results in this error:

root@ip-10-0-3-61:~/mongo-cert# mongo --tls --tlsCertificateKeyFile test-client.pem
MongoDB shell version v4.2.5
connecting to: mongodb://127.0.0.1:27017/?compressors=disabled&gssapiServiceName=mongodb
2020-04-17T17:07:25.809+0000 E  NETWORK  [js] SSL peer certificate validation failed: self signed certificate in certificate chain
2020-04-17T17:07:25.810+0000 E  QUERY    [js] Error: couldn't connect to server 127.0.0.1:27017, connection attempt failed: SSLHandshakeFailed: SSL peer certificate validation failed: self signed certificate in certificate chain :
connect@src/mongo/shell/mongo.js:341:17
@(connect):2:6
2020-04-17T17:07:25.812+0000 F  -        [main] exception: connect failed
2020-04-17T17:07:25.812+0000 E  -        [main] exiting with code 1
root@ip-10-0-3-61:~/mongo-cert#

If I add the '--tlsAllowInvalidCertificates' in the command it works:

root@ip-10-0-3-61:~/mongo-cert# mongo --tls --tlsCertificateKeyFile test-client.pem  --tlsAllowInvalidCertificates
MongoDB shell version v4.2.5
connecting to: mongodb://127.0.0.1:27017/?compressors=disabled&gssapiServiceName=mongodb
2020-04-17T17:09:18.934+0000 W  NETWORK  [js] SSL peer certificate validation failed: self signed certificate in certificate chain
Implicit session: session { "id" : UUID("3b0d0920-931d-4143-a8a2-afde432c1444") }
MongoDB server version: 4.2.5
>


I have read of other people who have followed the mongodb instructions successfully.

I just do not understand what I have done wrong.

1 Answer


You need to provide the CA file to mongo also (the --tlsCAFile option), in addition to the client certificate.

When full verification is enabled with TLS both server and client validate the other's certificate. This means both must have access to the CA cert used for signing the leaf certs.

D. SM
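The two outcomes in this thread (validation failing with "self signed certificate in certificate chain" when the client has no CA file, and succeeding once the CA is a trust anchor) can be reproduced outside MongoDB with openssl. The script below is an added example, not code from the question, the answer, or the MongoDB documentation; it builds a throwaway test CA and a client certificate in a temporary directory (constructed material, stand-ins for mongodb-test-ca.crt and test-client.pem) and assumes only that `openssl` is on PATH.

```shell
#!/bin/sh
# Added example (not from the question or the answer). Reproduces the
# chain-validation behaviour seen in the thread using openssl alone.
# Assumes `openssl` is on PATH; every key and certificate is generated here.

make_test_pki() {
    dir="$1"
    # Self-signed test CA: stand-in for mongodb-test-ca.crt (constructed).
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Test CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1
    # Client key and CSR, then a leaf cert signed by the CA:
    # stand-in for test-client.pem (constructed).
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=constructed-test-client" \
        -keyout "$dir/client.key" -out "$dir/client.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$dir/client.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/client.crt" >/dev/null 2>&1
}

# The CA is offered only as an *untrusted* chain element. That is what the
# mongo shell sees when it receives the server's chain but has no --tlsCAFile:
# the chain ends in a self-signed certificate that nothing trusts, so
# verification fails with "self signed certificate in certificate chain".
verify_without_trusted_ca() {
    openssl verify -untrusted "$1/ca.crt" "$1/client.crt" 2>&1
}

# Same chain, but the CA is supplied as a trust anchor, which is what
# --tlsCAFile does for the shell (and CAFile does for mongod).
verify_with_trusted_ca() {
    openssl verify -CAfile "$1/ca.crt" "$1/client.crt" 2>&1
}

demo() {
    tmp=$(mktemp -d)
    make_test_pki "$tmp"
    echo "--- CA present in the chain but not trusted (mirrors the shell error):"
    verify_without_trusted_ca "$tmp" || true
    echo "--- CA supplied as a trust anchor (mirrors --tlsCAFile):"
    verify_with_trusted_ca "$tmp"
    rm -rf "$tmp"
}

demo
```

The first verify fails even though the CA certificate is physically present in the chain, which is exactly the situation in the question: the shell was handed the client certificate and the server chain, but never told which root to trust. `--tlsAllowInvalidCertificates` makes the error disappear by skipping validation altogether (note the message is downgraded from `E` to `W` in the second transcript), which is not the same as trusting the right CA; the fix the answer gives is `mongo --tls --tlsCertificateKeyFile test-client.pem --tlsCAFile mongodb-test-ca.crt`, after which the `allow*` settings in mongod.conf can be dropped again.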