Uberspace / lab

The Uberlab provides various tutorials - written by you! - on how to run software and tools on Uberspace 7.
https://lab.uberspace.de

[MongoDB] Starting mongod with TLS now requires specifying a certificate authority #1756

Open nichtmax opened 5 months ago

nichtmax commented 5 months ago

See Issue

Probably setting tlsUseSystemCA to true does the trick.

remarcable commented 2 months ago

I've set the parameter as you suggested:

[program:mongodb]
command=mongod
  --dbpath %(ENV_HOME)s/mongodb
  --bind_ip 0.0.0.0
  --port 45500
  --auth
  --unixSocketPrefix %(ENV_HOME)s/mongodb
  --tlsMode requireTLS
  --setParameter tlsUseSystemCA=true
  --sslPEMKeyFile %(ENV_HOME)s/mongodb/%(ENV_USER)s.uber.space.pem
autostart=yes
autorestart=yes
# `startsecs` is set by Uberspace monitoring team, to prevent a broken service from looping
startsecs=30

But the client still doesn't connect with the following logs after running supervisorctl tail mongodb:

:"I",  "c":"NETWORK",  "id":22988,   "ctx":"conn100","msg":"Error receiving request from client. Ending connection from remote","attr":{"error":{"code":141,"codeName":"SSLHandshakeFailed","errmsg":"no SSL certificate provided by peer; connection rejected"},"remote":"193.190.242.4:27514","connectionId":100}}
{"t":{"$date":"2024-07-09T16:07:11.342+02:00"},"s":"I",  "c":"NETWORK",  "id":22944,   "ctx":"conn100","msg":"Connection ended","attr":{"remote":"193.190.242.4:27514","uuid":"cb4e820d-ddce-4cf0-97ae-448ccba0dc3b","connectionId":100,"connectionCount":0}}
{"t":{"$date":"2024-07-09T16:07:11.889+02:00"},"s":"I",  "c":"NETWORK",  "id":22943,   "ctx":"listener","msg":"Connection accepted","attr":{"remote":"193.190.242.4:2545","uuid":"8cf80756-06bb-4942-af59-f0e61c65d741","connectionId":101,"connectionCount":1}}
{"t":{"$date":"2024-07-09T16:07:11.939+02:00"},"s":"E",  "c":"NETWORK",  "id":23255,   "ctx":"conn101","msg":"No SSL certificate provided by peer; connection rejected"}
{"t":{"$date":"2024-07-09T16:07:11.939+02:00"},"s":"I",  "c":"NETWORK",  "id":22988,   "ctx":"conn101","msg":"Error receiving request from client. Ending connection from remote","attr":{"error":{"code":141,"codeName":"SSLHandshakeFailed","errmsg":"no SSL certificate provided by peer; connection rejected"},"remote":"193.190.242.4:2545","connectionId":101}}
{"t":{"$date":"2024-07-09T16:07:11.939+02:00"},"s":"I",  "c":"NETWORK",  "id":22944,   "ctx":"conn101","msg":"Connection ended","attr":{"remote":"193.190.242.4:2545","uuid":"8cf80756-06bb-4942-af59-f0e61c65d741","connectionId":101,"connectionCount":0}}

Does that mean I need to provide an SSL certificate while connecting? Or is it something else?

Edit: This Stack Overflow answer solved the problem for me. I didn't specify my own certificate – so adding the line --tlsAllowInvalidCertificates solved the issue:

[program:mongodb]
command=mongod
  --dbpath %(ENV_HOME)s/mongodb
  --bind_ip 0.0.0.0
  --port 45500
  --auth
  --unixSocketPrefix %(ENV_HOME)s/mongodb
  --tlsMode requireTLS
  --setParameter tlsUseSystemCA=true
  --tlsAllowConnectionsWithoutCertificates
  --sslPEMKeyFile %(ENV_HOME)s/mongodb/%(ENV_USER)s.uber.space.pem
autostart=yes
autorestart=yes
# `startsecs` is set by Uberspace monitoring team, to prevent a broken service from looping
startsecs=30
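As an added example (not part of this thread or the Uberlab project), a small Python check that parses the `command=` value of a supervisord program block like the ones above and flags the TLS conditions the thread ran into: a missing CA (the startup failure in the issue title), a CA configured without `--tlsAllowConnectionsWithoutCertificates` (cert-less clients rejected with `SSLHandshakeFailed`, code 141, as in the posted log), and the `--tlsAllowInvalidCertificates` flag named in the comment, which skips validation of client certificates rather than merely admitting clients that present none. The sample configs are constructed, and flags are assumed to be space-separated as in the posted config.

```python
import re
import shlex

# Constructed supervisord snippets (not taken from the thread): the posted fix,
# a variant using the flag the comment names instead, and one with no CA at all.
FIXED_CONF = """[program:mongodb]
command=mongod
  --dbpath %(ENV_HOME)s/mongodb
  --port 45500
  --auth
  --tlsMode requireTLS
  --setParameter tlsUseSystemCA=true
  --tlsAllowConnectionsWithoutCertificates
  --sslPEMKeyFile %(ENV_HOME)s/mongodb/%(ENV_USER)s.uber.space.pem
autostart=yes
"""
WEAK_CONF = FIXED_CONF.replace("--tlsAllowConnectionsWithoutCertificates",
                               "--tlsAllowInvalidCertificates")
NO_CA_CONF = FIXED_CONF.replace("  --setParameter tlsUseSystemCA=true\n", "")


def mongod_args(conf):
    """argv of the command= value, including supervisord's indented continuation lines."""
    m = re.search(r"^command=(.*(?:\n[ \t]+.*)*)", conf, re.M)
    if not m:
        raise ValueError("no command= line in program block")
    return shlex.split(m.group(1))


def audit_tls(args):
    """Return finding codes for a mongod argv; an empty list means nothing to flag."""
    # --ssl* flags are legacy aliases of --tls*; normalise so both spellings are caught.
    a = [x.replace("--ssl", "--tls", 1) if x.startswith("--ssl") else x for x in args]
    has = lambda flag: flag in a
    val = lambda flag: a[a.index(flag) + 1] if flag in a else None
    mode = (val("--tlsMode") or "disabled").replace("SSL", "TLS")
    set_params = {a[i + 1] for i, x in enumerate(a[:-1]) if x == "--setParameter"}
    has_ca = has("--tlsCAFile") or "tlsUseSystemCA=true" in set_params
    findings = []
    if mode == "disabled":
        return findings
    if not (has("--tlsCertificateKeyFile") or has("--tlsPEMKeyFile")):
        findings.append("missing-server-cert")
    if not has_ca:
        findings.append("missing-ca")  # mongod refuses to start without a CA (this issue)
    if has("--tlsAllowInvalidCertificates"):
        findings.append("weak-allow-invalid")  # presented client certs are not validated
    elif has_ca and not has("--tlsAllowConnectionsWithoutCertificates"):
        findings.append("client-cert-required")  # cert-less clients get SSLHandshakeFailed 141
    return findings
```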