Open gl00ten opened 9 years ago
One thing to note, when I created the .pem file, the instructions were for a local certificate:
"For testing purposes, you can generate a self-signed certificate and private key on a Unix system with a command that resembles the following"
from here: http://docs.mongodb.org/manual/tutorial/configure-ssl/
and my elasticsearch is on another machine (hosted on qbox).
Did you find a solution for this?
I think so, the solution became more apparent when we realized that instead of:
`mongo --host hostname --port 27000 --ssl --sslPEMKeyFile /etc/ssl/mongodb.pem`
one can just use:
`mongo --host hostname --port 27000 --ssl`
and SSL takes care of the negotiation, I think.
Then we just repeated the above, trusting SSL to do the same thing with river, and rechecked our firewall ports, and it seems to be working. Will test further tomorrow.
You had any advice?
I was just wondering if you could resolve the issue, as I am planning to set up SSL for MongoDB.
When you just use --ssl option, how does the mongod instance look for .pem file? Did you add sslPEMKeyFile property in mongod.conf?
`mongo` is the shell that connects to a running `mongod`. Don't confuse them. :)
As you can see above, I used the .pem file to run the `mongod` instances. But I'm not really sure why that is necessary, as I can then connect to them without referencing a .pem file.
I'm not sure how this is working in the background, but I imagine that with just using the `--ssl` parameter to connect to `mongod`, the peers trade their public keys before they start talking to each other. This seems true for both `mongo` and `elasticsearch-river-mongodb`.
I imagine that the .pem file is there so you can have your connection certified by a third party. But then again, that doesn't make much sense, because such a file is mandatory and not optional when starting a `mongod` with SSL enabled.
So to answer your questions: I'm not sure how or if `mongo` looks for the .pem file. I'm sure it can't do that from an external machine and it still works, so I'm guessing it doesn't actually use it. And no, I did not add a property to mongod.conf, although that may have been generated from my instantiation.
Of course this all has the fundamental problem that in this setup anyone can just `mongo --ssl` into my machine. <- (this issue is still open because of this)
Hope this helps you, I'm still a bit confused myself :)
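As an added illustration (not from this thread or the river project), the server-side setting that leaves the gap described above, next to the one that closes it. It assumes the YAML `mongod.conf` format of MongoDB 2.6 or later (the `allowConnectionsWithoutCertificates` key name is from 3.0); the file paths are placeholders.

```yaml
# Weak: what the thread describes. requireSSL only forces encryption.
# mongod presents /etc/ssl/mongodb.pem but asks nothing of the client,
# so any host that can reach the port can run "mongo --ssl" against it.
net:
  port: 27000
  ssl:
    mode: requireSSL
    PEMKeyFile: /etc/ssl/mongodb.pem   # server cert + key (placeholder path)

---
# Hardened: same encryption, plus mutual authentication. The CA that
# signed the server cert also signs the client certs; mongod now rejects
# any client that does not present a certificate chaining to that CA.
net:
  port: 27000
  ssl:
    mode: requireSSL
    PEMKeyFile: /etc/ssl/mongodb.pem   # server cert + key (placeholder path)
    CAFile: /etc/ssl/ca.pem            # CA bundle (placeholder path)
    allowConnectionsWithoutCertificates: false   # 3.0+ key name (assumption)
security:
  authorization: enabled               # certificates gate the transport,
                                       # users/roles still gate what a client may do

# The shell (and the river) must then supply the matching pieces:
#   mongo --host hostname --port 27000 --ssl \
#         --sslCAFile /etc/ssl/ca.pem --sslPEMKeyFile /etc/ssl/client.pem
# --sslCAFile also makes the shell verify the server certificate instead
# of trusting whatever key the peer happens to present.
```

With only the weak fragment, the `.pem` passed on the server side is just the identity `mongod` presents; nothing checks who connects, which is exactly the open problem above.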
@fullmooninu What's your sslMode for mongod? requireSSL, preferSSL or allowSSL?
@linusyong it's up there, requireSSL
So I created a certificate with these instructions:
http://docs.mongodb.org/manual/tutorial/configure-ssl/
In short:
I initiated my mongod processes
I successfully connected to them with the .pem file and
then inside `mongo` I initiated the replica set
and from a shell I configured my river with this:
But as expected it won't work because it doesn't have the .pem key. What do I do?