voxpupuli / puppet-mongodb

mongodb installation
Apache License 2.0
93 stars 451 forks source link

Creating Replsets,Database and Users with TLS #763

Open svbroeker opened 6 months ago

svbroeker commented 6 months ago

I've discoverd a problem with creating replicasets, databases and users when TLS is enabled and the certificates doesn't include 127.0.0.1 as name. The mongosh command is using 127.0.0.1 as host to connect but this is not working because the connection via tls doesn't work because the 127.0.0.1 isn't in.

This happens because the listening IPs are used for connections here: https://github.com/voxpupuli/puppet-mongodb/blob/f1affe420cbecbfe615eb25f41cc748384a317cc/lib/puppet/provider/mongodb.rb#L85 this works for nonTLS setups fine but with TLS it may break sometimes.

I think a solution can be that you can define the host for the mongosh to connect to mongodb. In my case it would help that he uses the fqdn to connect.

Error: /Stage[main]/Mongodb::Replset/Mongodb_replset[mongodb-standalone-cm12-dev]: Could not evaluate: Can't connect to any member of replicaset mongodb-standalone-cm12-dev. Error: Could not prefetch mongodb_database provider 'mongodb': Execution of '/usr/bin/mongosh admin --quiet --host 127.0.0.1:27017 --tls --tlsCertificateKeyFile /etc/ssl/mongo/server.pem --eval db.isMaster().ismaster' returned 1: MongoServerSelectionError: Hostname/IP does not match certificate's altnames: IP: 127.0.0.1 is not in the cert's list: I've now made the work around to set allowInvalidHostnames: true but thats not a good way to handle this.

svbroeker commented 6 months ago

I've an idea to fix this issue but i dont have the experience to know if that works for all cases.

  def self.conn_string
    config = mongo_conf
    bindip = config.fetch('bindip')
    if bindip
      first_ip_in_list = bindip.split(',').first
      ip_real = case first_ip_in_list
                when '0.0.0.0'
                  Facter.value(:fqdn)
                when %r{\[?::0\]?}
                  '::1'
                else
                  first_ip_in_list
                end
    end
stevenpost commented 4 months ago

Isn't this going to be an issue when auth is enabled, as the initial setup needs to happen using localhost? That was the reason I changed the code to how it is now.

stevenpost commented 4 months ago

FWIW, my script to create the certificates adds 127.0.0.1 for this reason. So not sure how to get around this.