zodern / meteor-up

Production Quality Meteor Deployment to Anywhere
http://meteor-up.com/
MIT License

Specifying a MongoDB tlsCAFile option #1277

Open SachaG opened 2 years ago

SachaG commented 2 years ago

I'm trying to connect to a DigitalOcean MongoDB instance, which requires providing a certificate file in the form of a tlsCAFile option added to the MONGO_URL connection string.

The issue is that I don't know where to put that file or how to reference it. I tried putting it in my DO instance's root directory but then got a permission denied, open '/root/ca-certificate.crt' error. I guess the app doesn't run as root when it needs to load that file, since it's inside a Docker container? How can I make this work?

SachaG commented 2 years ago

Any advice on this?

jamesgibson14 commented 2 years ago

Hi Sacha, I use mup as well and connect to DigitalOcean's new MongoDB, I store the cert in the meteor private folder: "private/DO-ca-certificate.crt", and then add to the settings file the following:

```json
"packages": {
    "mongo": {
      "options": {
        "tls": true,
        "tlsCAFileAsset": "DO-ca-certificate.crt"
      }
    }
  }
```

SachaG commented 2 years ago

Oh thanks! So if you do this you can drop the tlsCAFile option from the MONGO_URL env variable?

RobGordon406 commented 2 years ago

Hi James, Thanks for the info.

I'm also having an issue trying to get an existing application connecting to Digital Ocean MongoDB.

From a local shell, I can connect to the Mongo database using this command: `mongo "mongodb+srv://user:password@blah.mongo.ondigitalocean.com/admin?otherSettings" --tls --tlsCAFile /pathTo/ca-certificate.crt`

But I get this error when I try to run the application:

[screenshot of the error]

jamesgibson14 commented 2 years ago

Yeah, so I use this flag on the MONGO_URL: &tlsAllowInvalidCertificates=true and it seems to be the only thing that gets it to work. @RobGordon406 I am not sure if that will solve your specific issue. I have about 20 apps connect to DigitalOcean now, so it does work. Also if you are interested I use SolarWinds DPM ( VividCortex ) for monitoring the MongoDB, I had to work with their tech support to get the monitoring working because of the TLS but we did get it eventually.

RobGordon406 commented 2 years ago

@jamesgibson14 Thanks - &tlsAllowInvalidCertificates=true did the trick!

arggh commented 2 years ago

I'm trying to test the tlsCAFileAsset setting, and running the app locally with meteor it seems to work. However, when deploying the app (running Meteor 2.6.1, Mup version 1.5.5) with mup, I get:

```
2022-03-14 23:25:07 | path: '/built_app/programs/server/assets/app/ca.pem'
2022-03-14 23:25:07 | code: 'ENOENT',
2022-03-14 23:25:07 | syscall: 'open',
2022-03-14 23:25:07 | errno: -2,
2022-03-14 23:25:07 | at module (packages/test:logger/server.js:1:743) {
2022-03-14 23:25:07 | at Module.moduleLink [as link] (/built_app/programs/server/npm/node_modules/meteor/modules/node_modules/@meteorjs/reify/lib/runtime/index.js:52:22)
2022-03-14 23:25:07 | at Module.require (packages/modules-runtime.js:238:14)
2022-03-14 23:25:07 | at fileEvaluate (packages/modules-runtime.js:336:7)
2022-03-14 23:25:07 | at module (packages/test:logger/collection.js:3:21)
2022-03-14 23:25:07 | at new Collection (packages/mongo/collection.js:106:40)
2022-03-14 23:25:07 | at Object.defaultRemoteCollectionDriver (packages/underscore.js:784:19)
2022-03-14 23:25:07 | at Object.<anonymous> (packages/mongo/remote_collection_driver.js:37:10)
2022-03-14 23:25:07 | at new MongoInternals.RemoteCollectionDriver (packages/mongo/remote_collection_driver.js:4:16)
2022-03-14 23:25:07 | at new MongoConnection (packages/mongo/mongo_driver.js:184:3)
2022-03-14 23:25:07 | at new MongoClient (/built_app/programs/server/npm/node_modules/meteor/npm-mongo/node_modules/mongodb/lib/mongo_client.js:62:63)
2022-03-14 23:25:07 | at parseOptions (/built_app/programs/server/npm/node_modules/meteor/npm-mongo/node_modules/mongodb/lib/connection_string.js:296:9)
2022-03-14 23:25:07 | at setOption (/built_app/programs/server/npm/node_modules/meteor/npm-mongo/node_modules/mongodb/lib/connection_string.js:432:36)
2022-03-14 23:25:07 | at transform (/built_app/programs/server/npm/node_modules/meteor/npm-mongo/node_modules/mongodb/lib/connection_string.js:917:23)
2022-03-14 23:25:07 | at Object.readFileSync (fs.js:393:35)
2022-03-14 23:25:07 | at Object.openSync (fs.js:497:3)
2022-03-14 23:25:07 | Error: ENOENT: no such file or directory, open '/built_app/programs/server/assets/app/ca.pem'
```

EDIT: It seems the problem could be that the package test:logger is trying to create a Mongo collection, but since packages cannot access assets outside of the package itself, it fails to find the required certificate file. However, I can't get rid of the error by simply deleting any Mongo-related code from the test:logger package. I still get the errors from packages/test:logger/collection.js, which now no longer exists in the code base. I tried removing all temp builds from the cache and deleting .meteor/local, but that didn't help 🤷

promentol commented 2 years ago

tlsAllowInvalidCertificates=true is not working anymore!!! Digital Ocean has started to always require a working file.

@jamesgibson14, do you have any workaround by a chance?

jamesgibson14 commented 2 years ago

It is still working for me.