Hello Guys,
For three days I have been fighting with a TLS setup for MongoDB. I am running a mongo 7 Docker image on my Windows PC for local development and want to have a working setup for production deployment later.
My problem is that I have set up a private key and certificate for the MongoDB itself and created a CA on top.
I have tried many variations of permissions, but not a single one of my tries seems to work for me.
The following 3 lines I get in the MongoDB log files before the Docker container stops working:
{"t":{"$date":"2023-09-07T20:47:52.530+00:00"},"s":"I", "c":"CONTROL", "id":20698, "ctx":"main","msg":"***** SERVER RESTARTED *****"}
{"t":{"$date":"2023-09-07T20:47:52.534+00:00"},"s":"E", "c":"NETWORK", "id":23251, "ctx":"main","msg":"Cannot read PEM key","attr":{"keyFile":"/certificates/mongodb-cert.pem","error":"error:00000000:lib(0)::reason(0)"}}
{"t":{"$date":"2023-09-07T20:47:52.535+00:00"},"s":"F", "c":"CONTROL", "id":20574, "ctx":"main","msg":"Error during global initialization","attr":{"error":{"code":140,"codeName":"InvalidSSLConfiguration","errmsg":"Can not set up PEM key file."}}}
Is there anyone who can help me with a working solution?
This is my mongod.conf:
security:
  authorization: enabled
  keyFile: /certificates/mongodb-key.pem # Path to your private key
  clusterAuthMode: x509
net:
  port: 27017
  bindIp: 0.0.0.0
  tls:
    mode: requireTLS
    certificateKeyFile: /certificates/mongodb-cert.pem # Path to your certificate
    certificateKeyFilePassword: "secret"
    CAFile: /certificates/ca-cert.pem
systemLog:
  destination: file
  path: /var/log/mongodb/mongod.log
  logAppend: true
And here is the docker-compose.yml:
version: "3.8"
services:
  node_1:
    hostname: node_1
    container_name: mongodb_node_1
    image: mongo:7
    restart: "no"   # quoted: a bare no is parsed as the YAML boolean false
    expose:
      - 27017
    ports:
      - "27010:27017"
    networks:
      - private
    user: "mongodb"
    environment:
      - "MONGO_INITDB_ROOT_USERNAME=admin"
      - "MONGO_INITDB_ROOT_PASSWORD=secret"
    volumes:
      - .\node_1:/data/db
      - .\node_1_logs:/var/log/mongodb
      - .\mongod.conf:/etc/mongod.conf:ro
      - .\ca:/certificates
    #entrypoint: [ "/usr/bin/mongod", "--config", "/etc/mongod.conf" ]
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=traefik_network"
      - "traefik.tcp.routers.mongo-n1.rule=HostSNI(`mongo-n1.domain.local`)"
      - "traefik.tcp.routers.mongo-n1.entrypoints=mongo"
      - "traefik.tcp.routers.mongo-n1.service=mongo-n1"
      - "traefik.tcp.services.mongo-n1.loadbalancer.server.port=27017"
      - "traefik.tcp.routers.mongo-n1.tls.passthrough=true"
networks:
  private:
    external: true
    name: traefik_network
And this is the way I've created my self-signed certificates:
# Generate Certificate
openssl req -x509 -newkey rsa:4096 -keyout /certificates/mongodb-key.pem -out /certificates/mongodb-cert.pem -days 365 -subj "$KGP" -passout "pass:$PW"
# Generate CA
openssl genpkey -algorithm RSA -out /certificates/ca-key.pem
openssl req -new -x509 -key /certificates/ca-key.pem -out /certificates/ca-cert.pem -subj "$KGP"
# Change Permissions
chown mongodb:mongodb /certificates/*.pem
chmod 400 /certificates/*.pem
I hope you guys can help me.
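The log line in the post names the cause: mongod tries to read a private key out of /certificates/mongodb-cert.pem, and that file only holds a certificate. net.tls.certificateKeyFile must be a single PEM containing the private key followed by the certificate; the openssl command above writes them to two separate files. Two more things in the posted setup will bite once that is fixed: the server certificate is created with `req -x509`, so it is self-signed rather than signed by the CA in CAFile, and security.keyFile is the shared-secret keyfile used for cluster membership authentication, not a TLS private key. The script below is an added example, not code from the original post, that generates a private CA, a CA-signed server certificate with a subjectAltName, the combined key+cert bundle, and a mongod.conf pointing at it, and then checks the result with openssl before anything is mounted into the container. The hostname mongo-n1.domain.local is taken from the Traefik label in the post; the subject O/OU values, the output file names and the function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the original post. Builds the TLS files the way mongod
# expects them and verifies them offline with openssl.
# Assumptions: hostname from the post's Traefik label; O/OU, file names and
# function names are illustrative.
set -eu

# make_mongo_tls_bundle DIR HOSTNAME KEYPASS
#   DIR/ca-key.pem, DIR/ca-cert.pem : private CA (the only self-signed cert)
#   DIR/mongodb-key.pem             : server key, encrypted with KEYPASS
#   DIR/mongodb-cert.pem            : server cert signed by the CA
#   DIR/mongodb.pem                 : key + cert in one file -> certificateKeyFile
make_mongo_tls_bundle() {
  dir=$1; host=$2; pw=$3
  mkdir -p "$dir"

  # 1. CA key and self-signed CA certificate with explicit CA extensions.
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$dir/ca-key.pem" 2>/dev/null
  openssl req -new -key "$dir/ca-key.pem" -subj "/CN=Local MongoDB CA/O=Example" -out "$dir/ca.csr"
  printf 'basicConstraints = critical, CA:TRUE\nkeyUsage = critical, keyCertSign, cRLSign\n' > "$dir/ca.ext"
  openssl x509 -req -in "$dir/ca.csr" -signkey "$dir/ca-key.pem" -days 3650 -sha256 \
    -extfile "$dir/ca.ext" -out "$dir/ca-cert.pem" 2>/dev/null

  # 2. Server key, passphrase-protected: this is what certificateKeyFilePassword unlocks.
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -aes-256-cbc -pass "pass:$pw" -out "$dir/mongodb-key.pem" 2>/dev/null

  # 3. CSR, no -x509 here: with -x509 the result is self-signed and CAFile cannot validate it.
  openssl req -new -key "$dir/mongodb-key.pem" -passin "pass:$pw" \
    -subj "/CN=$host/O=Example/OU=mongodb-cluster" -out "$dir/mongodb.csr"

  # 4. Sign with the CA. SAN must match the name clients connect to (CN alone is not
  #    enough for modern drivers); clientAuth is added because the same cert is also
  #    presented as a cluster member under clusterAuthMode x509.
  printf 'subjectAltName = DNS:%s\nkeyUsage = digitalSignature, keyEncipherment\nextendedKeyUsage = serverAuth, clientAuth\n' \
    "$host" > "$dir/mongodb.ext"
  openssl x509 -req -in "$dir/mongodb.csr" -CA "$dir/ca-cert.pem" -CAkey "$dir/ca-key.pem" \
    -CAcreateserial -days 365 -sha256 -extfile "$dir/mongodb.ext" -out "$dir/mongodb-cert.pem" 2>/dev/null

  # 5. The file mongod actually wants: private key and certificate in ONE PEM.
  cat "$dir/mongodb-key.pem" "$dir/mongodb-cert.pem" > "$dir/mongodb.pem"
  rm -f "$dir/ca.csr" "$dir/ca.ext" "$dir/mongodb.csr" "$dir/mongodb.ext"
}

# pem_block_count FILE -> number of PEM blocks; a usable bundle has 2 (key + cert).
pem_block_count() {
  grep -c -e '-----BEGIN' "$1"
}

# verify_mongo_tls_bundle DIR HOSTNAME KEYPASS -> 0 only if mongod would accept the files.
verify_mongo_tls_bundle() {
  dir=$1; host=$2; pw=$3
  [ "$(pem_block_count "$dir/mongodb.pem")" -eq 2 ] \
    || { echo "bundle must hold key + cert" >&2; return 1; }
  # key decrypts with the configured password and matches the certificate
  pub_from_key=$(openssl pkey -in "$dir/mongodb.pem" -passin "pass:$pw" -pubout 2>/dev/null) \
    || { echo "key does not decrypt with the given password" >&2; return 1; }
  pub_from_cert=$(openssl x509 -in "$dir/mongodb-cert.pem" -noout -pubkey)
  [ "$pub_from_key" = "$pub_from_cert" ] || { echo "key/cert mismatch" >&2; return 1; }
  # certificate chains to CAFile and is not merely self-signed
  openssl verify -CAfile "$dir/ca-cert.pem" "$dir/mongodb-cert.pem" >/dev/null 2>&1 \
    || { echo "cert is not signed by the CA" >&2; return 1; }
  [ "$(openssl x509 -in "$dir/mongodb-cert.pem" -noout -subject)" != \
    "$(openssl x509 -in "$dir/mongodb-cert.pem" -noout -issuer)" ] \
    || { echo "cert is self-signed" >&2; return 1; }
  # SAN covers the hostname clients will use
  openssl x509 -in "$dir/mongodb-cert.pem" -noout -text | grep -q "DNS:$host" \
    || { echo "missing SAN for $host" >&2; return 1; }
}

# write_mongod_conf DIR KEYPASS -> DIR/mongod.conf whose TLS section points at the bundle.
write_mongod_conf() {
  cat > "$1/mongod.conf" <<EOF
security:
  authorization: enabled
  clusterAuthMode: x509   # no security.keyFile: that is a shared-secret keyfile, not a TLS key
net:
  port: 27017
  bindIp: 0.0.0.0
  tls:
    mode: requireTLS
    certificateKeyFile: /certificates/mongodb.pem   # key + cert in one file
    certificateKeyFilePassword: "$2"
    CAFile: /certificates/ca-cert.pem
EOF
}

if [ "$#" -ge 3 ]; then   # e.g.: sh make-bundle.sh ./ca mongo-n1.domain.local secret
  make_mongo_tls_bundle "$1" "$2" "$3"
  verify_mongo_tls_bundle "$1" "$2" "$3" && write_mongod_conf "$1" "$3" && echo "bundle OK"
fi
```

Run it as `sh make-bundle.sh ./ca mongo-n1.domain.local secret`, mount ./ca as /certificates and start mongod with `command: ["--config", "/etc/mongod.conf"]` rather than overriding the entrypoint, so the image's docker-entrypoint.sh still handles MONGO_INITDB_ROOT_USERNAME/PASSWORD. The strict file-mode check mongod performs is for security.keyFile; the "Cannot read PEM key" error is about the file's content, not its permissions, which is why the chmod/chown variations in the post made no difference.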