I am trying to set up a standalone mongod server using X509 and then connect to it from mongo shell. Below is a description of what I do. It all goes well up to a certain point, but when I reach the time to launch mongo shell, troubles show up. Since I am no mongodb expert and neither am I an openssl guru, I may well be making some basic mistake on the way. I hope someone with more experience will take a look and shed some light on the issue.
The root CA certificate (RootCA.pem) is created here, using:
$ openssl req -x509 -newkey rsa:4096 -days 3653 -keyout RootCA.key.pem -out RootCA.pem -subj /C=US/ST=NY/O=RootCA
Then an intermediate certificate (IntermedCA.pem) is created, using:
$ openssl req -config openssl.cnf -new -newkey rsa:4096 -nodes -keyout IntermedCA.key.pem -out IntermedCA.req.pem -subj /C=US/ST=DC/O=IntermedCA
$ openssl x509 -req -days 1096 -in IntermedCA.req.pem -CA RootCA.pem -CAkey RootCA.key.pem -extfile openssl.cnf -extensions v3_ca -set_serial 01 -out IntermedCA.pem
A server certificate (Server.pem) is created, using:
$ openssl req -new -newkey rsa:4096 -nodes -keyout Server.key.pem -out Server.req.pem -subj /C=US/ST=CA/O=ServerCA
$ openssl x509 -req -days 365 -in Server.req.pem -CA IntermedCA.pem -CAkey IntermedCA.key.pem -extensions v3_ca -set_serial 01 -out Server.pem
A client certificate (Client.pem) is created, using:
$ openssl req -new -newkey rsa:4096 -nodes -keyout Client.key.pem -out Client.req.pem -subj /C=US/ST=MA/O=ClientCA
$ openssl x509 -req -days 365 -in Client.req.pem -CA IntermedCA.pem -CAkey IntermedCA.key.pem -extensions v3_ca -set_serial 01 -out Client.pem
The trust chain (TrustChain.pem) for the verification is created, using:
$ cat IntermedCA.pem RootCA.pem > TrustChain.pem
We must then create a certificate of an adequate shape for mongod to work, using:
$ cat Server.key.pem Server.pem > Server.cert
The order of Server.key.pem and Server.pem in the command above does not matter.
The mongod server can then be launched using:
$ mongod --tlsMode requireTLS --tlsCertificateKeyFile Server.cert --tlsCAFile IntermedCA.pem --dbpath /mnt/mongoDB-One/DB_X509 --logpath /mnt/mongoDB-One/DB_X509/mongod.log --fork
Up to this point, all seems to be working perfectly, as far as I can see.
To check, I run:
$ ps -ef | grep mongod
ubuntu 2142 1 1 13:39 ? 00:00:31 mongod --tlsMode requireTLS --tlsCertificateKeyFile Server.cert --tlsCAFile IntermedCA.pem --dbpath /mnt/mongoDB-One/DB_X509 --logpath /mnt/mongoDB-One/DB_X509/mongod.log --fork
ubuntu 2365 2124 0 14:14 pts/0 00:00:00 grep --color=auto mongod
$
and also:
$ sudo netstat -tulpn | grep mongod
tcp 0 0 127.0.0.1:27017 0.0.0.0:* LISTEN 2142/mongod
$
Then I do for the client the same as I did for the server:
$ cat Client.key.pem Client.pem > Client.cert
And then I try to launch mongo shell, using:
$ mongo --tls --tlsCertificateKeyFile Client.cert --tlsCAFile IntermedCA.pem
MongoDB shell version v4.4.2
connecting to: mongodb://127.0.0.1:27017/?compressors=disabled&gssapiServiceName=mongodb
{"t":{"$date":"2021-01-10T14:18:31.198Z"},"s":"E", "c":"NETWORK", "id":23256, "ctx":"js","msg":"SSL peer certificate validation failed","attr":{"error":"SSL peer certificate validation failed: unable to get issuer certificate"}}
Error: couldn't connect to server 127.0.0.1:27017, connection attempt failed: SSLHandshakeFailed: SSL peer certificate validation failed: unable to get issuer certificate :
connect@src/mongo/shell/mongo.js:374:17
@(connect):2:6
exception: connect failed
exiting with code 1
$
As one can see, this last command fails.
And this is the log:
$ tail -3 /mnt/mongoDB-One/DB_X509/mongod.log
{"t":{"$date":"2021-01-10T14:18:31.201+00:00"},"s":"E", "c":"NETWORK", "id":23256, "ctx":"conn6","msg":"SSL peer certificate validation failed","attr":{"error":"SSL peer certificate validation failed: unable to get issuer certificate"}}
{"t":{"$date":"2021-01-10T14:18:31.201+00:00"},"s":"I", "c":"NETWORK", "id":22988, "ctx":"conn6","msg":"Error receiving request from client. Ending connection from remote","attr":{"error":{"code":141,"codeName":"SSLHandshakeFailed","errmsg":"SSL peer certificate validation failed: unable to get issuer certificate"},"remote":"127.0.0.1:58650","connectionId":6}}
{"t":{"$date":"2021-01-10T14:18:31.201+00:00"},"s":"I", "c":"NETWORK", "id":22944, "ctx":"conn6","msg":"Connection ended","attr":{"remote":"127.0.0.1:58650","connectionId":6,"connectionCount":0}}
$
One last detail which may be useful:
Running this command:
$ openssl verify -CAfile TrustChain.pem X
where X is in the set {Server.pem, Server.cert, Client.pem, Client.cert, IntermedCA.pem, RootCA.pem}, always returns:
X: OK
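Added check, not part of the poster's commands: the script below rebuilds the same root -> intermediate -> client hierarchy in a scratch directory (same file names as the post, RSA-2048 keys for speed, and a constructed openssl.cnf so `req` runs non-interactively and the CA certificates carry basicConstraints CA:TRUE) and then runs `openssl verify` on Client.pem three ways: with TrustChain.pem as the CA file, with IntermedCA.pem alone, and with IntermedCA.pem alone plus `-partial_chain`. It assumes `openssl` (1.1.1 or newer) on PATH and a writable temp directory.

```shell
#!/bin/sh
# Added example (not from the original post): which CA file lets OpenSSL walk the
# chain Client.pem -> IntermedCA.pem -> RootCA.pem. "unable to get issuer
# certificate" is OpenSSL's wording for "I reached a certificate whose issuer is
# not in the CA file, and the certificate I stopped at is not a self-signed anchor".
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Constructed config: non-interactive req, CA:TRUE for the CA certs (as the post's
# -extensions v3_ca does), CA:FALSE plus clientAuth for the leaf.
cat > openssl.cnf <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ v3_leaf ]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = clientAuth
EOF

# Root CA (self-signed).
openssl req -config openssl.cnf -x509 -newkey rsa:2048 -nodes -days 30 \
  -keyout RootCA.key.pem -out RootCA.pem -subj /C=US/ST=NY/O=RootCA

# Intermediate CA, signed by the root.
openssl req -config openssl.cnf -new -newkey rsa:2048 -nodes \
  -keyout IntermedCA.key.pem -out IntermedCA.req.pem -subj /C=US/ST=DC/O=IntermedCA
openssl x509 -req -days 30 -in IntermedCA.req.pem -CA RootCA.pem -CAkey RootCA.key.pem \
  -extfile openssl.cnf -extensions v3_ca -set_serial 01 -out IntermedCA.pem

# Client leaf, signed by the intermediate.
openssl req -config openssl.cnf -new -newkey rsa:2048 -nodes \
  -keyout Client.key.pem -out Client.req.pem -subj /C=US/ST=MA/O=ClientCA
openssl x509 -req -days 30 -in Client.req.pem -CA IntermedCA.pem -CAkey IntermedCA.key.pem \
  -extfile openssl.cnf -extensions v3_leaf -set_serial 02 -out Client.pem

# Same chain file as the post.
cat IntermedCA.pem RootCA.pem > TrustChain.pem

# verify_with CAFILE CERT [extra openssl verify flags]
# Uses only CAFILE as trust material (-no-CAfile/-no-CApath keep the system store
# out of the picture). Returns openssl's status: 0 = chain built to a trusted
# anchor, non-zero = it could not.
verify_with() {
  cafile=$1; cert=$2; shift 2
  if out=$(openssl verify -CAfile "$cafile" -no-CAfile -no-CApath "$@" "$cert" 2>&1); then
    echo "$cafile + $cert: OK"
    return 0
  else
    echo "$cafile + $cert: FAILED ($(printf '%s' "$out" | tr '\n' ' '))"
    return 1
  fi
}

echo "--- CA file = full chain (what the post's openssl verify test uses) ---"
verify_with TrustChain.pem Client.pem
echo "--- CA file = intermediate only (what the post hands to --tlsCAFile) ---"
verify_with IntermedCA.pem Client.pem || true
echo "--- CA file = intermediate only, but explicitly accepted as an anchor ---"
verify_with IntermedCA.pem Client.pem -partial_chain
```

The second case prints the same `unable to get issuer certificate` text that appears in the shell output and in mongod.log above: a CA file holding only IntermedCA.pem lets OpenSSL step from the leaf to the intermediate, but the intermediate's own issuer (RootCA) is nowhere to be found and IntermedCA.pem is not self-signed, so the chain never terminates. The post's `openssl verify` experiment succeeds because it uses TrustChain.pem, while both `mongod --tlsCAFile` and `mongo --tlsCAFile` are given IntermedCA.pem; the third case shows that trusting an intermediate on its own is possible only when the verifier is told explicitly to accept a partial chain, which is not what a plain CA-file setting does.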