Hey there,
I’ve been able to set up my MongoDB server on GCP and as far as I can tell it should be fully secured via a TLS certificate created via Let’s Encrypt & certbot, but for some reason I’m still able to connect without supplying any TLS certificate…
My /etc/mongod.conf file looks like this:
# mongod.conf

# for documentation of all options, see:
#   http://docs.mongodb.org/manual/reference/configuration-options/

# Where and how to store data.
storage:
  dbPath: /var/lib/mongodb
#  engine:
#  wiredTiger:

# where to write logging data.
systemLog:
  destination: file
  logAppend: true
  path: /var/log/mongodb/mongod.log

# network interfaces
net:
  port: 27017
  bindIpAll: true
  tls:
    mode: requireTLS
    certificateKeyFile: /etc/ssl/mongo.pem
    allowInvalidCertificates: false
    allowInvalidHostnames: false
    allowConnectionsWithoutCertificates: false

# how the process runs
processManagement:
  timeZoneInfo: /usr/share/zoneinfo

security:
  authorization: enabled

#operationProfiling:

#replication:

#sharding:

## Enterprise-Only Options:

#auditLog:

#snmp:
I’ve got the security.authorization enabled, the tls.mode set to requireTLS, I’m explicitly disallowing invalid certificates, hostnames or connections without certificates, yet I can still access my server both on the server itself and externally from my home network without any issues if I simply use the command: mongosh --tls --tlsAllowInvalidHostnames 1.2.3.4
What am I missing here? Why isn’t my server refusing these connections? I can at least confirm that I’m not able to do much until I run db.auth() to login to a user but still, I shouldn’t even be able to get connected without a certificate… How do I resolve this?
My mongod version is v6.0.3 and the mongosh version is 1.6.1, I’m running a VM inside GCP with Debian GNU/Linux 11
Greets,
Miley
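
An added example, not part of the original post and not MongoDB tooling: a small audit of the TLS settings in a mongod.conf like the one above. It assumes, per MongoDB's documented client-certificate validation setup, that mongod needs net.tls.CAFile to verify client certificates; the function names and the embedded sample are constructed for illustration.

```python
# Added example: minimal audit of mongod.conf TLS settings (assumption-based sketch).
# Constructed sample: the net/security sections from the post, indentation restored.
SAMPLE_CONF = """\
net:
  port: 27017
  bindIpAll: true
  tls:
    mode: requireTLS
    certificateKeyFile: /etc/ssl/mongo.pem
    allowInvalidCertificates: false
    allowInvalidHostnames: false
    allowConnectionsWithoutCertificates: false
security:
  authorization: enabled
"""

def flatten(conf_text):
    """Flatten nested 'key: value' mappings into dotted keys (handles mappings only)."""
    flat, stack = {}, []  # stack: (indent, key) of each enclosing mapping
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments and trailing spaces
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack and stack[-1][0] >= indent:
            stack.pop()  # leave mappings this line is not nested under
        if value.strip():
            flat[".".join([k for _, k in stack] + [key])] = value.strip().strip("'\"")
        else:
            stack.append((indent, key))
    return flat

def audit_client_cert_enforcement(conf_text):
    """Return findings that explain why certificate-less clients may still connect."""
    c = flatten(conf_text)
    def enabled(k):
        return c.get(k, "false").lower() == "true"
    findings = []
    if c.get("net.tls.mode") != "requireTLS":
        findings.append("net.tls.mode is not requireTLS")
    if "net.tls.CAFile" not in c:  # assumption: CAFile is what enables client validation
        findings.append("net.tls.CAFile is unset: no CA to validate client certificates against")
    if enabled("net.tls.allowConnectionsWithoutCertificates"):
        findings.append("allowConnectionsWithoutCertificates is true")
    if enabled("net.tls.allowInvalidCertificates"):
        findings.append("allowInvalidCertificates is true")
    return findings

if __name__ == "__main__":
    for finding in audit_client_cert_enforcement(SAMPLE_CONF):
        print("FINDING:", finding)
```

The parser handles only the nested key/value mappings that mongod.conf uses, not general YAML.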