requireTLS doesn't seem to actually require it

Hey there,

I’ve been able to set up my MongoDB server on GCP and as far as I can tell it should be fully secured via a TLS certificate created via Let’s Encrypt & certbot, but for some reason I’m still able to connect without supplying any TLS certificate…

My /etc/mongod.conf file looks like this

# mongod.conf

# for documentation of all options, see:
#   http://docs.mongodb.org/manual/reference/configuration-options/

# Where and how to store data.
storage:
  dbPath: /var/lib/mongodb
#  engine:
#  wiredTiger:

# where to write logging data.
systemLog:
  destination: file
  logAppend: true
  path: /var/log/mongodb/mongod.log

# network interfaces
net:
  port: 27017
  bindIpAll: true
  tls:
    mode: requireTLS
    certificateKeyFile: /etc/ssl/mongo.pem
    allowInvalidCertificates: false
    allowInvalidHostnames: false
    allowConnectionsWithoutCertificates: false

# how the process runs
processManagement:
  timeZoneInfo: /usr/share/zoneinfo

security:
  authorization: enabled

#operationProfiling:

#replication:

#sharding:

## Enterprise-Only Options:

#auditLog:

#snmp:

I’ve got security.authorization enabled and tls.mode set to requireTLS, and I’m explicitly disallowing invalid certificates, hostnames or connections without certificates, yet I can still access my server, both on the server itself and externally from my home network, without any issues if I simply use the command mongosh --tls --tlsAllowInvalidHostnames 1.2.3.4

What am I missing here? Why isn’t my server refusing these connections? I can at least confirm that I’m not able to do much until I run db.auth() to login to a user but still, I shouldn’t even be able to get connected without a certificate… How do I resolve this?

My mongod version is v6.0.3 and the mongosh version is 1.6.1. I’m running a VM inside GCP with Debian GNU/Linux 11.

Greets,
Miley

Small update,

I’ve added CAFile: /etc/ssl/mongoCA.pem to my conf file and this CA was generated via

cat /etc/letsencrypt/live/[domain]/chain.pem >> /etc/ssl/mongoCA.crt

according to this. It’s now at least rejecting the connections without any certificate, but when I try to connect I get the following error:

MongoServerSelectionError: unable to get issuer certificate

And when I try to connect with the command

mongosh --tls --tlsCertificateKeyFile /etc/ssl/mongo.pem --tlsCertificateSelector

I get the error

MongoServerSelectionError: Hostname/IP does not match certificate's altnames: IP: 127.0.0.1 is not in the cert's list:

This doesn’t seem to get fixed by adding --host [domain] to the command; then it simply waits and closes the connection.
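An added check, not part of Miley’s post or of MongoDB’s own tooling: a small Python audit of the net.tls block that flags the gap behind both parts of the thread, namely that allowConnectionsWithoutCertificates: false only takes effect once net.tls.CAFile gives mongod a CA to validate client certificates against, which is why adding the CA file is what made the server start rejecting certificate-less clients. The parser handles only the key/value subset of YAML that mongod.conf uses, and the embedded configs are constructed from the post.

```python
def parse_conf(text):
    """Parse the YAML subset mongod.conf uses: nested maps of 'key: value', '#' comments, no lists."""
    stack = [(-1, {})]  # (indent, mapping) for each block still open; stack[0] is the root
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments and trailing whitespace
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = (part.strip() for part in line.partition(":"))
        while stack[-1][0] >= indent:  # leave blocks that do not enclose this line
            stack.pop()
        parent = stack[-1][1]
        if value == "":  # a bare 'key:' opens a nested mapping
            parent[key] = {}
            stack.append((indent, parent[key]))
        else:
            parent[key] = {"true": True, "false": False}.get(value, value)
    return stack[0][1]

def audit_tls(conf):
    """Return findings about the TLS settings; an empty list means they hang together."""
    tls = conf.get("net", {}).get("tls", {})
    findings = []
    if tls.get("mode") != "requireTLS":
        findings.append("net.tls.mode is not requireTLS: unencrypted connections are accepted")
    if "CAFile" not in tls:  # without a CA, mongod has nothing to validate client certificates against
        findings.append("net.tls.CAFile missing: allowConnectionsWithoutCertificates: false has no effect")
    elif tls.get("allowConnectionsWithoutCertificates") is True:
        findings.append("allowConnectionsWithoutCertificates: true lets clients connect without a certificate")
    for flag in ("allowInvalidCertificates", "allowInvalidHostnames"):
        if tls.get(flag) is True:
            findings.append(f"net.tls.{flag}: true weakens certificate validation")
    if conf.get("security", {}).get("authorization") != "enabled":
        findings.append("security.authorization is not enabled: any connection gets full access")
    return findings

# Constructed sample: the net and security sections from the post, then the same text with CAFile added.
ORIGINAL_CONF = """\
net:
  tls:
    mode: requireTLS
    certificateKeyFile: /etc/ssl/mongo.pem
    allowInvalidCertificates: false
    allowInvalidHostnames: false
    allowConnectionsWithoutCertificates: false
security:
  authorization: enabled
"""
FIXED_CONF = ORIGINAL_CONF.replace("    mode: requireTLS\n", "    mode: requireTLS\n    CAFile: /etc/ssl/mongoCA.pem\n")
```

Running audit_tls(parse_conf(ORIGINAL_CONF)) reports only the missing CAFile, and the same call on FIXED_CONF reports nothing.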