Unable to Connect to MongoDB with TLS and Authentication

Issue: Unable to Connect to MongoDB with TLS and Authentication

MongoDB Setup:

I’m running MongoDB in a Docker container, and I’ve enabled TLS/SSL and role-based access control (RBAC) with internal authentication. Here’s an outline of my setup:

MongoDB Version: 6.x (Running in Docker)

mongod.conf Configuration:

net:
  port: 27017
  bindIp: 0.0.0.0
  tls:
    mode: requireTLS
    certificateKeyFile: /etc/ssl/mongo.pem   # Combined certificate and private key
    CAFile: /etc/ssl/ca.pem                  # Certificate Authority file
    allowConnectionsWithoutCertificates: false

security:
  authorization: "enabled"                   # Enabling Role-Based Access Control (RBAC)
  keyFile: /etc/rs_keyfile                   # Path to key file for replica set authentication

systemLog:
  destination: file
  path: /var/log/mongodb/mongod.log
  logAppend: true
  verbosity: 2

Certificates:

  • mongo.pem: Contains the server certificate and private key.
  • ca.pem: Contains the CA certificate that signed mongo.pem.

Docker Compose:

MongoDB is running in a Docker container, and I have generated the required PEM files using openssl.

How I Start MongoDB:

I start MongoDB with the above configuration using Docker. Everything seems to start correctly, but when I try to connect to MongoDB using mongosh with TLS, I encounter connection issues.

Error When Connecting:

I attempt to connect using the following command:

mongosh --tls --tlsCAFile /etc/ssl/ca.pem --tlsCertificateKeyFile /etc/ssl/mongo.pem --host 127.0.0.1 --port 27017

However, I get the following error:

MongoServerSelectionError: connection to 127.0.0.1:27017 closed

When using --tlsAllowInvalidHostnames, I still can’t establish a successful connection.

Additional Information:

  1. I confirmed the certificates using openssl verify and openssl s_client, and they seem valid.
  2. Error in Log Files: I noticed the following errors in the MongoDB logs:
     • User assertion "NotYetInitialized: no replset config has been received"
     • Unable to retrieve storageStats in $collStats stage :: caused by :: Collection [local.oplog.rs] not found

Questions:

  1. Certificate Setup: Is there any issue with how I’ve generated or configured the certificates for MongoDB?
  2. Hostname Issue: How can I properly resolve the “hostname mismatch” issue for local connections when using TLS?
  3. Replica Set Configuration: Even though I haven’t enabled replication, I still see replica set errors. Could this be related to the issue?

Thanks in advance for any help!