【Question title】: MongoDB Shell connection errors using test self-signed certificates
【Posted】: 2020-04-17 17:17:51
【Question】:

I am trying to test a MongoDB installation using self-signed certificates. I followed the instructions in the MongoDB documentation, using the copy links on each page, to create the "pem" files:

Appendix A - OpenSSL CA Certificate for Testing
Appendix B - OpenSSL Server Certificates for Testing
Appendix C - OpenSSL Client Certificates for Testing

I updated /etc/mongod.conf like this:

# network interfaces
net:
  port: 27017
  bindIp: 0.0.0.0
  tls:
    mode: requireTLS
    certificateKeyFile: /etc/ssl/mongodb/test-server1.pem
    allowConnectionsWithoutCertificates: true
    allowInvalidHostnames: true
    allowInvalidCertificates: true
    CAFile: /etc/ssl/mongodb/mongodb-test-ca.crt

Initially I did not have the "allow" options, but they made no difference, so I have left them in for now.

Running the mongodb shell produces this error:

root@ip-10-0-3-61:~/mongo-cert# mongo --tls --tlsCertificateKeyFile test-client.pem
MongoDB shell version v4.2.5
connecting to: mongodb://127.0.0.1:27017/?compressors=disabled&gssapiServiceName=mongodb
2020-04-17T17:07:25.809+0000 E  NETWORK  [js] SSL peer certificate validation failed: self signed certificate in certificate chain
2020-04-17T17:07:25.810+0000 E  QUERY    [js] Error: couldn't connect to server 127.0.0.1:27017, connection attempt failed: SSLHandshakeFailed: SSL peer certificate validation failed: self signed certificate in certificate chain :
connect@src/mongo/shell/mongo.js:341:17
@(connect):2:6
2020-04-17T17:07:25.812+0000 F  -        [main] exception: connect failed
2020-04-17T17:07:25.812+0000 E  -        [main] exiting with code 1
root@ip-10-0-3-61:~/mongo-cert#

If I add "--tlsAllowInvalidCertificates" to the command, it works:

root@ip-10-0-3-61:~/mongo-cert# mongo --tls --tlsCertificateKeyFile test-client.pem  --tlsAllowInvalidCertificates
MongoDB shell version v4.2.5
connecting to: mongodb://127.0.0.1:27017/?compressors=disabled&gssapiServiceName=mongodb
2020-04-17T17:09:18.934+0000 W  NETWORK  [js] SSL peer certificate validation failed: self signed certificate in certificate chain
Implicit session: session { "id" : UUID("3b0d0920-931d-4143-a8a2-afde432c1444") }
MongoDB server version: 4.2.5
>


I have read of other people who have followed the MongoDB instructions successfully.

I just do not understand what I have done wrong.

【Tags】: mongodb openssl ssl-certificate


    【Answer 1】:

    In addition to the client certificate, you also need to give the CA file to mongo (the --tlsCAFile option).

    When full validation is enabled with TLS, both the server and the client verify each other's certificate. This means both must have access to the CA certificate that was used to sign the leaf certificates.

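The answer above can be reproduced without a running mongod. The script below is an added example, not code from the question, the answer or the MongoDB documentation: it builds the same three artifacts with openssl (a self-signed test CA, a CA-signed server certificate and a CA-signed client certificate, each key and certificate concatenated into one PEM, the layout net.tls.certificateKeyFile and --tlsCertificateKeyFile expect), then runs openssl verify, which performs the same X.509 path validation the shell's TLS handshake does, in three configurations: the server leaf together with the chain the server presents but no trusted CA (the client without --tlsCAFile), the server leaf with the test CA trusted (the client with --tlsCAFile), and the client leaf against the CA (what mongod does with net.tls.CAFile). The subjects, hostnames, file names and the scratch directory are assumptions chosen to match the post; it needs openssl 1.1.1 or newer.

```shell
#!/bin/sh
# Added example (not from the question, the answer or the MongoDB docs):
# rebuild the test PKI from the question with openssl and show, with
# `openssl verify`, why the mongo shell fails without --tlsCAFile and
# passes with it. Subjects, hostnames and file names are assumptions.
set -eu

# Assumption: a throwaway directory; set WORKDIR=/some/path to keep the files.
WORKDIR="${WORKDIR:-$(mktemp -d)}"
CA="$WORKDIR/mongodb-test-ca.crt"

# Appendix A/B/C equivalents: a self-signed CA, then a server leaf and a
# client leaf signed by it. Key and certificate are concatenated into one
# PEM, as net.tls.certificateKeyFile / --tlsCertificateKeyFile expect.
gen_test_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=mongodb-test-ca" \
    -keyout "$WORKDIR/mongodb-test-ca.key" -out "$CA" 2>/dev/null

  openssl req -newkey rsa:2048 -nodes -subj "/CN=localhost" \
    -keyout "$WORKDIR/test-server1.key" -out "$WORKDIR/test-server1.csr" 2>/dev/null
  # SAN covering the address the shell connects to (127.0.0.1); without it,
  # hostname validation would be the next failure once the chain is trusted.
  printf 'subjectAltName=DNS:localhost,IP:127.0.0.1\nextendedKeyUsage=serverAuth\n' \
    > "$WORKDIR/server.ext"
  openssl x509 -req -days 30 -in "$WORKDIR/test-server1.csr" \
    -CA "$CA" -CAkey "$WORKDIR/mongodb-test-ca.key" -CAcreateserial \
    -extfile "$WORKDIR/server.ext" -out "$WORKDIR/test-server1.crt" 2>/dev/null

  openssl req -newkey rsa:2048 -nodes -subj "/CN=test-client" \
    -keyout "$WORKDIR/test-client.key" -out "$WORKDIR/test-client.csr" 2>/dev/null
  printf 'extendedKeyUsage=clientAuth\n' > "$WORKDIR/client.ext"
  openssl x509 -req -days 30 -in "$WORKDIR/test-client.csr" \
    -CA "$CA" -CAkey "$WORKDIR/mongodb-test-ca.key" -CAcreateserial \
    -extfile "$WORKDIR/client.ext" -out "$WORKDIR/test-client.crt" 2>/dev/null

  cat "$WORKDIR/test-server1.key" "$WORKDIR/test-server1.crt" > "$WORKDIR/test-server1.pem"
  cat "$WORKDIR/test-client.key" "$WORKDIR/test-client.crt" > "$WORKDIR/test-client.pem"
}

# Client without --tlsCAFile: the chain the server presents (leaf plus the
# self-signed test CA, supplied here via -untrusted) is available, but nothing
# in it is trusted. Exit status is non-zero; the message is the one in the
# question ("self signed certificate in certificate chain", error 19).
verify_server_without_ca() {
  openssl verify -no-CAfile -no-CApath -untrusted "$CA" \
    "$WORKDIR/test-server1.crt" 2>&1
}

# Client with --tlsCAFile: the test CA is trusted, the leaf chains to it and
# its SAN matches the address the shell dials. Exit status 0.
verify_server_with_ca() {
  openssl verify -CAfile "$CA" -purpose sslserver -verify_ip 127.0.0.1 \
    "$WORKDIR/test-server1.crt" 2>&1
}

# The same rule on the other side: mongod validates the client certificate in
# test-client.pem against its net.tls.CAFile. Exit status 0.
verify_client_with_ca() {
  openssl verify -CAfile "$CA" -purpose sslclient \
    "$WORKDIR/test-client.crt" 2>&1
}

gen_test_pki

echo "== client without --tlsCAFile: server chain presented, nothing trusted =="
if msg=$(verify_server_without_ca); then
  echo "unexpected: leaf verified without a trusted CA"
  exit 1
fi
echo "$msg"

echo "== client with --tlsCAFile $CA =="
verify_server_with_ca

echo "== mongod checking test-client.pem against net.tls.CAFile =="
verify_client_with_ca
```

The first check fails with `error 19 at 1 depth lookup: self signed certificate in certificate chain` (OpenSSL 3 spells it "self-signed"), the same text the shell printed, and the other two print OK. `--tlsAllowInvalidCertificates` only tells the shell to continue after that failure (the E becomes a W in the second transcript); the chain is still untrusted, so the fix is to trust the test CA on the client side: `mongo --tls --tlsCAFile mongodb-test-ca.crt --tlsCertificateKeyFile test-client.pem`.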
