
I’m working on configuring my Mongo 4.2 with TLS using minikube.

These are my arguments: --auth --tlsMode requireTLS --tlsCertificateKeyFile /etc/ssl/mongodb-test-ca.crt --tlsCAFile /etc/ssl/test-ca.pem --oplogSize 32 --quiet --replSet myreplicaset --logpath /dev/stdout

I’m getting this error:

cannot read certificate file: /etc/ssl/mongodb-test-ca.key error:0909006C:PEM routines:get_name:no start line

It looks like there is some problem with the .pem files that I’m using. To configure them, I’ve followed the instructions here https://www.mongodb.com/docs/manual/appendix/security/appendixA-openssl-ca/

More specifically, after creating the openssl-test-ca.cnf file that they suggest, the commands I’ve used are:

openssl genrsa -out mongodb-test-ca.key 4096
openssl req -new -x509 -days 1826 -key mongodb-test-ca.key -out mongodb-test-ca.crt -config openssl-test-ca.cnf
openssl genrsa -out mongodb-test-ia.key 4096
openssl req -new -key mongodb-test-ia.key -out mongodb-test-ia.csr -config openssl-test-ca.cnf
openssl x509 -sha256 -req -days 730 -in mongodb-test-ia.csr -CA mongodb-test-ca.crt -CAkey mongodb-test-ca.key -set_serial 01 -out mongodb-test-ia.crt -extfile openssl-test-ca.cnf -extensions v3_ca
cat mongodb-test-ca.crt mongodb-test-ia.crt  > test-ca.pem

What am I doing wrong? One idea is that the files I’m using are not the correct ones, but I’m only seeing one .pem file in my process, the test-ca.pem. For the key tlsCertificateKeyFile I’ve also tested mongodb-test-ca.key and mongodb-test-ia.key without success.

2 Answers


  1. You must create the .pem like this:

    cat mongodb-test-ia.crt mongodb-test-ia.key > mongodb-test-ia.pem
    

    and then run mongod with

    --tlsCertificateKeyFile /etc/ssl/mongodb-test-ia.pem --tlsCAFile /etc/ssl/test-ca.crt 
    

    In order to test the certificates you can also use openssl. Try

    openssl verify -CAfile /etc/ssl/mongodb-test-ca.crt /etc/ssl/mongodb-test-ia.pem
    

    Or if you like to do it a bit more advanced, open a shell and enter

    openssl s_server -cert /etc/ssl/mongodb-test-ia.pem
    

    Then open another shell and use

    openssl s_client -CAfile /etc/ssl/mongodb-test-ca.crt -quiet -no_ign_eof -status <<< Q
    

    See also How Security in MongoDB works (using x.509 cert)

  2. Just had another look at your question. In total you need to create 3 certificates.

    1. The (self-signed) CA

      In many cases you create a Root CA and an Intermediate CA. In principle, and for testing purposes, it is fully sufficient to create only the Root CA, see https://security.stackexchange.com/questions/128779/why-is-it-more-secure-to-use-intermediate-ca-certificates

    2. The Server certificate (signed and verified by the above CA)

    3. The Client certificate (signed and verified by the above CA)

    My personal advice: First create the CA and the server certificate, and use only openssl to make it work. Once you have achieved that, try to make it work with MongoDB. Then you can continue with the client certificate.

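The procedure from both answers as an added, runnable example (not code from the thread or from the MongoDB docs): a self-signed root CA, a server certificate signed by it, the combined certificate + key file that --tlsCertificateKeyFile expects, and a check that rejects a bare .crt (the "no start line" case from the question) or a key that does not belong to the certificate. It needs openssl; the file names, the temp directory and the "localhost" hostname are assumptions for the example.

```shell
#!/bin/sh
# Added example, not code from the thread: build the test PKI the answers
# describe and check the resulting .pem the way mongod needs it.
# Needs openssl; file names and "localhost" are assumptions for the example.
set -eu

# make_test_pki DIR: writes ca.key, ca.crt, server.key, server.crt, server.pem.
make_test_pki() {
  dir="$1"
  mkdir -p "$dir"
  # 1. The self-signed root CA (enough for testing, as the second answer says).
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=Test Root CA" -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
  # 2. Server key and CSR, then sign the CSR with the CA. The SAN must match the
  #    name clients connect with; with "x509 -req" it is passed via an extfile.
  openssl req -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=localhost" -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
  printf 'subjectAltName=DNS:localhost\nextendedKeyUsage=serverAuth\n' > "$dir/server.ext"
  openssl x509 -req -sha256 -days 365 -in "$dir/server.csr" \
    -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -extfile "$dir/server.ext" -out "$dir/server.crt" 2>/dev/null
  # 3. The file for --tlsCertificateKeyFile: certificate first, then its key.
  #    --tlsCAFile gets ca.crt. A bare .crt here is what produces "no start line".
  cat "$dir/server.crt" "$dir/server.key" > "$dir/server.pem"
}

# check_key_file CA_CRT PEM: exit 0 only if PEM holds a certificate that chains
# to CA_CRT and the private key that matches that certificate.
check_key_file() {
  ca="$1"; pem="$2"
  # The first CERTIFICATE block must verify against the CA.
  openssl x509 -in "$pem" 2>/dev/null | openssl verify -CAfile "$ca" >/dev/null 2>&1 || return 1
  # There must be a PRIVATE KEY block whose public half equals the cert's key.
  crt_pub=$(openssl x509 -in "$pem" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$pem" -pubout 2>/dev/null) || return 1
  [ "$crt_pub" = "$key_pub" ]
}

# Stand-alone run ("sh this.sh run"): build into a temp dir and report.
if [ "${1:-}" = "run" ]; then
  d=$(mktemp -d)
  make_test_pki "$d"
  check_key_file "$d/ca.crt" "$d/server.pem" && echo "server.pem OK"
  check_key_file "$d/ca.crt" "$d/server.crt" || echo "server.crt alone: no key (expected)"
fi
```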