Add additional CA certificate for mutual tls (teleport auth)

RogerSik · May 27, 2024, 7:26am

Did someone successfully added an additionally ca cert to the mongodb cluster?

I want to add the CA certificate from teleport so that connections can be tunneled over teleport:

Step 2: Configure MongoDB → Set up mutual TLS:

Export the Teleport Database Client CA from Teleport, and then add it as an additional trusted CA by concatenating it with your CA’s certificate:

tctl auth export --type=db-client > db-client-ca.crt
cat /path/to/your/ca.crt db-client-ca.crt > /etc/certs/mongo.cas

net:
  tls:
    mode: requireTLS
    certificateKeyFile: /etc/certs/mongo.crt
    CAFile: /etc/certs/mongo.cas

but not sure how to modify the mongodb perconca cluster to add additional CA certificate?

Sergey_Pronin · May 29, 2024, 7:31am

@RogerSik,
we have not tried it.

But to add additional CA you can modify <cluster_name>-ssl and <cluster_name>-ssl-internal secret resources.

In both secrets there will ba ca.crt file.

Do the same for internal secret.

It explains how the certificates must be structured.

Note: we have not tested two CAs, so not sure how MongoDB would behave.

Topic		Replies	Views
TLS/SSL Enabling for MongoDB in Cloud Manager Percona Server for MongoDB closed-no-reply	0	901	September 1, 2023
MongoDB ReplicaSet Cluster with TLS and Letsencrypt/cert-manager Percona Server for MongoDB percona , mongodb	7	1965	May 16, 2023
Configuring TLS for Percona mongodb sharding setup Percona Operator for MongoDB mongodb	1	961	January 12, 2023
How to enable TLS on MongoDB operator without requiring client certificates Percona Operator for MongoDB	2	1489	November 1, 2022
Mongodb operator x.509 tls vault auth failed for $external Percona Operator for MongoDB	2	1329	January 26, 2022