TLS implementation for mongo deployment with load balancer enabled

Hi Team,

As per the Transport Layer Security (TLS) we are trying to enable TLS for mongo deployment in EKS. Have below queries :

  1. If we enable exposeType as loadbalencer do we have to create TLS certificates along with LB dns names ?
    "hosts": [
      "${CLUSTER_NAME}-rs0",
      "${CLUSTER_NAME}-rs0.${NAMESPACE}",
      "${CLUSTER_NAME}-rs0.${NAMESPACE}.svc.cluster.local",
      "*.${CLUSTER_NAME}-rs0",
      "*.${CLUSTER_NAME}-rs0.${NAMESPACE}",
      "*.${CLUSTER_NAME}-rs0.${NAMESPACE}.svc.cluster.local"
<LB1 >
<LB2>
<LB3> 
etc
  1. Can we use same certificates for both internal communication and client communications as i see only localhost is added while generating certitcates.

  2. Will the TLS setup works if the certificates are signed by external CA ? if we try creating certs using cfssl certs says “{“error”:“SSL peer certificate validation failed: self signed certificate in certificate
    chain”}}”

mongo "mongodb://aa709a02cc8e2400db71b89cfc0dea5c-1418412487.us-east-2.elb.amazonaws.com:27017/admin?replicaSet=rs0&ssl=true"

connecting to: mongodb://aa709a02cc8e2400db71b89cfc0dea5c-1418412487.us-east-2.elb.amazonaws.com:27017/admin?compressors=disabled&gssapiServiceName=mongodb&replicaSet=rs0&ssl=true
{"t":{"$date":"2021-09-08T05:08:33.042Z"},"s":"E",  "c":"NETWORK",  "id":23256,   "ctx":"ReplicaSetMonitor-TaskExecutor","msg":"SSL peer certificate validation failed","attr":{"error":"SSL peer certificate validation failed: self signed certificate in certificate chain"}}

Please suggest.

Regards,
Adithya

1 Like

Hello @Adithya ,

in short - yes, you need to create the certificate with LBs.
As you might have seen we have the doc here about it: Transport Layer Security (TLS)

The easiest way would be to have some wildcard domain for Mongo that would be CNAMEd to Load Balancer IP-address or domain.

For example:

  1. You have three nodes in a replica set, they are all exposed through LBs and have some random IPs
  2. You create the domain *.mongo-rs0.mydomain.com
  3. You point this domain to your nodes like node1.mongo-rs0.mydomain.com → aws-lb for node-1 and so on
  4. You add the wildcard domain into Alternative Names section in the certificate:
"hosts": [
      "${CLUSTER_NAME}-rs0",
      "${CLUSTER_NAME}-rs0.${NAMESPACE}",
      "${CLUSTER_NAME}-rs0.${NAMESPACE}.svc.cluster.local",
      "*.${CLUSTER_NAME}-rs0",
      "*.${CLUSTER_NAME}-rs0.${NAMESPACE}",
      "*.${CLUSTER_NAME}-rs0.${NAMESPACE}.svc.cluster.local",
      "*.mongo-rs0.mydomain.com"
]

We will improve our docs to cover this case.

1 Like