TLS/SSL Enabling for MongoDB in Cloud Manager

Here’s the detailed procedure I followed for enabling the TLS/SSL certificate for MongoDB.

Step 01: Created the MongoDB server/VM in GCP with the specific requirements.

Step 02: Installed the MongoDB Automation Agent on the MongoDB Server.

Step 03: Now go to Cloud Manager and enable the MongoDB deployment with backup and monitoring.

Step 04: Enabling TLS/SSL certificates
First we need to create our own SSL Certificate Authority (CA) to dump our self-signed certificate.

  • Create the CA Private Key:

$ openssl genrsa -out rootCA.key -aes256 8192
Here we need to enter a strong password.

  • Self-Sign the CA Public Certificate:

$ openssl req -x509 -new -extensions v3_ca -key rootCA.key -days 365 -out rootCAPub.crt

This will start an interactive script which will ask you for various bits of information.
Here you provide the CN (common name), or FQDN, which is the hostname of your server.

This will create an SSL certificate called rootCAPub.crt, signed by itself, valid for 365 days, and it will act as our root certificate.

  • Generate the CSR(Certificate Signing request) and Private key for MongoDB Server:

$ openssl req -nodes -newkey rsa:4096 -sha256 -keyout mongodb.key -out mongodb.csr

Here also, an interactive script will start and ask you for various bits of information. At the end you provide the challenge password. This generates the private key and the CSR.

  • Now we need to sign the CSR using the root CA private and public key:

$ openssl x509 -req -in mongodb.csr -CA rootCAPub.crt -CAkey rootCA.key -CAcreateserial -out mongodb.crt

  • Now Concatenate the specific Server Private and Public Certificate to create a .pem format file:

$ cat mongodb.key mongodb.crt > mongodb.pem

Step 05: Create a self-signed certificate for mongo client / Driver

First we need to create the .conf file with the configuration below:

[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
default_keyfile = example-client.key
prompt = no

[req_distinguished_name]
C = US
ST = California
L = OAK
O = Example
OU = DBENG
CN = FQDN_NAME

[v3_req]
keyUsage = keyEncipherment, dataEncipherment
# A client certificate must carry clientAuth; serverAuth belongs on the server certificate.
extendedKeyUsage = clientAuth
subjectAltName = @alt_names

[alt_names]
DNS.1 = DNS_NAME

Once the example.conf file has been created:

  • Create the CSR file and private key to be used with a certificate, with the following command:

$ openssl req -new -nodes -out example-client.csr -config example.conf

  • Sign the client CSR using CA public and private key:

$ openssl x509 -req -in example-client.csr -CA rootCAPub.crt -CAkey rootCA.key -CAcreateserial -extfile example.conf -extensions v3_req -out example-client.crt

  • Finally, concatenate the key and the signed certificate:

$ cat example-client.key example-client.crt > example-client.pem

Step 06: Now we need to configure the TLS Configuration for MongoDB Deployment in Cloud Manager.

Enabling TLS/SSL for MongoDB in Cloud Manager

Here are the options and values provided to enable TLS/SSL:
tlsMode - allowTLS
tlsCertificateKeyFile - /etc/ssl/mongodb.pem
tlsCertificateKeyFilePassword - ########

Step 07: Then enable TLS at the project level. Here I provided /etc/ssl/rootCAPub.crt.

So I successfully enabled TLS at the project level and applied it to the MongoDB deployment, but when I connect to mongo using the command below, it throws an error:

mongo --ssl --sslCAFile /etc/ssl/rootCAPub.crt --host mongodb-test-poc.private-qa.tenfold.com:27000 --sslPEMKeyFile /etc/ssl/example-client.pem

Error is

MongoDB shell version v3.6.8
connecting to: mongodb://mongodb-test-poc.private-qa.tenfold.com:27000/
2023-09-01T13:12:04.232+0000 E NETWORK  [thread1] SSL peer certificate validation failed: self signed certificate
2023-09-01T13:12:04.271+0000 E QUERY    [thread1] Error: socket exception [CONNECT_ERROR] for SSL peer certificate validation failed: self signed certificate :
connect@src/mongo/shell/mongo.js:257:13
@(connect):1:6
exception: connect failed

Can someone please assist with this issue, and also please provide inputs on the procedure I followed?

Regards
Sriram
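Added example, not part of the post above: a POSIX shell script that builds a throwaway CA and server certificate the same way as Steps 04 and 05, with a constructed placeholder hostname, and then runs the checks a client performs before mongo is pointed at the files: whether mongodb.crt chains to rootCAPub.crt for that hostname, and whether a certificate's subject DN equals its issuer DN, which is the shape OpenSSL reports as "self signed certificate" when the leaf also has no authority key identifier. It assumes `openssl` (1.1.1 or later) and `mktemp` are on PATH.

```shell
#!/bin/sh
# Added example, not part of the original post. Builds a throwaway CA and
# server certificate in a temp dir and checks them as a client would.
set -eu
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
HOST="mongodb.example.internal"   # constructed placeholder hostname

# CA with its own distinct subject. If the CA and the server certificate
# share one subject DN and the server cert carries no authority key id,
# OpenSSL flags the leaf as self-signed and rejects it at depth 0.
openssl req -x509 -new -nodes -newkey rsa:2048 -sha256 -days 365 \
  -subj "/O=Example/OU=DBENG/CN=Example Root CA" \
  -keyout "$WORK/rootCA.key" -out "$WORK/rootCAPub.crt" 2>/dev/null

# Server key and CSR, signed by the CA with a SAN so hostname checks pass.
openssl req -new -nodes -newkey rsa:2048 -sha256 \
  -subj "/O=Example/OU=DBENG/CN=$HOST" \
  -keyout "$WORK/mongodb.key" -out "$WORK/mongodb.csr" 2>/dev/null
printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$HOST" \
  > "$WORK/srv.ext"
openssl x509 -req -in "$WORK/mongodb.csr" -CA "$WORK/rootCAPub.crt" \
  -CAkey "$WORK/rootCA.key" -CAcreateserial -days 365 -sha256 \
  -extfile "$WORK/srv.ext" -out "$WORK/mongodb.crt" 2>/dev/null
cat "$WORK/mongodb.key" "$WORK/mongodb.crt" > "$WORK/mongodb.pem"

# verify_chain CAFILE CERT [HOST]: succeeds when CERT chains to CAFILE
# (and, if HOST is given, when CERT is valid for that hostname).
verify_chain() {
  if [ -n "${3:-}" ]; then
    openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
  fi
}

# subject_equals_issuer CERT: succeeds when subject DN == issuer DN, the
# layout that surfaces as "self signed certificate" on the client side.
subject_equals_issuer() {
  s="$(openssl x509 -noout -subject -in "$1")"
  i="$(openssl x509 -noout -issuer -in "$1" | sed 's/^issuer/subject/')"
  [ "$s" = "$i" ]
}

verify_chain "$WORK/rootCAPub.crt" "$WORK/mongodb.crt" "$HOST" \
  && echo "mongodb.crt chains to rootCAPub.crt and matches $HOST"
subject_equals_issuer "$WORK/mongodb.crt" \
  || echo "mongodb.crt is issued by a distinct CA subject (good)"
```

Run the same two checks against the real /etc/ssl/rootCAPub.crt and the certificate half of /etc/ssl/mongodb.pem to see which side the validation failure comes from.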