checkServerIdentity Mongodb

Short question:

What is wrong with checkServerIdentity?

If I turn that option off, I can connect! But I want to use this option!


Long question

Running mongodb 3.2.6

I created a database user

use db
db.createUser(
    {
      user: "user",
      pwd: "pass",
      roles: [
         { role: "readWrite", db: "db" }
      ]
    }
)

My mongod.conf looks like this

systemLog:
  destination: file
  logAppend: true
  path: /var/log/mongodb/mongod.log

storage:
  dbPath: /var/lib/mongo
  journal:
    enabled: true

processManagement:
  fork: true  
  pidFilePath: /var/run/mongodb/mongod.pid  

net:
  port: 27017 
  ssl:
    mode: requireSSL
    PEMKeyFile: /etc/letsencrypt/live/example.com/mongod-PEMKeyFile.pem
    CAFile: /etc/letsencrypt/mongod-CAFile.pem

I start mongod --auth --config /etc/mongod.conf

Then I run my node.js script

require(__dirname+'/../node_modules/mongodb').MongoClient.connect(
    'mongodb://user:pass@127.0.0.1:27017/db?ssl=true&authMechanism=SCRAM-SHA-1&authSource=db'
    ,   {server:{
         sslValidate:true
    ,    checkServerIdentity:true
    ,    sslCA:[require('fs').readFileSync('/etc/letsencrypt/identrust-root-download-x3.pem')]
    ,    sslKey:require('fs').readFileSync('/etc/letsencrypt/live/example.com/privkey.pem')
    ,    sslCert:require('fs').readFileSync('/etc/letsencrypt/live/example.com/mongod-sslCert.pem')
         }}
,   function(e,db){
    console.log(e,db);
    });

It just shows the error

{ [MongoError: failed to connect to server [127.0.0.1:27017] on first connect]
   name: 'MongoError',
   message: 'failed to connect to server [127.0.0.1:27017] on first connect' }

Note: It connects fine if I turn off ssl in the mongod.conf and the node.js script!

There is no information in mongod.log:

2016-08-03T19:23:26.995+0200 I CONTROL  [main] ***** SERVER RESTARTED *****
2016-08-03T19:23:27.012+0200 I CONTROL  [initandlisten] MongoDB starting : pid=25307 port=27017 dbpath=/var/lib/mongo 64-bit host=xxxx
2016-08-03T19:23:27.012+0200 I CONTROL  [initandlisten] db version v3.2.6
2016-08-03T19:23:27.012+0200 I CONTROL  [initandlisten] git version: 05552b562c7a0b3143a729aaa0838e558dc49b25
2016-08-03T19:23:27.012+0200 I CONTROL  [initandlisten] OpenSSL version: OpenSSL 1.0.1e-fips 11 Feb 2013
2016-08-03T19:23:27.012+0200 I CONTROL  [initandlisten] allocator: tcmalloc
2016-08-03T19:23:27.012+0200 I CONTROL  [initandlisten] modules: none
2016-08-03T19:23:27.012+0200 I CONTROL  [initandlisten] build environment:
2016-08-03T19:23:27.012+0200 I CONTROL  [initandlisten]     distmod: rhel70
2016-08-03T19:23:27.012+0200 I CONTROL  [initandlisten]     distarch: x86_64
2016-08-03T19:23:27.012+0200 I CONTROL  [initandlisten]     target_arch: x86_64
2016-08-03T19:23:27.012+0200 I CONTROL  [initandlisten] options: { config: "/etc/mongod.conf", net: { port: 27017, ssl: { CAFile: "/etc/letsencrypt/mongod-CAFile.pem", PEMKeyFile: "/etc/letsencrypt/live/example.com/mongod-PEMKeyFile.pem", mode: "requireSSL" } }, processManagement: { fork: true, pidFilePath: "/var/run/mongodb/mongod.pid" }, security: { authorization: "enabled" }, storage: { dbPath: "/var/lib/mongo", journal: { enabled: true } }, systemLog: { destination: "file", logAppend: true, path: "/var/log/mongodb/mongod.log" } }
2016-08-03T19:23:27.047+0200 I -        [initandlisten] Detected data files in /var/lib/mongo created by the 'mmapv1' storage engine, so setting the active storage engine to 'mmapv1'.
2016-08-03T19:23:27.059+0200 I STORAGE  [initandlisten] 
2016-08-03T19:23:27.059+0200 I STORAGE  [initandlisten] ** WARNING: Readahead for /var/lib/mongo is set to 4096KB
2016-08-03T19:23:27.059+0200 I STORAGE  [initandlisten] **          We suggest setting it to 256KB (512 sectors) or less
2016-08-03T19:23:27.059+0200 I STORAGE  [initandlisten] **          http://dochub.mongodb.org/core/readahead
2016-08-03T19:23:27.059+0200 I JOURNAL  [initandlisten] journal dir=/var/lib/mongo/journal
2016-08-03T19:23:27.060+0200 I JOURNAL  [initandlisten] recover : no journal files present, no recovery needed
2016-08-03T19:23:27.364+0200 I JOURNAL  [durability] Durability thread started
2016-08-03T19:23:27.365+0200 I JOURNAL  [journal writer] Journal writer thread started
2016-08-03T19:23:27.366+0200 I CONTROL  [initandlisten] ** WARNING: You are running this process as the root user, which is not recommended.
2016-08-03T19:23:27.366+0200 I CONTROL  [initandlisten] 
2016-08-03T19:23:27.366+0200 I CONTROL  [initandlisten] 
2016-08-03T19:23:27.366+0200 I CONTROL  [initandlisten] ** WARNING: /sys/kernel/mm/transparent_hugepage/enabled is 'always'.
2016-08-03T19:23:27.366+0200 I CONTROL  [initandlisten] **        We suggest setting it to 'never'
2016-08-03T19:23:27.366+0200 I CONTROL  [initandlisten] 
2016-08-03T19:23:27.366+0200 I CONTROL  [initandlisten] ** WARNING: /sys/kernel/mm/transparent_hugepage/defrag is 'always'.
2016-08-03T19:23:27.366+0200 I CONTROL  [initandlisten] **        We suggest setting it to 'never'
2016-08-03T19:23:27.366+0200 I CONTROL  [initandlisten] 
2016-08-03T19:23:27.389+0200 I FTDC     [initandlisten] Initializing full-time diagnostic data capture with directory '/var/lib/mongo/diagnostic.data'
2016-08-03T19:23:27.389+0200 I NETWORK  [initandlisten] waiting for connections on port 27017 ssl
2016-08-03T19:23:27.390+0200 I NETWORK  [HostnameCanonicalizationWorker] Starting hostname canonicalization worker

How can I debug this? The error tells me nothing!

From: https://jira.mongodb.org/browse/NODE-788

Lucas Hrabovsky added a comment - 4 Aug 2016 05:38:18 PM GMT+0000

Looking at the implementation for checkServerIdentity, this is the callback passed to tls.connect(). Passing checkServerIdentity: true per your example is not required as this is the default value for this option and should only be specified as checkServerIdentity: false or a custom callback.

benzmuircroft@gmail.com Benz Muircroft added a comment - 4 Aug 2016 06:55:04 PM GMT+0000

Feedback: That seems really odd that setting it to true would prevent it from connecting! Shouldn't checkServerIdentity:true just be ignored or at least have a relevant warning/error?

the current output error offers no hint:

{ [MongoError: failed to connect to server [127.0.0.1:27017] on first connect] name: 'MongoError', message: 'failed to connect to server [127.0.0.1:27017] on first connect' }

Ps: this is using MongoDB shell version: 3.2.6. I have another server with MongoDB shell version: 3.2.8 and setting checkServerIdentity:true on 3.2.8 does not affect connecting in any way! (both servers are using node.js mongodb 2.2.4) It's very weird that only one server is affected.

Thanks!