Running dev env with mongo + ssl
Background
I am trying to run mongo locally with full ssl validation enabled, the same way it runs in production. Mongo complains that the certificate is self-signed, but I specified a ca.crt file, which I thought should be treated as the root certificate for validation. If that is reasonable, then I think either my mongo config or my certificate generation is incorrect.
SSL keys/certs/pem
To create the ssl stuff I ran the following
#!/bin/sh
# Generate self signed root CA cert
openssl req -nodes -x509 -newkey rsa:2048 -keyout ca.key -out ca.crt -subj "/emailAddress=dev@gmail.com"
# Generate server cert to be signed
openssl req -nodes -newkey rsa:2048 -keyout server.key -out server.csr -subj "/emailAddress=dev@gmail.com"
# Sign the server cert
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt
# Create server PEM file
cat server.key server.crt > server.pem
# Generate client cert to be signed
openssl req -nodes -newkey rsa:2048 -keyout client.key -out client.csr -subj "/emailAddress=dev@gmail.com"
# Sign the client cert
openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAserial ca.srl -out client.crt
# Create client PEM file
cat client.key client.crt > client.pem
Mongo database config
I then run mongo (inside docker) with the following config. (Where /data/mongo is the location of the files generated above.)
net:
  port: 27017
  ssl:
    mode: requireSSL
    CAFile: /data/mongo/ca.crt
    PEMKeyFile: /data/mongo/server.pem
    allowInvalidHostnames: true
setParameter:
  enableLocalhostAuthBypass: true
and run it via
mongo --config config/location
Connecting to mongo
I then try to connect to the server using the mongo command line as follows.
mongo --ssl --sslPEMKeyFile /data/mongo/client.pem --sslCAFile /data/mongo/ca.crt
and get the following output
MongoDB shell version: 3.2.14
connecting to: test
2017-07-19T20:12:31.456+0000 I NETWORK [initandlisten] connection accepted from 127.0.0.1:60516 #1 (1 connection now open)
2017-07-19T20:12:31.461+0000 E NETWORK [conn1] SSL peer certificate validation failed: self signed certificate
2017-07-19T20:12:31.461+0000 I NETWORK [conn1] end connection 127.0.0.1:60516 (0 connections now open)
2017-07-19T20:12:31.461+0000 E NETWORK [thread1] SSL peer certificate validation failed: self signed certificate
2017-07-19T20:12:31.461+0000 E QUERY [thread1] Error: socket exception [CONNECT_ERROR] for SSL peer certificate validation failed: self signed certificate :
connect@src/mongo/shell/mongo.js:229:14
@(connect):1:6
exception: connect failed
Figured it out! Basically it needs more data in the subject line, or the CN needs to be ROOTCA for the CA. Anyone who can comment on why would be greatly appreciated.
#!/bin/sh
prefix="/C=CN/ST=GD/L=city/O=company"
# Generate self signed root CA cert
openssl req -nodes -x509 -newkey rsa:2048 -keyout ca.key -out ca.crt -subj "${prefix}/CN=ROOTCA"
# Generate server cert to be signed
openssl req -nodes -newkey rsa:2048 -keyout server.key -out server.csr -subj "${prefix}/CN=127.0.0.1"
# Sign the server cert
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt
# Create server PEM file
cat server.key server.crt > server.pem
# Generate client cert to be signed
openssl req -nodes -newkey rsa:2048 -keyout client.key -out client.csr -subj "${prefix}/CN=127.0.0.1"
# Sign the client cert
openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAserial ca.srl -out client.crt
# Create client PEM file
cat client.key client.crt > client.pem
Some related resources, in case anyone runs into a similar problem
The answer was found/taken from
https://www.mongodb.com/blog/post/secure-mongodb-with-x-509-authentication
https://raw.githubusercontent.com/tjworks/mongoscripts/master/x509/setup-x509.sh
An almost identical Stack Exchange question to mine can also be found at
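Why the first script fails and the second works, as an added check that is not part of the original question or answer: the server certificate's issuer DN is simply the CA's subject, so when the CA and the server are given the identical one-field subject the server cert ends up with issuer == subject, and OpenSSL then classes it as self-issued and rejects it as a self-signed certificate instead of chaining it to the CA; giving the CA a distinct CN (ROOTCA) removes that collision. The script below assumes the openssl CLI is available, generates throwaway certs for both subject layouts in a temporary directory, and reports for each whether the names collide, whether an authorityKeyIdentifier is present (newer OpenSSL releases add key identifiers by default, which can let such a chain build despite the name collision), and whether openssl verify accepts it.

```sh
#!/bin/sh
# Added diagnostic, not from the original post; assumes the openssl CLI is installed.
# make_pair writes a throwaway CA plus a CA-signed server cert for a chosen pair of
# subjects; check_cert reports whether that cert looks self-issued (subject DN ==
# issuer DN), whether it carries an authorityKeyIdentifier, and whether it verifies.
set -e

# make_pair DIR CA_SUBJ SERVER_SUBJ : writes ca.crt and server.crt into DIR
make_pair() {
  dir="$1"; ca_subj="$2"; srv_subj="$3"
  openssl req -nodes -x509 -newkey rsa:2048 -keyout "$dir/ca.key" \
      -out "$dir/ca.crt" -subj "$ca_subj" >/dev/null 2>&1
  openssl req -nodes -newkey rsa:2048 -keyout "$dir/server.key" \
      -out "$dir/server.csr" -subj "$srv_subj" >/dev/null 2>&1
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
      -CAcreateserial -out "$dir/server.crt" >/dev/null 2>&1
}

# check_cert CA_FILE CERT_FILE : prints one line of three tokens,
# "<self-issued|distinct> <akid|no-akid> <verify-ok|verify-failed>",
# and returns 0 only when the cert verifies against the CA.
check_cert() {
  ca="$1"; cert="$2"
  subj=$(openssl x509 -in "$cert" -noout -subject)
  iss=$(openssl x509 -in "$cert" -noout -issuer)
  # drop the "subject=" / "issuer=" labels so the two DN strings compare directly
  subj=${subj#subject=}; iss=${iss#issuer=}
  if [ "$subj" = "$iss" ]; then names="self-issued"; else names="distinct"; fi
  if openssl x509 -in "$cert" -noout -text | grep -q "Authority Key Identifier"; then
    akid="akid"
  else
    akid="no-akid"
  fi
  if openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
    echo "$names $akid verify-ok"; return 0
  fi
  echo "$names $akid verify-failed"; return 1
}

# Reproduce both layouts from the post: identical one-field subjects versus distinct CNs
demo() {
  work=$(mktemp -d); mkdir "$work/bad" "$work/good"
  make_pair "$work/bad"  "/emailAddress=dev@gmail.com" "/emailAddress=dev@gmail.com"
  make_pair "$work/good" "/C=CN/ST=GD/L=city/O=company/CN=ROOTCA" \
                         "/C=CN/ST=GD/L=city/O=company/CN=127.0.0.1"
  printf 'first script : '; check_cert "$work/bad/ca.crt"  "$work/bad/server.crt"  || true
  printf 'fixed script : '; check_cert "$work/good/ca.crt" "$work/good/server.crt"
  rm -rf "$work"
}
demo
```

The same check_cert can be pointed at an existing ca.crt and server.pem to confirm the subject/issuer split before handing the files to mongod.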