mongodump error: x509: cannot validate certificate for <server-IP> because it doesn't contain any IP SANs
I am trying to set up mongodump together with TLS/SSL encryption. For this I have been following various articles, such as https://mydbops.wordpress.com/2020/05/02/securing-mongodb-cluster-with-tls-ssl/ and others.
So, I have generated the CA certificates.
#Create CA Private Certificate
openssl genrsa -passout pass:<password> -out ca.key -aes256 8192
#Sign CA Public Certificate
openssl req -x509 -new -extensions v3_ca -passin pass:<password> -key ca.key -days 365 -out ca-pub.crt -subj "/C=XX/L=Default City/O=Default Company Ltd"
Then I created a key for the MongoDB server and self-signed it using the CA.
openssl req -nodes -newkey rsa:4096 -sha256 -keyout mongod.key -out mongod.csr -subj "/C=XX/L=Default City/O=Default Company Ltd/CN=<host-name-IP>";
openssl x509 -req -in mongod.csr -CA ca-pub.crt -passin pass:<password> -CAkey ca.key -CAcreateserial -out mongod.crt;
cat mongod.key mongod.crt > mongod.pem;
Next, I created a conf file for the client with the following content:
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
default_keyfile = mongo-client.key
prompt = no
[req_distinguished_name]
C = filled-appropriately
ST = filled-appropriately
L = filled-appropriately
O = client
OU = client-team
CN = .
[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = IP:<mongodb-server-ip>
Next, using this .conf file, generate a mongo client csr file:
openssl req -new -nodes -out mongo-client.csr -config mongo-client.conf
Then self-sign these using the CA certificate.
openssl x509 -req -in mongo-client.csr -CA ca-pub.crt -CAkey ca.key -out mongo-client.crt
cat mongo-client.key mongo-client.crt > mongo-client.pem
I have placed the CA and MongoDB server specific files in the appropriate location (in /etc/ssl) and updated the paths in the mongod.conf file:
tls:
  mode: requireTLS
  certificateKeyFile: /etc/ssl/mongodb.pem
  CAFile: /etc/ssl/ca-pub.crt
After updating, I did a daemon-reload and restarted mongod.service, and moved ca-pub.crt and mongo-client.pem to the appropriate client server.
Now, when I try to connect to the server using the mongo command, it connects successfully.
mongo --tls --tlsCAFile ca-pub.crt --tlsCertificateKeyFile mongo-client.pem --host=<server-IP> -u <username> -p <password>
But when I try to run the mongodump command:
mongodump --host=<server-IP> -u <username> -p <password> --ssl --sslCAFile=ca-pub.crt --sslPEMKeyFile=mongo-client.pem
it gives this error:
Failed: can't create session: could not connect to server: server selection error: server selection timeout, current topology: { Type: Single, Servers: [{ Addr: <server-IP>, Type: Unknown, State: Connected, Average RTT: 0, Last error: connection() : x509: cannot validate certificate for <server-IP> because it doesn't contain any IP SANs }, ] }
Note: in all of the code above, the server-IP value was filled in appropriately.
Can anyone provide a solution or any helpful resources for this? Any help would be appreciated. Thanks.
The SubjectAltName is different from what I have used in the past.
Create a common signing request config:
echo '[req]
default_bits = 4096
default_md = sha256
distinguished_name = req_distinguished_name
[ req_distinguished_name ]' | sudo tee common.csr.conf
openssl req -nodes -sha256 -newkey rsa:4096 -keyout node1.key.pem -out node1.csr -subj "/C=US/ST=Oregon/L=Springfield/O=Some Organization/OU=Replicaset/CN=node1" -config common.csr.conf
Create the extension file:
echo '
basicConstraints = CA:FALSE
nsCertType = client, email
nsComment = "OpenSSL Generated Client Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth, emailProtection
subjectAltName = @alt_names
[alt_names]
DNS.1 = localhost
DNS.2 = node1.barry.test
IP.1 = 127.0.0.1' | sudo tee node1.ext
Sign the certificate:
openssl x509 -req -sha256 -in node1.csr -CA ca.crt.pem -CAkey ca.key.pem -CAcreateserial -days 365 -out node1.crt.pem -extfile node1.ext
Combine the certificate and key into a PEM file:
cat node1.key.pem node1.crt.pem > node1.pem
I referred to this link to solve the issue: https://security.stackexchange.com/questions/74345/provide-subjectaltname-to-openssl-directly-on-the-command-line/183973?newreg=1aa964f1090e49029f2ee664382e75e4
openssl req -newkey rsa:4096 -nodes -out server.csr -keyout server.key -subj "/C=XX/ST=XX/L=XX/O=company/OU=company-unit/CN=<server-IP>";
openssl x509 -sha256 -req -extfile <(printf "subjectAltName=IP:<server-IP>") -days 365 -in server.csr -CA ca.pem -passin pass:password -CAkey ca_private.pem -CAcreateserial -out server-signed.crt;
cat server-signed.crt server.key > server.pem;
The rest of the steps for creating the CA certificate and the client key stay the same.
@barrypicker's answer resolved the mongodump and mongorestore issue, but the connection from the mongo shell failed.