achesco/generate-mongo-ssl.md

Last active April 22, 2025 12:17

Star (21) You must be signed in to star a gist
Fork (7) You must be signed in to fork a gist

Learn more about clone URLs
Clone this repository at <script src="https://gist.github.com/achesco/b7cf9c0c93186c4a7362fb4832c866c0.js"></script>
Save achesco/b7cf9c0c93186c4a7362fb4832c866c0 to your computer and use it in GitHub Desktop.

Download ZIP

Generate self-signed SSL certificates for MongoDb server and client

Raw

generate-mongo-ssl.md

CNs are important!!! -days 3650

Make PEM containig a public key certificate and its associated private key

openssl req -newkey rsa:2048 -new -x509 -days 3650 -nodes -subj '/C=US/ST=Massachusetts/L=Bedford/O=Personal/OU=Personal/[email protected]/CN=localhost' -out mongodb-cert.crt -keyout mongodb-cert.key

cat mongodb-cert.key mongodb-cert.crt > mongodb.pem

cp mongodb-cert.crt mongodb-ca.crt

Edit /etc/mongod.conf, network interfaces section

# network interfaces
net:
  port: 27017
  bindIp: 127.0.0.1
  ssl:
    mode: allowSSL
    PEMKeyFile: /etc/ssl/mongodb.pem
    CAFile: /etc/ssl/mongodb-cert.crt

Check for startup config errors

sudo mongod --config /etc/mongod.conf

Restart mongo

sudo service mongod restart

Test-connect

mongo --ssl --sslAllowInvalidHostnames --sslCAFile mongodb-ca.crt --sslPEMKeyFile /etc/ssl/mongodb.pem

NodeJs, mongo connection options

{ 
	ssl: true,
	sslValidate: true,
	sslKey: fs.readFileSync('/etc/ssl/mongodb.pem'),
	sslCert: fs.readFileSync('/etc/ssl/mongodb-cert.crt'),
	sslCA: fs.readFileSync('/etc/ssl/mongodb-ca.crt')
}

lukewest commented Jan 25, 2023 •

edited

Loading

This was a lifesaver for me. Too many variables meant I couldnt get this to work even in a basic way.

post 4.3 mongod.conf

net:
  port: 27017
  bindIp: 127.0.0.1
  tls:
    #mode: allowTLS
    mode: requireTLS
    certificateKeyFile: /etc/ssl/mongodb.pem
    CAFile: /etc/ssl/mongodb-cert.crt

test connection

mongosh --tls --host localhost --tlsCertificateKeyFile /etc/ssl/mongodb.pem --tlsCAFile mongodb-ca.crt

todbapi commented Jun 3, 2024 •

edited

Loading

Setting Up MongoDB 4.4.29 with TLS

1. Create a Public Key Certificate and Private Key

Generate a public key certificate and its associated private key using OpenSSL:

openssl req -newkey rsa:2048 -new -x509 -days 3650 -nodes -out mongodb-cert.crt -keyout mongodb-cert.key

2. Create a PEM File

Combine the certificate and key into a single PEM file:

cat mongodb-cert.key mongodb-cert.crt > mongodb.pem

3. Copy Files to /etc/ssl

Move the generated certificate and PEM files to /etc/ssl:

sudo cp mongodb-cert.crt /etc/ssl
sudo cp mongodb.pem /etc/ssl

4. Edit the MongoDB Configuration

Open the MongoDB configuration file for editing:

sudo vim /etc/mongod.conf

Update the configuration to include the TLS/SSL settings:

net:
  port: 27017
  bindIp: localhost
  tls:
    mode: requireTLS
    certificateKeyFile: /etc/ssl/mongodb.pem
    CAFile: /etc/ssl/mongodb-cert.crt

Test Connection

Test connection by mongosh

mongosh --tls --host localhost --tlsCertificateKeyFile /etc/ssl/mongodb.pem --tlsCAFile /etc/ssl/mongodb-cert.crt

guiyumin commented Jul 18, 2024 •

edited

Loading

I just realized that if you set tlsAllowInvalidCertificates to be true, and you don't need a ssl cert or pem.

supersophie commented Jan 23, 2025 •

edited

Loading

This does NOT work. I have been at this for three weeks.

# openssl req -newkey rsa:2048 -new -x509 -days 3650 -nodes -subj '/C=EU/ST=Belgium/L=Brussels/O=Cat-dog/OU=Infrastructure/[email protected]/CN=xxxx.xx.xx -out mongodb.crt -keyout mongodb.key
.....+....+..+.+++++++++++++++++++++++++++++++++++++++*......+..........+...+.....+.+..+............+............+++++++++++++++++++++++++++++++++++++++*.........+.....+....+..+.+..+.............+...+......+...+.....+......+.+...+...................................+.......+.........+.....+.+........+.......+.....+......+....++++++
.....+......+...+.+..............+.+......+...+...+..+++++++++++++++++++++++++++++++++++++++*.+......+...+..+...................+...+..................+.....+...+....+++++++++++++++++++++++++++++++++++++++*...++++++

tls:
  mode: allowTLS
  certificateKeyFile: /etc/pki/tls/private/ mongodb.key
  CAFile: /etc/pki/tls/certs/mongodb.crt

# systemctl  restart mongod
{"t":{"$date":"2025-01-23T11:11:57.777+01:00"},"s":"I",  "c":"CONTROL",  "id":20698,   "ctx":"-","msg":"***** SERVER RESTARTED *****"}
{"t":{"$date":"2025-01-23T11:11:57.781+01:00"},"s":"E",  "c":"NETWORK",  "id":23248,   "ctx":"-","msg":"Cannot read certificate file","attr":{"keyFile":"/etc/pki/tls/private/mongodb.key","error":"error:0480006C:PEM routines::no start line"}}
{"t":{"$date":"2025-01-23T11:11:57.781+01:00"},"s":"F",  "c":"CONTROL",  "id":20574,   "ctx":"-","msg":"Error during global initialization","attr":{"error":{"code":140,"codeName":"InvalidSSLConfiguration","errmsg":"Can not set up PEM key file."}}}

codersyacht commented Apr 22, 2025 •

edited

Loading

@todbapi @achesco
While using mongosh, you are passing both pem and crt. Why are we passing the file containing the private key? Should not the client use just the public key?
In my client application I only have provision to provide public key.