Skip to content

Instantly share code, notes, and snippets.

@achesco

achesco/generate-mongo-ssl.md

Last active March 26, 2025 03:58
Show Gist options
  • Save achesco/b7cf9c0c93186c4a7362fb4832c866c0 to your computer and use it in GitHub Desktop.
Save achesco/b7cf9c0c93186c4a7362fb4832c866c0 to your computer and use it in GitHub Desktop.
Download ZIP
Generate self-signed SSL certificates for MongoDb server and client
Raw
generate-mongo-ssl.md

CNs are important!!! -days 3650

Make PEM containig a public key certificate and its associated private key

openssl req -newkey rsa:2048 -new -x509 -days 3650 -nodes -subj '/C=US/ST=Massachusetts/L=Bedford/O=Personal/OU=Personal/[email protected]/CN=localhost' -out mongodb-cert.crt -keyout mongodb-cert.key
cat mongodb-cert.key mongodb-cert.crt > mongodb.pem
cp mongodb-cert.crt mongodb-ca.crt

Edit /etc/mongod.conf, network interfaces section

# network interfaces
net:
  port: 27017
  bindIp: 127.0.0.1
  ssl:
    mode: allowSSL
    PEMKeyFile: /etc/ssl/mongodb.pem
    CAFile: /etc/ssl/mongodb-cert.crt

Check for startup config errors

sudo mongod --config /etc/mongod.conf

Restart mongo

sudo service mongod restart

Test-connect

mongo --ssl --sslAllowInvalidHostnames --sslCAFile mongodb-ca.crt --sslPEMKeyFile /etc/ssl/mongodb.pem

NodeJs, mongo connection options

{ 
	ssl: true,
	sslValidate: true,
	sslKey: fs.readFileSync('/etc/ssl/mongodb.pem'),
	sslCert: fs.readFileSync('/etc/ssl/mongodb-cert.crt'),
	sslCA: fs.readFileSync('/etc/ssl/mongodb-ca.crt')
}
@lukewest
Copy link

lukewest commented Jan 25, 2023
edited
Loading

This was a lifesaver for me. Too many variables meant I couldnt get this to work even in a basic way.

  1. post 4.3 mongod.conf
net:
  port: 27017
  bindIp: 127.0.0.1
  tls:
    #mode: allowTLS
    mode: requireTLS
    certificateKeyFile: /etc/ssl/mongodb.pem
    CAFile: /etc/ssl/mongodb-cert.crt
  1. test connection
mongosh --tls --host localhost --tlsCertificateKeyFile /etc/ssl/mongodb.pem --tlsCAFile mongodb-ca.crt

@todbapi
Copy link

todbapi commented Jun 3, 2024
edited
Loading

Setting Up MongoDB 4.4.29 with TLS

1. Create a Public Key Certificate and Private Key

Generate a public key certificate and its associated private key using OpenSSL:

openssl req -newkey rsa:2048 -new -x509 -days 3650 -nodes -out mongodb-cert.crt -keyout mongodb-cert.key

2. Create a PEM File

Combine the certificate and key into a single PEM file:

cat mongodb-cert.key mongodb-cert.crt > mongodb.pem

3. Copy Files to /etc/ssl

Move the generated certificate and PEM files to /etc/ssl:

sudo cp mongodb-cert.crt /etc/ssl
sudo cp mongodb.pem /etc/ssl

4. Edit the MongoDB Configuration

Open the MongoDB configuration file for editing:

sudo vim /etc/mongod.conf

Update the configuration to include the TLS/SSL settings:

net:
  port: 27017
  bindIp: localhost
  tls:
    mode: requireTLS
    certificateKeyFile: /etc/ssl/mongodb.pem
    CAFile: /etc/ssl/mongodb-cert.crt

Test Connection

Test connection by mongosh

mongosh --tls --host localhost --tlsCertificateKeyFile /etc/ssl/mongodb.pem --tlsCAFile /etc/ssl/mongodb-cert.crt

@guiyumin
Copy link

guiyumin commented Jul 18, 2024
edited
Loading

I just realized that if you set tlsAllowInvalidCertificates to be true, and you don't need a ssl cert or pem.

@supersophie
Copy link

supersophie commented Jan 23, 2025
edited
Loading

This does NOT work. I have been at this for three weeks.

# openssl req -newkey rsa:2048 -new -x509 -days 3650 -nodes -subj '/C=EU/ST=Belgium/L=Brussels/O=Cat-dog/OU=Infrastructure/[email protected]/CN=xxxx.xx.xx -out mongodb.crt -keyout mongodb.key
.....+....+..+.+++++++++++++++++++++++++++++++++++++++*......+..........+...+.....+.+..+............+............+++++++++++++++++++++++++++++++++++++++*.........+.....+....+..+.+..+.............+...+......+...+.....+......+.+...+...................................+.......+.........+.....+.+........+.......+.....+......+....++++++
.....+......+...+.+..............+.+......+...+...+..+++++++++++++++++++++++++++++++++++++++*.+......+...+..+...................+...+..................+.....+...+....+++++++++++++++++++++++++++++++++++++++*...++++++

tls:
  mode: allowTLS
  certificateKeyFile: /etc/pki/tls/private/ mongodb.key
  CAFile: /etc/pki/tls/certs/mongodb.crt

# systemctl  restart mongod
{"t":{"$date":"2025-01-23T11:11:57.777+01:00"},"s":"I",  "c":"CONTROL",  "id":20698,   "ctx":"-","msg":"***** SERVER RESTARTED *****"}
{"t":{"$date":"2025-01-23T11:11:57.781+01:00"},"s":"E",  "c":"NETWORK",  "id":23248,   "ctx":"-","msg":"Cannot read certificate file","attr":{"keyFile":"/etc/pki/tls/private/mongodb.key","error":"error:0480006C:PEM routines::no start line"}}
{"t":{"$date":"2025-01-23T11:11:57.781+01:00"},"s":"F",  "c":"CONTROL",  "id":20574,   "ctx":"-","msg":"Error during global initialization","attr":{"error":{"code":140,"codeName":"InvalidSSLConfiguration","errmsg":"Can not set up PEM key file."}}}

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment