Auth-Enabled mongo conf, not starting. Error: invalid char in key file /app/Mongo/mongodb-keyfile SE-Linux Environment


tilak mishra
Jun 15, 2016, 9:01:56 AM
to mongodb-user



Generated key file using these commands:
#openssl rand -base64 755 > /app/Mongo/mongodb-keyfile
#chmod 400 /app/Mongo/mongodb-keyfile

And then added the entries below to the mongod.conf file.
security:
  authorization: enabled
  keyFile: /app/Mongo/mongodb-keyfile


However, I'm not sure what's going wrong; I am getting this error when trying to start mongod with security enabled:
invalid char in key file /app/Mongo/mongodb-keyfile

Can you please help and guide? I am really in a very awkward situation: in 3 non-prod environments it worked, and I don't know why it's failing in Prod.


Environment: SE Linux 11

Mongo DB Version: 3.0.3

As our .Net client doesn't support SCRAM-SHA-1 type authentication, we downgraded the security mechanism to MONGODB-CR.


db.system.version.find()
{ "_id" : "authSchema", "currentVersion" : 3 }
 
{ "_id" : "admin.admin_mongo", "user" : "admin_mongo", "db" : "admin", "credentials" : { "MONGODB-CR" : "0c23321a8e8ffc2377a61eb54fccf4a5" }, "roles" : [ { "role" : "userAdminAnyDatabase", "db" : "admin" }, { "role" : "root", "db" : "admin" } ] }


Kevin Adistambha
Jul 3, 2016, 8:03:02 PM
to mongodb-user

Hi,

However, I'm not sure what's going wrong; I am getting this error when trying to start mongod with security enabled:
invalid char in key file /app/Mongo/mongodb-keyfile

The “invalid char in key file” error means that the key file contains a character that is not a valid Base64 character. Please take a look at your generated key file (/app/Mongo/mongodb-keyfile) and confirm that it doesn’t contain any non-Base64 character.

Please see Base64 for more information regarding valid Base64 characters.

Best regards,
Kevin

tilak mishra
Jul 5, 2016, 3:04:45 PM
to mongodb-user
Thank you Kevin. Can I just do a #cat <keyfile> /app/Mongo/mongodb-keyfile to see if there are any invalid chars?

As per the Mongo doc, I used the following command to generate the key file. What might have gone wrong? I will surely try. Please advise. Thanks.
#openssl rand -base64 755 > /app/Mongo/mongodb-keyfile



Kind regards,
Tilak

tilak mishra
Jul 5, 2016, 3:42:15 PM
to mongodb-user


At the end, it's adding an = character to the keyfile, which is not a supported base64 format.
I am using the same #openssl rand -base64 755 > /tmp/mongodb-keyfile to generate this.

How do I rectify it to generate without the = sign? Also to note, in the other non-prod environments I created the keyfile the same way, but it never added any invalid character like =.

What could be the reason?
Thanks.

Kevin Adistambha
Jul 5, 2016, 7:35:59 PM
to mongodb-user

Hi Tilak,

As per the Mongo doc, I used the following command to generate the key file. What might have gone wrong? I will surely try. Please advise. Thanks.

openssl rand -base64 755 > /app/Mongo/mongodb-keyfile

I believe you are looking at the 3.2 version of the documentation to create the keyfile (where it specified 755 bytes) and used the generated keyfile on MongoDB 3.0.

For MongoDB 3.0, the keyfile needs to be 741 bytes long, so in your case the command should be:

openssl rand -base64 741 > /app/Mongo/mongodb-keyfile

However, please note that keyfiles are bare-minimum forms of security and are best suited for testing or development environments. For production environments we recommend using x.509 certificates. For more information, please see:

Best regards,
Kevin

tilak mishra
Jul 6, 2016, 9:35:32 AM
to mongod...@googlegroups.com
Thank you Kevin.

Now, I generated the keyfile using the 3.0 command, and it doesn't have the "=" equal sign anymore.
However, it makes me think: how did the 755-byte command work in the other non-prod environments without adding an invalid char like the "=" sign?

openssl rand -base64 741 > /app/Mongo/mongodb-keyfile

We will do a rolling upgrade from the keyfile to x509 certificates using the steps mentioned in the link below. But where can I find the necessary steps to generate --sslClusterFile? If you have any link, could you please forward it? Thank you.


--
You received this message because you are subscribed to the Google Groups "mongodb-user"
group.
 
For other MongoDB technical support options, see: https://docs.mongodb.com/manual/support/
---
You received this message because you are subscribed to a topic in the Google Groups "mongodb-user" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/mongodb-user/21Q-XIsdJkk/unsubscribe.
To unsubscribe from this group and all its topics, send an email to mongodb-user...@googlegroups.com.
To post to this group, send email to mongod...@googlegroups.com.
Visit this group at https://groups.google.com/group/mongodb-user.
To view this discussion on the web visit https://groups.google.com/d/msgid/mongodb-user/2b13b4ab-0528-4d52-9492-761481408f07%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.



--
Sincerely,
Tilak Ranjan Mishra

Kevin Adistambha
Jul 12, 2016, 10:06:28 PM
to mongodb-user

Hi Tilak,

Now, I generated the keyfile using the 3.0 command, and it doesn't have the "=" equal sign anymore.
However, it makes me think: how did the 755-byte command work in the other non-prod environments without adding an invalid char like the "=" sign?

Are you certain you are running MongoDB 3.0 in your non-prod environment? 755 bytes would work with MongoDB 3.2, but should not work with older versions of MongoDB.

We will do a rolling upgrade from the keyfile to x509 certificates using the steps mentioned in the link below. But where can I find the necessary steps to generate --sslClusterFile? If you have any link, could you please forward it? Thank you.

The sslClusterFile parameter requires a .pem file that contains the x509 certificate and its associated private key. For creating a .pem file using a self-signed certificate, please see https://docs.mongodb.com/v3.0/tutorial/configure-ssl/#pem-file. However, please note that a self-signed certificate is for testing purposes only. If you intend to use x509 in production, you should use a valid SSL certificate issued by a certificate authority.

Best regards,
Kevin

tilak mishra
Jul 19, 2016, 3:21:36 PM
to mongod...@googlegroups.com
Hi Kevin - 

Yes, it's surprising that all 3 of our non-production environments didn't have this = sign when the key file was created with the 755-byte-long command:
What could be the reason?
How did production add the = sign?



#openssl rand -base64 755 > /app/Mongo/mongodb-keyfile

Here is the output of # ./mongo

MongoDB shell version: 3.0.3
connecting to: test



Kevin Adistambha
Jul 24, 2016, 10:10:53 PM
to mongodb-user

Hi Tilak

Yes, it's surprising that all 3 of our non-production environments didn't have this = sign when the key file was created with the 755-byte-long command:
What could be the reason?
How did production add the = sign?

The = sign is actually part of the Base64 encoding, where it acts as a padding character. Base64 encoding allows you to represent binary in text by encoding 8-bit into 6-bit, where the 6-bit representation consists of printable characters (e.g. A to Z, 1 to 9, and symbols such as =).

For example, a 24-bit binary sequence (3 bytes) can be represented with exactly 4 Base64 characters (3 bytes * 4/3 = 4 Base64 characters). However, a 16-bit (2 bytes) binary sequence must also be represented by 4 Base64 characters (since 2 bytes * 4/3 = 2.667 Base64 characters is not a round number, it must be rounded up to the nearest multiple of 4). There are examples in Base64 padding in the Base64 page.

Regarding MongoDB keyfile creation using OpenSSL, the parameter to OpenSSL is the number of random bytes you want to create:

  • For 741 bytes: 741 bytes * 4/3 = 988 Base64 characters (round number, no padding required)
  • For 755 bytes: 755 bytes * 4/3 = 1006.667 Base64 characters (not a round number, so padding is required)

Note that for 755 bytes, you must round up the result to the nearest multiple of 4 (which is 1008). You can quickly check this with:

> openssl rand -base64 741 | tr -d '\n' | wc -c
     988

and

> openssl rand -base64 755 | tr -d '\n' | wc -c
    1008

This rounding up from 1006.667 to 1008 is represented by the = sign in Base64. Therefore, a keyfile 755 bytes in length will always have the = sign at the end. I hope this clears up some of the confusion regarding the keyfiles.

Best regards,
Kevin
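The padding arithmetic and the keyfile rule from this thread, as an added example (not code from the thread or from MongoDB): it mimics `openssl rand -base64 N` offline, predicts the Base64 length and number of `=` characters for a given byte count, and applies the 3.0-style check that rejects any non-Base64 character (padding included) and enforces mongod's 6-to-1024-character key length bound.

```python
# Added example: why `openssl rand -base64 755` ends in '=' while 741 does not,
# and how a 3.0-style keyfile check rejects that padding character.
import base64
import math
import os

# The Base64 alphabet without the '=' padding symbol; this is what the thread
# says a MongoDB 3.0 keyfile may contain (whitespace is ignored).
BASE64_ALPHABET = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/")


def base64_length(n_bytes):
    """Base64 characters (padding included) for n_bytes: every 3 input bytes
    become 4 output characters, rounded up to a whole 4-character group."""
    return math.ceil(n_bytes / 3) * 4


def padding_chars(n_bytes):
    """Number of trailing '=' characters the encoder appends for n_bytes."""
    return (3 - n_bytes % 3) % 3


def generate_keyfile(n_bytes, rand=os.urandom):
    """Mimic `openssl rand -base64 N`: random bytes, Base64-encoded and
    wrapped at 64 columns like the openssl output."""
    enc = base64.b64encode(rand(n_bytes)).decode("ascii")
    return "\n".join(enc[i:i + 64] for i in range(0, len(enc), 64)) + "\n"


def check_keyfile(text):
    """Apply the keyfile rule described in the thread: skip whitespace, reject
    any character outside the Base64 alphabet ('=' included), and require a
    key of 6 to 1024 characters. Returns (ok, message)."""
    key = []
    for ch in text:
        if ch.isspace():
            continue
        if ch not in BASE64_ALPHABET:
            return False, "invalid char in key file (%r)" % ch
        key.append(ch)
    if not 6 <= len(key) <= 1024:
        return False, "key should be between 6 and 1024 chars, got %d" % len(key)
    return True, "ok (%d chars)" % len(key)


if __name__ == "__main__":
    for n in (741, 755):
        print(n, "bytes ->", base64_length(n), "chars,", padding_chars(n),
              "padding char(s):", check_keyfile(generate_keyfile(n)))
```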
