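# TLS settings for mongod. In mongod.conf these options live under the
# top-level `net:` key (net.ssl.*); only the ssl level is shown here.
ssl:
  # Refuse any connection that does not use TLS.
  mode: requireSSL
  # Server certificate and private key. With no clusterFile set, mongod also
  # presents this certificate when it connects out to other replica-set
  # members. A certificate limited to "TLS Web Server Authentication" is then
  # rejected by the peer with "unsupported certificate purpose".
  PEMKeyFile: /etc/ssl/mongo-prod1.pem
  # CA chain used to validate certificates presented by peers.
  CAFile: /etc/ssl/ca-chain.cert.pem
  # Passphrase for the key in PEMKeyFile, stored in clear text: keep this
  # file readable only by the account that runs mongod.
  PEMKeyPassword: xxxxxxxxxxxxxxxx
  # Clients that present no certificate are accepted; a certificate that is
  # presented is still validated against CAFile. TLS alone does not identify
  # clients with this setting, so client identity has to come from database
  # authentication (not shown in this excerpt).
  allowConnectionsWithoutCertificates: true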
Tue Jan 26 16:13:52.588 E NETWORK [conn8070] SSL peer certificate validation failed:unsupported certificate purpose
Tue Jan 26 16:13:52.588 W - [conn8070] DBException thrown :: caused by :: 9001 socket exception [CONNECT_ERROR] for
Tue Jan 26 16:13:52.593 I - [conn8070] 0xf82712 0xf03fbd 0x857bce 0xf42da1 0xf3b302 0xf31181 0xf33c40 0x7f5875e66182 0x7f587492d47d
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Cert Type:
SSL Server
Netscape Comment:
OpenSSL Generated Server Certificate
X509v3 Subject Key Identifier:
F1:85:92:F6:9E:6F:DD:F8:11:52:CA:FA:45:34:A3:A1:E6:EF:BC:E7
X509v3 Authority Key Identifier:
keyid:A1:F5:E5:61:EE:CF:46:93:5A:2B:76:DA:E6:9E:DE:40:18:41:9F:25
DirName:/C=US/ST=California/O=PathwayGenomics
serial:10:01
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication
ULPROD:SECONDARY> rs.status()
{
"set" : "ULPROD",
"date" : ISODate("2016-01-27T00:08:21.917Z"),
"myState" : 2,
"members" : [
{
"_id" : 0,
"name" : "mongo-prod1:27017",
"health" : 1,
"state" : 2,
"stateStr" : "SECONDARY",
"uptime" : 2400,
"optime" : Timestamp(1453333325, 28),
"optimeDate" : ISODate("2016-01-20T23:42:05Z"),
"configVersion" : 3,
"self" : true
},
{
"_id" : 1,
"name" : "mongo-prod2:27017",
"health" : 0,
"state" : 8,
"stateStr" : "(not reachable/healthy)",
"uptime" : 0,
"optime" : Timestamp(0, 0),
"optimeDate" : ISODate("1970-01-01T00:00:00Z"),
"lastHeartbeat" : ISODate("2016-01-27T00:08:19.749Z"),
"lastHeartbeatRecv" : ISODate("1970-01-01T00:00:00Z"),
"configVersion" : -1
},
{
"_id" : 2,
"name" : "mongo-prod3:27017",
"health" : 0,
"state" : 8,
"stateStr" : "(not reachable/healthy)",
"uptime" : 0,
"optime" : Timestamp(0, 0),
"optimeDate" : ISODate("1970-01-01T00:00:00Z"),
"lastHeartbeat" : ISODate("2016-01-27T00:08:19.923Z"),
"lastHeartbeatRecv" : ISODate("1970-01-01T00:00:00Z"),
"configVersion" : -1
}
],
"ok" : 1
}
# Shell alias that wraps the mongo client with its TLS options.
# NOTE(review): --sslAllowInvalidHostnames turns off the check that the server
# certificate's name matches --host, so any certificate that chains to
# --sslCAFile is accepted for mongo-prod1. Issuing the server certificate with
# the hostname clients actually use lets this flag be dropped.
# No client certificate is passed (--sslPEMKeyFile is absent), so the server
# must be configured to accept connections without one.
alias mongo='mongo --ssl --sslAllowInvalidHostnames --sslCAFile /etc/ssl/ca-chain.cert.pem --host mongo-prod1'
# Sign the CSR with the intermediate CA, applying the `server_cert` extension
# section from intermediate/openssl.cnf. The purposes the issued certificate
# is valid for are whatever that section sets (the section is not shown here).
# A certificate issued this way that carries only "TLS Web Server
# Authentication" cannot be presented as a client certificate.
openssl ca \
  -config intermediate/openssl.cnf \
  -extensions server_cert \
  -days 375 \
  -notext \
  -md sha256 \
  -in intermediate/csr/www.example.com.csr.pem \
  -out intermediate/certs/www.example.com.cert.pem
# Sign the CSR with the intermediate CA without naming an extension section.
# openssl ca then uses the section named by x509_extensions in the config, if
# one is set.
# NOTE(review): inspect the result with `openssl x509 -noout -text`. A
# certificate with no Extended Key Usage is not restricted to any purpose; a
# narrower choice is a dedicated extension section that sets
# `extendedKeyUsage = serverAuth, clientAuth`.
openssl ca \
  -config intermediate/openssl.cnf \
  -days 375 \
  -notext \
  -md sha256 \
  -in intermediate/csr/www.example.com.csr.pem \
  -out intermediate/certs/www.example.com.cert.pem
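# TLS settings for a replica-set member that uses one certificate for
# incoming connections and another for member-to-member connections. In
# mongod.conf these options live under the top-level `net:` key (net.ssl.*);
# only the ssl level is shown here.
ssl:
  # CA bundle used to validate certificates presented by peers.
  CAFile: /opt/ca-bundle.crt
  # Certificate and key presented to incoming connections.
  PEMKeyFile: /opt/server.pem
  # `password` is a placeholder value. The real passphrase sits in this file
  # in clear text, so keep the file readable only by the account that runs
  # mongod.
  PEMKeyPassword: password
  # Certificate and key this member presents when it connects to other
  # members; it must be valid for client authentication. Without clusterFile,
  # mongod falls back to PEMKeyFile for these connections.
  clusterFile: /opt/client.pem
  # Passphrase for the key in clusterFile (placeholder, same caveat as above).
  clusterPassword: password
  # Refuse any connection that does not use TLS.
  mode: requireSSL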