how to connect to mongo-chart with self-signed cert?

[Jeff Chua]

I followed the instructions to setup my local mongo chart but don’t how to pass the SSL CA and client pem files ...

docker run --rm quay.io/mongodb/charts:v0.12.0 charts-cli test-connection mongodb://<username>:<password>@myhost.com/

The docker install is ok, and the HelloWorld works. The self-signed works and Mongo Compass works as well with my ca.pem and client.pem.

How to configure the docker chart to secure via SSL?

Thanks,
Jeff

[Tom Hollander]

Hi Jeff -

We have docs on this at https://docs.mongodb.com/charts/v0.12/administration/configure-ssl-data-sources/. Basically you need to copy the PEM files into the mongodb-charts_db-certs Docker volume.

Let me know how you go.

Tom 

[Jeff Chua]

On Tuesday, April 16, 2019 at 6:33:18 AM UTC+8, Tom Hollander wrote:

Hi Jeff -

We have docs on this at https://docs.mongodb.com/charts/v0.12/administration/configure-ssl-data-sources/. Basically you need to copy the PEM files into the mongodb-charts_db-certs Docker volume.

Let me know how you go.

Tom 

Hi Tom,

Making progress, but may be still got the following errors ...

# docker run -it -v mongodb-charts_db-certs:/volume -v /db/mongo/ssl:/localcerts alpine sh -c 'cp /localcerts/*.pem /volume'

# ls -l /v6/docker/volumes/mongodb-charts_db-certs/_data/*.pem

-rwx------ 1 root root 1314 Apr 17 16:45 ca.pem
-rwx------ 1 root root 2859 Apr 17 16:45 client.pem
-rwx------ 1 root root 1854 Apr 17 16:45 privkey.pem
-rwx------ 1 root root 2879 Apr 17 16:45 server.pem

# docker stack rm mongodb-charts
# docker stack deploy -c charts-docker-compose-v0.12.0.yml mongodb-charts

# docker run --add-host boston:172.20.10.2 --rm quay.io/mongodb/charts:v0.12.0 charts-cli test-connection 'mongodb://user1:pass1@boston/test?ssl=true'

2019-04-17T16:48:02.851+0800 I NETWORK  [listener] connection accepted from 172.17.0.2:40598 #8 (1 connection now open)
2019-04-17T16:48:02.851+0800 I NETWORK  [listener] connection accepted from 172.17.0.2:40598 #8 (1 connection now open)
2019-04-17T16:48:02.853+0800 E NETWORK  [conn8] no SSL certificate provided by peer; connection rejected
2019-04-17T16:48:02.853+0800 I NETWORK  [conn8] Error receiving request from client: SSLHandshakeFailed: no SSL certificate provided by peer; connection rejected. Ending connection from 172.17.0.2:40598 (connection id: 8)
2019-04-17T16:48:02.853+0800 I NETWORK  [conn8] end connection 172.17.0.2:40598 (0 connections now open)

Name of the files matters?

My best,

Jeff

[Tom Hollander]

Hi Jeff -

Try specifying the SSL cert file as a part of the URI... like this:

mongodb://myhost:27000/?ssl=true&sslclientcertificatekeyfile=/mongodb-charts/volumes/db-certs/client.pem

I'm not sure exactly how your certs are organised but you'll need to specify a file that includes the private key for the client certificate.

Let me know how you go.
Tom

[Jeff Chua]

Hi Tom,

Is there a doc that list the SSL parameters that I need to pass? I need to pass the private key and the CA filename as well ...

Thanks,
Jeff

[Tom Hollander]

Hi Jeff -

This code uses the Go driver. I couldn't find anything in the docs explaining this but you can probably figure out what's supported by looking at the code: https://github.com/mongodb/mongo-go-driver/blob/b07d0220ac446e807f73bccce17d32db10efb8a1/x/network/connstring/connstring.go

For your specific questions though, I believe the private key and cert both need to be in the same file that you pass in the URI. You could also put the whole trust chain in, but as long as the CA pem file is on the server I think that will also work.

Random link I found showing how to combine various things into PEM files: https://www.digicert.com/ssl-support/pem-ssl-creation.htm

HTH

Tom

[Jeff Chua]

On Wednesday, April 17, 2019 at 7:20:47 PM UTC+8, Tom Hollander wrote:

Hi Tom,

I just tried this ... still the same error ...

# docker run --add-host boston:`gethostbyname boston` --rm quay.io/mongodb/charts:v0.12.0 charts-cli test-connection 'mongodb://jeff:mOngo3168@boston/test?ssl=true&sslclientcertificatekeyfile=/mongodb-charts/volumes/db-certs/client.pem&sslclientcertificatekeypassword==xxxx&sslcertificateauthorityfile=/mongodb-charts/volumes/db-certs/ca.pem'

2019-04-17T19:49:30.129+0800 I NETWORK  [listener] connection accepted from 172.17.0.2:43152 #3 (1 connection now open)
2019-04-17T19:49:30.132+0800 E NETWORK  [conn3] no SSL certificate provided by peer; connection rejected
2019-04-17T19:49:30.132+0800 I NETWORK  [conn3] Error receiving request from client: SSLHandshakeFailed: no SSL certificate provided by peer; connection rejected. Ending connection from 172.17.0.2:43152 (connection id: 3)
2019-04-17T19:49:30.132+0800 I NETWORK  [conn3] end connection 172.17.0.2:43152 (0 connections now open)

Is there anyway to login to the docker container to verify that the certs are in the correct path (sslclientcertificatekeyfile=/mongodb-charts/volumes/db-certs/client.pem) ?

Thanks,

Jeff

[Tom Hollander]

Ah, in this particular case, the test-connection script is likely to be misleading. This is because the volume with the certs isn't mounted. Also the test-connection script uses the Node driver, not the Go driver, and I'm not positive it handles the SSL parameters in the same way.

I'd suggest skipping this step and moving on with the installation - store the URI in the Docker secret and then start the stack. Once the stack is running you can use docker ps to get the ID of the container, and then docker exec -it <containerId> bash to launch a shell in the container. From there you can check the certs and also look at the log files in /mongodb-charts/logs.

Tom

[Jeff Chua]

On Wednesday, April 17, 2019 at 8:09:19 PM UTC+8, Tom Hollander wrote:

Ah, in this particular case, the test-connection script is likely to be misleading. This is because the volume with the certs isn't mounted. Also the test-connection script uses the Node driver, not the Go driver, and I'm not positive it handles the SSL parameters in the same way.

I'd suggest skipping this step and moving on with the installation - store the URI in the Docker secret and then start the stack. Once the stack is running you can use docker ps to get the ID of the container, and then docker exec -it <containerId> bash to launch a shell in the container. From there you can check the certs and also look at the log files in /mongodb-charts/logs.

Tom

Hi Tom,

Thanks for the pointer ... I could login to the docker container and obtained the following ...

# tailf /mongodb-charts/logs/charts-cli.log
2019-04-18T12:48:37.244+00:00 WARN  waiting for MongoDB, attempt #1 failed: failed to connect to server [boston:27017] on first connect [MongoNetworkError: connection 0 to boston:27017 timed out]
2019-04-18T12:48:37.344+00:00 INFO  waiting for MongoDB, attempt #2 to connect to MongoDB at mongodb://jeff:*******@boston/test?ssl=true&sslclientcertificatekeyfile=/mongodb-charts/volumes/db-certs/client.pem&sslclientcertificatekeypassword=xxxx&sslcertificateauthorityfile=/mongodb-charts/volumes/db-certs/ca.pem

# ls -l /mongodb-charts/volumes/db-certs/
-rwx------ 1 root root 1314 Apr 17 11:48 ca.pem
-rwx------ 1 root root 2859 Apr 17 11:48 client.pem
-rwx------ 1 root root 1854 Apr 17 11:48 privkey.pem
-rwx------ 1 root root 2879 Apr 17 11:48 server.pem

It looks like the volume is mounted and the SSL certs are correct. I verified the checksum.

What else can I try?

Again, mongo-compass works with the same SSL certs.

Thanks,

Jeff

[Jeff Chua]

Anything else I can try?

[Tom Hollander]

Hi Jeff -

Apologies for the inconvenience. We have tested the scenario before but I'm going to try it with the current version to check the procedure is still the same. I'll get back to you soon.

Tom

On Tuesday, April 23, 2019 at 7:05:12 AM UTC+10, Jeff Chua wrote:

Anything else I can try?

[Tom Hollander]

Just to make sure I'm testing the right scenario, can you share your mongod command line / config and the Compass connection options that are working?

[Jeff Chua]

 

> Just to make sure I'm testing the right scenario, can you share your mongod command line / config and the Compass connection options that are working?

Tom,

Here's my mongod.conf

systemLog:
  destination: file
  path: "/db/mongo/log/log1"
  logAppend: true

storage:
  dbPath: "/db/mongo/data"
  journal:
    enabled: true

processManagement:
  fork: true

net:
  port: 27017
  bindIp: boston
  ssl:
    mode: requireSSL
    CAFile: /db/mongo/ssl/ca.pem
    PEMKeyFile: /db/mongo/ssl/server.pem
    PEMKeyPassword: porsche1968

setParameter:
  enableLocalhostAuthBypass: false

security:
  authorization: enabled

And here's my Compass config ...

                    Hostname:                       boston
        Port:                           27017
        SRV Record:                     disabled
        Authentication:                 Username/Password
        Username:                       user1
        Password:                       xxxx
        SSL:                            Server and Client Validation
        Certification Authority:        ca.pem
        Client Certificate:             client.crt
        Client Private key:             client.key
        Client Key Password:            <blank>
        SSH Tunnel:                     None
        Favorite Name:                  boston

And here's the mongo command line ...

# /opt/mongo/bin/mongo --ssl --sslCAFile /db/mongo/ssl/ca.pem -sslPEMKeyFile /db/mongo/ssl/client.pem --host boston --port 27017 -u user1 -p xxxx --authenticationDatabase admin

Thanks,

Jeff

[Tom Hollander]

Thanks Jeff, I'll replicate this myself and get back to you.

Just one more quick question - the subject of this thread is about self-signed certs, but from all the discussion you are using a CA. I presume you mean it's a private/untrusted CA, but you're not actually using self-signed certificates?

[Tom Hollander]

Hi Jeff -

I've spent a few hours testing this, and unfortunately it seems that some recent changes we made to the installation process has made it impossible to connect to Mongo clusters using SSL Client certificates. This is because we do more work in Node code, and the Node driver does not support the `sslclientcertificatekeyfile` parameter. Instead you need to pass this info out-of-band to the URI, but our startup script doesn't know to do this.

I've just logged a bug and we should be able to address this before our upcoming GA release. In the meantime I'm afraid you'll need to connect to a Mongo instance without using SSL Client certificates (server certificates should still be fine though).

Sorry for giving you false hope, but on the plus side your question has highlighted an issue which we'll look at.

Tom

[Jeff Chua]

Tom,

Appreciated your help. please send me an email when the release is a available for testing! My email is jeff.ch...@gmail.com

Jeff

[Jeff Chua]

any new updates?

[Tom Hollander]

Hi Jeff - yes, I sent you a private mail with some info about a test build. Let me know if you didn't get it.

On Monday, May 27, 2019 at 1:46:21 PM UTC+10, Jeff Chua wrote:

any new updates?

[René Großmann]

Hey guys,

I'm dealing with exactly the same problem. 

What I have already achieved:

1. Deployment of MongoDB Charts on Kubernetes, includes secret handling, persistent volume claimes, ...

2. Successful connection to my MongoDB deployment secured via X509 (as a data source, the crucial hint was to use the Go driver connection string)

Until now I use an unsecured local meta database as mentioned before for the settings of MongoDB Charts. 

My goal is to use the same production ready deployment for the setttings of MongoDB Charts and for my data.

Could you give me also some information about a possible solution?

And another question:

There are newer docker images (1.13 and 1.14) than the offical latest one (0.12.0)? Do you have any information about these images?

Thank you,

René

[Tom Hollander]

Hi René -

We'll have an update to the 0.12 on-prem release in June which should address the client certificate issue raised by Jeff.

Our Docker registry does have additional builds, including builds we release to Atlas and intermediate development builds. We don't stop anyone from accessing those, but if you use a build that's not listed on our Download Centre then keep in mind that we haven't done thorough testing for on-prem setups, there may be known bugs, and we can't provide any support. 

The :next tag has our latest build (usually a dev or release candidate version). You can try that and see if it addresses your specific issue, but again these are pre-release builds which likely contain other issues so tread carefully!

Tom

[Jeff Chua]

Thanks Tom for the :next tag, looks good with SSL connection.

Thanks,
Jeff

[René Großmann]

Hey Tom,

thanks again for your help. 

There is a new release 19:06 and due to the bug fix list: Charts can now be configured to use metadata clusters with SSL client certificates.

I manually tried to connect to my own cluster via the note.js driver with SSL=true and the necessary options to validate client certificates.

I used the code from: https://mongodb.github.io/node-mongodb-native/2.1/tutorials/connect/ssl/

The docs missing any information how to co configure Charts to use metadata cluster with SSL client certificates!

Could you provide a short solution ?

Thanks,

René

[René Großmann]

Well after some debugging and investigations on the charts-cli.js I found a solution, one bug and also one very confusing fact:

Solution to use client certs for the metadata cluster:

1. Provide the secret "charts-mongodb-uri" as: 

echo "mongodb://<user>:<pw>@<server:port>/[db or in my case its empty]?authsource=admin&ssl=true&sslclientcertificatekeyfile=/mongodb-charts/volumes/db-certs/client.pem&sslcertificateauthorityfile=/mongodb-charts/volumes/db-certs/ca.pem" | docker secret create charts-mongodb-uri -

2. Copy your ca.pem and client.pm via docker exec -it ... to the db-certs volume.

Found Bug:

The charts-cli test-connection function DOES NOT use the function buildMongoNodeClientOptions(uri) to extract the certificate information from the metadatabase uri. So the command fails... even if everything is working elsewhere.

Confusing Fact:

The provided function buildMongoNodeClientOptions(uri) in the charts-cli.js file only works, if the concatenated client.pem file has the following structure: 

Certificate:...

-----BEGIN RSA PRIVATE KEY----- ... -----END RSA PRIVATE KEY-----

-----BEGIN CERTIFICATE----- ...-----END CERTIFICATE-----

In my case the the private key section and the certificate section were reversed, so the buildMongoNodeClientOptions function failed, because of the used regular expression and the hard-coded expected structure of the concatenated file. 

This has to be documented in the official documentation or (my prefered way) the function should be improved to be robust against the structure of the concatenated client file.

[Tom Hollander]

Hey Rene -

Apologies that the documentation is lacking, but I'm glad you got this working. I'll work to get the docs improved, and thanks for sharing the correct solution in the meantime.

Re the bug - I believe you may be mistaken on this one. I just checked the code and we do indeed use buildMongoNodeClientOptions in the test-connection script (it may be hard to see in the minified code in the container?). I suspect it may not be working because the recommended way to run this (using docker run) will not mount the volumes by default - you'll need to add the volumes using the -v docker option in order for the keys to be available for this command. Let me know if I'm right on this.

Re the confusing fact - you are right on this one. The cert files I had used the order expected by the app, and I (possibly incorrectly) assumed that this was standardised. If the reverse format is acceptable we can update future versions of the installer to be more tolerant.

thanks

Tom

[René Großmann]

Hey Tom,

You are right. 

I directly tested the docker-cli test-connection command in my running container on kubernetes and its working fine.

There error I got in the first place was maybe because of my reversed order of the client.pem file.

So thanks again for your help!!!

--
You received this message because you are subscribed to the Google Groups "mongodb-user"
group.
 
For other MongoDB technical support options, see: https://docs.mongodb.com/manual/support/
---
You received this message because you are subscribed to the Google Groups "mongodb-user" group.
To unsubscribe from this group and stop receiving emails from it, send an email to mongodb-user...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/mongodb-user/be2154a0-4d7e-4418-ab53-090f418a11df%40googlegroups.com.