时间戳

首页 > 解决方案 > 使用测试自签名证书的 MongoDB Shell 连接错误

mongodb - 使用测试自签名证书的 MongoDB Shell 连接错误

问题描述

我正在尝试使用自签名证书测试 mongoDB 安装。我按照 mongoDB 文档中的说明使用每个页面上的复制链接创建“pem”文件:

附录 A - 用于测试的 OpenSSL CA 证书
附录 B - 用于测试的 OpenSSL 服务器证书
附录 C - 用于测试的 OpenSSL 客户端证书

我更新了 /etc/mongod.conf 如下:

# network interfaces
net:
  port: 27017
  bindIp: 0.0.0.0
  tls:
    mode: requireTLS
    certificateKeyFile: /etc/ssl/mongodb/test-server1.pem
    allowConnectionsWithoutCertificates: true
    allowInvalidHostnames: true
    allowInvalidCertificates: true
    CAFile: /etc/ssl/mongodb/mongodb-test-ca.crt

最初我没有“允许”选项,但它们没有任何区别,所以我暂时离开。

运行 mongodb shell 会导致此错误:

root@ip-10-0-3-61:~/mongo-cert# mongo --tls --tlsCertificateKeyFile test-client.pem
MongoDB shell version v4.2.5
connecting to: mongodb://127.0.0.1:27017/?compressors=disabled&gssapiServiceName=mongodb
2020-04-17T17:07:25.809+0000 E  NETWORK  [js] SSL peer certificate validation failed: self signed certificate in certificate chain
2020-04-17T17:07:25.810+0000 E  QUERY    [js] Error: couldn't connect to server 127.0.0.1:27017, connection attempt failed: SSLHandshakeFailed: SSL peer certificate validation failed: self signed certificate in certificate chain :
connect@src/mongo/shell/mongo.js:341:17
@(connect):2:6
2020-04-17T17:07:25.812+0000 F  -        [main] exception: connect failed
2020-04-17T17:07:25.812+0000 E  -        [main] exiting with code 1
root@ip-10-0-3-61:~/mongo-cert#

如果我在命令中添加“--tlsAllowInvalidCertificates”,它将起作用:

root@ip-10-0-3-61:~/mongo-cert# mongo --tls --tlsCertificateKeyFile test-client.pem  --tlsAllowInvalidCertificates
MongoDB shell version v4.2.5
connecting to: mongodb://127.0.0.1:27017/?compressors=disabled&gssapiServiceName=mongodb
2020-04-17T17:09:18.934+0000 W  NETWORK  [js] SSL peer certificate validation failed: self signed certificate in certificate chain
Implicit session: session { "id" : UUID("3b0d0920-931d-4143-a8a2-afde432c1444") }
MongoDB server version: 4.2.5
>


I have read other people who have followed the mongodb instructions successfully. 

I just do not understand what I have done wrong.

标签: mongodbopensslssl-certificate

解决方案

除了客户端证书之外,您还需要提供 CA 文件mongo(选项)。--tlsCAFile

当使用 TLS 启用完整验证时,服务器和客户端都会验证对方的证书。这意味着两者都必须有权访问用于签署叶证书的 CA 证书。

推荐阅读