Background: I am trying to run mongo locally the same way it runs in production, with full SSL verification enabled. Mongo complains that the certificate is self-signed, but I am specifying a ca.crt file, which I thought should be treated as the root certificate for validation. If that is reasonable, then I assume either my mongo configuration or my certificate generation is incorrect.
SSL key / cert / pem: To create the SSL material I am running the following
#!/bin/sh
# Generate self signed root CA cert
openssl req -nodes -x509 -newkey rsa:2048 -keyout ca.key -out ca.crt -subj "/emailAddress=dev@gmail.com"
# Generate server cert to be signed
openssl req -nodes -newkey rsa:2048 -keyout server.key -out server.csr -subj "/emailAddress=dev@gmail.com"
# Sign the server cert
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt
# Create server PEM file
cat server.key server.crt > server.pem
# Generate client cert to be signed
openssl req -nodes -newkey rsa:2048 -keyout client.key -out client.csr -subj "/emailAddress=dev@gmail.com"
# Sign the client cert
openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAserial ca.srl -out client.crt
# Create client PEM file
cat client.key client.crt > client.pem
Mongo database configuration: The mongo configuration I am running (inside docker) is as follows (where /data/mongo is the location of the files generated above).
net:
  port: 27017
  ssl:
    mode: requireSSL
    CAFile: /data/mongo/ca.crt
    PEMKeyFile: /data/mongo/server.pem
    allowInvalidHostnames: true
setParameter:
  enableLocalhostAuthBypass: true
and run it via
mongo --config config/location
Connecting to mongo: I then try to connect to the server with the mongo command line as follows.
mongo --ssl --sslPEMKeyFile /data/mongo/client.pem --sslCAFile /data/mongo/ca.crt
and get the following output
MongoDB shell version: 3.2.14
connecting to: test
2017-07-19T20:12:31.456+0000 I NETWORK [initandlisten] connection accepted from 127.0.0.1:60516 #1 (1 connection now open)
2017-07-19T20:12:31.461+0000 E NETWORK [conn1] SSL peer certificate validation failed: self signed certificate
2017-07-19T20:12:31.461+0000 I NETWORK [conn1] end connection 127.0.0.1:60516 (0 connections now open)
2017-07-19T20:12:31.461+0000 E NETWORK [thread1] SSL peer certificate validation failed: self signed certificate
2017-07-19T20:12:31.461+0000 E QUERY [thread1] Error: socket exception [CONNECT_ERROR] for SSL peer certificate validation failed: self signed certificate :
connect@src/mongo/shell/mongo.js:229:14
@(connect):1:6
exception: connect failed
Answer 0 (score: 1)
Got it! Basically it needs more data in the subject line, or the CN needs to be ROOTCA. Anyone who can comment on why would be appreciated.
#!/bin/sh
prefix="/C=CN/ST=GD/L=city/O=company"
# Generate self signed root CA cert
openssl req -nodes -x509 -newkey rsa:2048 -keyout ca.key -out ca.crt -subj "${prefix}/CN=ROOTCA"
# Generate server cert to be signed
openssl req -nodes -newkey rsa:2048 -keyout server.key -out server.csr -subj "${prefix}/CN=127.0.0.1"
# Sign the server cert
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt
# Create server PEM file
cat server.key server.crt > server.pem
# Generate client cert to be signed
openssl req -nodes -newkey rsa:2048 -keyout client.key -out client.csr -subj "${prefix}/CN=127.0.0.1"
# Sign the client cert
openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAserial ca.srl -out client.crt
# Create client PEM file
cat client.key client.crt > client.pem
Some related resources, in case anyone runs into similar trouble, found at / taken from:
https://www.mongodb.com/blog/post/secure-mongodb-with-x-509-authentication
https://raw.githubusercontent.com/tjworks/mongoscripts/master/x509/setup-x509.sh
A Stack Exchange post almost identical to mine can also be found at
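On the "why" the answer asks about: OpenSSL classes a certificate as self-issued when its subject name equals its issuer name, and when the certificate carries no authority key identifier extension that name match is also what marks it as self-signed. The question's script gives the CA, the server and the client the identical subject /emailAddress=dev@gmail.com, and the `openssl x509 -req` call there adds no extensions, so server.crt presents as self-signed; since server.crt itself is not in the trust store (only ca.crt is), validation stops with exactly the logged error, "self signed certificate". Giving the CA its own CN, as the answer's script does, breaks the name match and lets the chain build up to ca.crt. The script below is an added example, not code from the question, the answer or MongoDB: it rebuilds both layouts with the same openssl commands, reports whether subject equals issuer, and runs `openssl verify -CAfile ca.crt server.crt`, which is the same chain check mongod performs on the peer certificate and is worth running before starting the server. The subject strings and the dev@example.com address are constructed for the demo. Newer OpenSSL releases add subject and authority key identifier extensions by default when signing, which lets the verifier pick the right issuer despite the name collision, so the question's layout may verify cleanly there; the name check still flags the collision.

```shell
#!/bin/sh
# Added example, not part of the question or the answer: reproduce the
# "self signed certificate" failure with openssl alone and show why the
# answer's subject change fixes it. Subject strings and the example.com
# address are constructed for this demo; nothing here touches mongod.
set -u

# make_pair DIR CA_SUBJ SERVER_SUBJ
# Creates a root CA and a server certificate signed by it under DIR,
# using the same openssl commands as the question's script.
make_pair() {
  dir=$1; ca_subj=$2; srv_subj=$3
  mkdir -p "$dir"
  openssl req -nodes -x509 -newkey rsa:2048 -days 1 \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" -subj "$ca_subj" 2>/dev/null
  openssl req -nodes -newkey rsa:2048 \
    -keyout "$dir/server.key" -out "$dir/server.csr" -subj "$srv_subj" 2>/dev/null
  openssl x509 -req -days 1 -in "$dir/server.csr" -CA "$dir/ca.crt" \
    -CAkey "$dir/ca.key" -CAcreateserial -out "$dir/server.crt" 2>/dev/null
}

# same_name DIR: "yes" if the server cert's subject equals its issuer.
# A certificate whose subject and issuer names match is treated as
# self-issued, which is the root of the failure in the question.
same_name() {
  subj=$(openssl x509 -in "$1/server.crt" -noout -subject)
  iss=$(openssl x509 -in "$1/server.crt" -noout -issuer)
  if [ "${subj#subject=}" = "${iss#issuer=}" ]; then echo yes; else echo no; fi
}

# verify_chain DIR: "ok" if server.crt chains to ca.crt, else "fail".
# Matching on the ": OK" line rather than the exit code keeps this
# working on old openssl builds whose verify always exited 0.
verify_chain() {
  if openssl verify -CAfile "$1/ca.crt" "$1/server.crt" 2>&1 | grep -q ': OK$'; then
    echo ok
  else
    echo fail
  fi
}

# check_layout CA_SUBJ SERVER_SUBJ: builds the pair in a scratch directory
# and prints "same_name=<yes|no> verify=<ok|fail>".
check_layout() {
  work=$(mktemp -d)
  make_pair "$work" "$1" "$2"
  printf 'same_name=%s verify=%s\n' "$(same_name "$work")" "$(verify_chain "$work")"
  rm -rf "$work"
}

main() {
  # The question's layout: CA and server share one subject.
  printf 'question: %s\n' \
    "$(check_layout '/emailAddress=dev@example.com' '/emailAddress=dev@example.com')"
  # The answer's layout: distinct CN for the CA and for the server.
  printf 'answer:   %s\n' \
    "$(check_layout '/C=CN/ST=GD/L=city/O=company/CN=ROOTCA' \
                    '/C=CN/ST=GD/L=city/O=company/CN=127.0.0.1')"
}

if [ "${1:-}" = run ]; then main; fi
```

Run it as `sh check-chain.sh run` (the file name is an assumption); the answer's layout always reports `same_name=no verify=ok`, the question's layout reports `same_name=yes` and, on an OpenSSL that adds no key identifier extensions, `verify=fail`. One further note on the question's config: `allowInvalidHostnames: true` relaxes hostname validation on mongod's TLS connections; it is tolerable for a single local instance, but once the server certificate names the address clients use, as the answer's CN=127.0.0.1 does, it is not needed and should not be carried into a production config.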