How to correctly configure MongoDB to use Letsencrypt SSL on Ubuntu


Solution 1

You combined the wrong pem files. You need to combine privkey.pem with cert.pem.

cat /etc/letsencrypt/live/example.com/privkey.pem /etc/letsencrypt/live/example.com/cert.pem > /etc/ssl/mongo.pem

For the CAFile you need to download IdenTrust DST Root CA X3 from https://www.identrust.com/certificates/trustid/root-download-x3.html

sudo touch /etc/ssl/ca.crt
sudo chmod 777 /etc/ssl/ca.crt

Add the certificate of the website, add -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines and make sure you end with a new line saving the file:

sudo vi /etc/ssl/ca.crt

Then convert the crt file to a pem using:

sudo touch /etc/ssl/ca.pem
sudo chmod 777 /etc/ssl/ca.pem
sudo openssl x509 -in /etc/ssl/ca.crt -out /etc/ssl/ca.pem -outform PEM

And combine with chain.pem from Let's Encrypt into a single file ca.pem

sudo cat /etc/letsencrypt/live/example.com/chain.pem >> /etc/ssl/ca.pem

To set the CAFile follow this mongo configuration setup:

net:
  port: 27017
  bindIp: 0.0.0.0
  ssl:
    mode: requireSSL
    PEMKeyFile: /etc/ssl/mongo.pem
    CAFile: /etc/ssl/ca.pem

Restart MongoDB:

sudo systemctl restart mongod
sudo systemctl status mongod

Don't forget that when you renew the Let's Encrypt certificates, you also need to renew mongo.pem and ca.pem.
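The renewal step above, as an added example that is not the answer author's code: a POSIX sh certbot deploy hook that rebuilds both bundles in the same order Solution 1 uses, keeps the private key out of world-readable files, and refuses to restart mongod if the bundles look wrong. It assumes certbot's RENEWED_LINEAGE variable, a mongod service user named mongodb, and /etc/ssl as the output directory; wire it up with certbot renew --deploy-hook /path/to/this-script.

```shell
#!/bin/sh
# Added example (not from the original answer): rebuild mongo.pem and ca.pem
# after a Let's Encrypt renewal, in the order Solution 1 uses.
# Assumptions: run as root from a certbot deploy hook (certbot exports
# RENEWED_LINEAGE there); mongod runs as user "mongodb"; output dir /etc/ssl.
set -eu

# PEMKeyFile: private key first, then the leaf certificate (privkey.pem + cert.pem).
# Usage: build_mongo_pem LIVE_DIR OUT_DIR
build_mongo_pem() {
    live="$1"; out="$2"; tmp="$out/mongo.pem.tmp"
    (umask 077 && cat "$live/privkey.pem" "$live/cert.pem" > "$tmp")  # never world-readable
    chmod 0600 "$tmp"
    mv "$tmp" "$out/mongo.pem"   # atomic swap: mongod never reads a half-written file
}

# CAFile: optional extra root certificate first, then chain.pem (the intermediate).
# Usage: build_ca_pem LIVE_DIR OUT_DIR [ROOT_PEM]
build_ca_pem() {
    live="$1"; out="$2"; root="${3:-}"; tmp="$out/ca.pem.tmp"
    if [ -n "$root" ]; then cat "$root" "$live/chain.pem" > "$tmp"
    else cat "$live/chain.pem" > "$tmp"; fi
    chmod 0644 "$tmp"            # public certificates only, so readable is fine
    mv "$tmp" "$out/ca.pem"
}

# Sanity check before restarting mongod: the key must lead mongo.pem, both files
# must hold a certificate, and no private key may leak into ca.pem. Exit 0 = OK.
check_bundles() {
    out="$1"
    head -n 1 "$out/mongo.pem" | grep -q 'BEGIN .*PRIVATE KEY' || return 1
    grep -q 'BEGIN CERTIFICATE' "$out/mongo.pem" || return 1
    grep -q 'BEGIN CERTIFICATE' "$out/ca.pem" || return 1
    ! grep -q 'PRIVATE KEY' "$out/ca.pem" || return 1
}

# Deploy-hook entry point: only runs when certbot hands us a renewed lineage.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    build_mongo_pem "$RENEWED_LINEAGE" /etc/ssl
    build_ca_pem "$RENEWED_LINEAGE" /etc/ssl "${EXTRA_ROOT_PEM:-}"
    chown mongodb:mongodb /etc/ssl/mongo.pem   # mongod must read it, nobody else
    if check_bundles /etc/ssl; then
        systemctl restart mongod
    else
        echo "refusing to restart mongod: bundles look wrong" >&2; exit 1
    fi
fi
```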

Solution 2

The CA file you need can be obtained from Letsencrypt, look for one of the intermediate certificates here:

https://letsencrypt.org/certificates/

Then, specify the path to that certificate with the SSL CAFile option.


Author by Petah

Updated on September 18, 2022

Comments

  • Petah
    Petah over 1 year

    How do I correctly configure MongoDB to use Letsencrypt SSL on Ubuntu?

    I have created an SSL certificate using Letsencrypt and combined it via:

    cat /etc/letsencrypt/live/example.com/fullchain.pem /etc/letsencrypt/live/example.com/privkey.pem > /etc/ssl/mongo.pem

    And set up the mongo config like:

    net:
      port: 27017
      bindIp: 0.0.0.0
      ssl:
        mode: requireSSL
        PEMKeyFile: /etc/ssl/mongo.pem

    But I get this error when trying to start Mongo:

    No SSL certificate validation can be performed since no CA file has been provided; please specify an sslCAFile parameter

    How do I correctly set the CAFile? Doesn't Ubuntu typically use a "CA Path" with a bunch of different root certs in their own files? I tried using the CURL CA bundle but that didn't work either.

    I'm using Mongo v3.0.12 and Ubuntu 14.04

    • Michael Hampton
      Michael Hampton over 7 years
      I would first try doing what the error message suggests.
    • Petah
      Petah over 7 years
      @MichaelHampton But where/what CA File am I supposed to use? Doesn't Ubuntu typically use a "CA Path" with a bunch of different root certs in their own files? I tried using the CURL CA bundle but that didn't work either.
  • Rodrigo Pinto
    Rodrigo Pinto over 6 years
    Awesome answer! I can't thank you enough. Why did you use a CAFile from Identrust instead of Let's Encrypt (letsencrypt.org/certificates)?
  • Herman Fransen
    Herman Fransen over 6 years
    @RodrigoPedroso - Good question, don't know.
  • devansvd
    devansvd over 4 years
    Because Let's Encrypt was quite new at that time, they were using IdenTrust to cross-sign their certificates. You can download it directly from letsencrypt.org/certs/trustid-x3-root.pem.txt. Now Let's Encrypt is widely trusted.