How to correctly configure MongoDB to use Letsencrypt SSL on Ubuntu
Solution 1
You combine the wrong pem files. You need to combine privkey.pem
with cert.pem
.
cat /etc/letsencrypt/live/example.com/privkey.pem /etc/letsencrypt/live/example.com/cert.pem > /etc/ssl/mongo.pem
For the CAFile you need to download IdenTrust DST Root CA X3 from https://www.identrust.com/certificates/trustid/root-download-x3.html
sudo touch /etc/ssl/ca.crt
sudo chmod 777 /etc/ssl/ca.crt
Add the certificate of the website, add -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines and make sure you end with a new line saving the file:
sudo vi /etc/ssl/ca.crt
Then convert the crt file to a pem using:
sudo touch /etc/ssl/ca.pem
sudo chmod 777 /etc/ssl/ca.pem
sudo openssl x509 -in /etc/ssl/ca.crt -out /etc/ssl/ca.pem -outform PEM
And combine with chain.pem
from Let's Encrypt into a single file ca.pem
sudo cat /etc/letsencrypt/live/example.com/chain.pem >> /etc/ssl/ca.pem
To set the CAFile follow this mongo configuration setup:
net:
port: 27017
bindIp: 0.0.0.0
ssl:
mode: requireSSL
PEMKeyFile: /etc/ssl/mongo.pem
CAFile: /etc/ssl/ca.pem
Restart MongoDB:
sudo systemctl restart mongod
sudo systemctl status mongod
Don't forget the moment when you renew the Let's Encrypt certificates, you need to renew also mongo.pem
and ca.pem
.
Solution 2
The CA file you need can be obtained from Letsencrypt, look for one of the intermediate certificates here:
https://letsencrypt.org/certificates/
Then, specify the path to that certificate with the SSL CAFile option.
Related videos on Youtube
Comments
-
Petah over 1 year
How do I correctly configure MongoDB to use Letsencrypt SSL on Ubuntu?
I have created an SSL certificate using Letsencrypt and combined it via:
cat /etc/letsencrypt/live/example.com/fullchain.pem /etc/letsencrypt/live/example.com/privkey.pem > /etc/ssl/mongo.pem
And setup mongo config like:
net: port: 27017 bindIp: 0.0.0.0 ssl: mode: requireSSL PEMKeyFile: /etc/ssl/mongo.pem
But I get this error when trying to start Mongo:
No SSL certificate validation can be performed since no CA file has been provided; please specify an sslCAFile parameter
How do I correctly set the CAFile? Doesn't Ubuntu typically use a "CA Path" with a bunch of different root certs in their own files? I tried using the CURL CA bundle but that didn't work either.
Im using Mongo v3.0.12 and Ubuntu 14.04
-
Michael Hampton over 7 yearsI would first try doing what the error message suggests.
-
Petah over 7 years@MichaelHampton But where/what CA File am I supposed to use? Doesn't Ubuntu typically use a "CA Path" with a bunch of different root certs in their own files? I tried using the CURL CA bundle but that didn't work either.
-
-
Rodrigo Pinto over 6 yearsAwesome answer! I can't thank you enough. Why did you use a CAFile from Identrust instead of Let's Encrypt (letsencrypt.org/certificates)?
-
Herman Fransen over 6 years@RodrigoPedroso - Good question, don't know.
-
devansvd over 4 yearsBecause let's encrypt is quite new at that time, they are using Identrust to cross sign their certificates. You can download it directly from letsencrypt.org/certs/trustid-x3-root.pem.txt. Now Let's encrypt is widely trusted