MongoDB: Getting SSL peer certificate validation failed: self signed certificate
In your mongod configuration file, you specify SSL mode to be requireSSL. This means that the mongod server only uses and accepts TLS/SSL encrypted connections.
The client (the mongo shell in your case) needs to specify --sslPEMKeyFile to pass the client's PEM file.
See also mongo shell SSL configuration or Tutorial: configure SSL for clients.
Regarding security, be extra careful when enabling such configurations. Please see the description of the two parameters for what they're for: --allowInvalidCertificates and --allowInvalidHostnames.
sagioto
Updated on September 18, 2022
Comments
-
sagioto over 1 year
I followed this tutorial to create both a root CA certificate and then used it to sign a key for the mongod server. I run mongod with this configuration, following this doc:
    net:
      ssl:
        mode: requireSSL
        PEMKeyFile: /home/user/device.pem
        CAFile: /home/user/rootCA.pem
        allowInvalidCertificates: true
        allowInvalidHostnames: true
The 2 last ones I added since I am getting a connection failure.
I'm using these lines to connect:
    ./mongo <host>:<port>/<db> -u <user> -p <pwd> --ssl --sslAllowInvalidCertificates --sslCAFile ~/Downloads/rootCA.pem
    ./mongo <host>:<port>/<db> -u <user> -p <pwd> --ssl --sslAllowInvalidCertificates
    ./mongo <host>:<port>/<db> -u <user> -p <pwd> --ssl
But all of these produce:
    MongoDB shell version v3.4.2
    connecting to: mongodb://<host>:<port>/<db>
    2017-03-30T14:39:15.307+0300 E NETWORK  [thread1] SSL peer certificate validation failed: self signed certificate
    2017-03-30T14:39:15.311+0300 E QUERY    [thread1] Error: socket exception [CONNECT_ERROR] for SSL peer certificate validation failed: self signed certificate :
    connect@src/mongo/shell/mongo.js:237:13
    @(connect):1:6
    exception: connect failed
Any idea what I am doing wrong? I know it's a self-signed certificate. Will appreciate your help.
Also tried following the answer in here: https://stackoverflow.com/questions/21297139/how-do-you-sign-certificate-signing-request-with-your-certification-authority/21340898#21340898
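The setup above (a root CA, a server key signed by it, and the client pointed at a CA file) can be checked outside of mongod before any of the allowInvalid* settings are touched. The script below is an added example, not code from the original post or from MongoDB's documentation: it rebuilds that setup with openssl and then runs the two checks a TLS client performs on the server certificate, whether it chains to the CA file it was given (the --sslCAFile side) and whether its name matches the host being connected to (the check --sslAllowInvalidHostnames would switch off). The hostname mongo.example.test, the CA names and all paths are assumed values; the second, unrelated CA stands in for a stale rootCA.pem that did not actually sign the server certificate, which is the first thing to rule out when the client rejects the chain.

```shell
#!/bin/sh
# Added example (not from the original post): reproduce the root-CA plus
# CA-signed server certificate layout with openssl and check it the way a
# TLS client does. All names and paths here are assumed.
set -e

# make_ca DIR NAME: self-signed root CA at DIR/NAME.pem with its key in DIR/NAME.key.
# The extension file marks it CA:TRUE so every OpenSSL version accepts it as a trust anchor.
make_ca() {
    dir="$1"; name="$2"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
    openssl req -newkey rsa:2048 -nodes -keyout "$dir/$name.key" \
        -out "$dir/$name.csr" -subj "/CN=$name" 2>/dev/null
    openssl x509 -req -in "$dir/$name.csr" -signkey "$dir/$name.key" \
        -days 365 -extfile "$dir/ca.ext" -out "$dir/$name.pem" 2>/dev/null
}

# make_server_cert DIR CA HOST: key and certificate for HOST signed by DIR/CA.pem.
# Writes DIR/device.crt and DIR/device.pem (key followed by certificate, the
# layout mongod's PEMKeyFile expects).
make_server_cert() {
    dir="$1"; ca="$2"; host="$3"
    # Clients match the host they connect to against subjectAltName.
    printf 'subjectAltName=DNS:%s\n' "$host" > "$dir/san.ext"
    openssl req -newkey rsa:2048 -nodes -keyout "$dir/device.key" \
        -out "$dir/device.csr" -subj "/CN=$host" 2>/dev/null
    openssl x509 -req -in "$dir/device.csr" -CA "$dir/$ca.pem" -CAkey "$dir/$ca.key" \
        -CAcreateserial -days 365 -extfile "$dir/san.ext" -out "$dir/device.crt" 2>/dev/null
    cat "$dir/device.key" "$dir/device.crt" > "$dir/device.pem"
}

# cert_field FIELD FILE: subject or issuer DN of the certificate in FILE, "field=" prefix stripped.
cert_field() {
    openssl x509 -noout "-$1" -in "$2" | sed 's/^[a-z]*= *//'
}

# issued_by CAFILE CERT: succeeds when CERT's issuer DN equals CAFILE's subject DN,
# i.e. the CA file handed to the client is the one that signed the server certificate.
issued_by() {
    [ "$(cert_field subject "$1")" = "$(cert_field issuer "$2")" ]
}

# verify_chain CAFILE CERT: the chain validation --sslCAFile makes the client perform.
verify_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# verify_host CAFILE CERT HOST: chain validation plus the hostname match that
# --sslAllowInvalidHostnames would disable.
verify_host() {
    openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

main() {
    dir=$(mktemp -d)
    make_ca "$dir" rootCA
    make_ca "$dir" otherCA          # unrelated CA: stands in for a stale rootCA.pem
    make_server_cert "$dir" rootCA mongo.example.test

    verify_chain "$dir/rootCA.pem" "$dir/device.crt" && echo "rootCA.pem:  chain OK"
    verify_chain "$dir/otherCA.pem" "$dir/device.crt" || echo "otherCA.pem: chain FAILED (this CA did not issue device.crt)"
    verify_host "$dir/rootCA.pem" "$dir/device.crt" mongo.example.test && echo "host mongo.example.test: OK"
    verify_host "$dir/rootCA.pem" "$dir/device.crt" 10.0.0.5 || echo "host 10.0.0.5: mismatch (SAN is DNS:mongo.example.test)"
    rm -rf "$dir"
}

main
```

If the chain check against the CA file you pass to the client fails while `issued_by` says the issuer names do not match, the client is simply being given the wrong CA; if the names match but the chain still fails, the CA file contains a different key than the one that signed the server certificate (for example after the CA was regenerated). Only once both checks pass does a hostname mismatch remain, and that is fixed by issuing the server certificate for the name the client actually connects to rather than by relaxing validation.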
-
sagioto about 7 years
Are you sure that clients have to have certificates? I understood that's the case only if I specify the CAFile parameter as well. Regarding security, of course I'm only trying to relax the restrictions as far as possible to make the connection work and then restrict it again once I figure out what is wrong, and it's not production and doesn't have any data in it at all...