MongoDB Self-signed SSL connection: SSL peer certificate validation failed


After some searching, it seems like this error is due to the fact that the hostname "CN" was incorrect.

From digitalocean:

Whenever you generate a CSR, you will be prompted to provide information regarding the certificate. This information is known as a Distinguised Name (DN). An important field in the DN is the Common Name (CN), which should be the exact Fully Qualified Domain Name (FQDN) of the host that you intend to use the certificate with.

Also from MongoDB documentation:

If your MongoDB deployment uses SSL, you must also specify the --host option. mongo verifies that the hostname of the mongod or mongos to which you are connecting matches the CN or SAN of the mongod or mongos's --sslPEMKeyFile certificate. If the hostname does not match the CN/SAN, mongo will fail to connect.

SOLUTION:

I regenerated the keys, replaced localhost with any other hostname in the CN = <hostname> and completed the guide by Wan Bachtiar.

Running the following command after completion worked:

$ mongo --port 27017 -u '<_username_>' -p '<_password_>' \
    --authenticationDatabase "<_my db_>" --ssl --sslPEMKeyFile \
    /etc/ssl/client.pem --sslCAFile /etc/ssl/ca.pem --host localhost

Note: MongoDB follows strict rules about who has access to which db; a quick test in the mongo shell:

> show dbs

returns an error. However, my user actually only has access to the db specified in "<my db>", so looping through the rows in "<my db>" works perfectly.
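As an added example (not part of the original question or answer, and not code from the linked guide), the script below reproduces the CN/SAN-versus-hostname check that mongo performs, using only openssl, so a freshly generated certificate can be validated against the intended --host value before mongod is started with it. It assumes openssl 1.1.0 or newer is on PATH (for `verify -verify_hostname`) and uses the hostname "tim" from the question; the CA name and temporary file names are made up for the example.

```shell
#!/bin/sh
# Added example, not code from the question or the linked guide.
# Assumptions: openssl >= 1.1.0 on PATH; server hostname "tim" as in the question.
set -u

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Minimal req config so the example does not depend on the system openssl.cnf.
# The placeholder CN is always overridden by -subj below.
cat > "$WORK/req.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF

# make_certs HOST: create a throwaway CA (ca.pem) and a server certificate
# (server.crt) whose CN *and* subjectAltName are HOST, i.e. what the server
# certificate must contain for a mongod that clients reach as --host HOST.
make_certs() {
  host="$1"
  openssl req -x509 -config "$WORK/req.cnf" -subj "/CN=example-test-ca" \
    -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1 || return 1
  openssl req -new -config "$WORK/req.cnf" -subj "/CN=$host" \
    -newkey rsa:2048 -nodes \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1 || return 1
  printf 'subjectAltName=DNS:%s\n' "$host" > "$WORK/san.cnf"
  openssl x509 -req -days 1 -in "$WORK/server.csr" \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/san.cnf" -out "$WORK/server.crt" >/dev/null 2>&1
}

# check_host HOST: exit 0 only if server.crt chains to ca.pem AND its CN/SAN
# matches HOST. The name check is the part that fails when the certificate
# carries one hostname and the client connects using another.
check_host() {
  openssl verify -CAfile "$WORK/ca.pem" -verify_hostname "$1" \
    "$WORK/server.crt" >/dev/null 2>&1
}

# cert_names: print the subject and SAN actually embedded in server.crt, the
# first thing to compare against the --host value when the mongo shell reports
# "SSL peer certificate validation failed".
cert_names() {
  openssl x509 -in "$WORK/server.crt" -noout -subject
  openssl x509 -in "$WORK/server.crt" -noout -text | grep 'DNS:'
}

# Demo: a certificate issued for "tim" passes for --host tim and fails for
# --host localhost, which is exactly the mismatch the answer above describes.
make_certs tim
cert_names
if check_host tim; then echo "tim: certificate chain and hostname OK"; fi
if check_host localhost; then
  echo "localhost: OK"
else
  echo "localhost: hostname does not match the certificate CN/SAN"
fi
```

Running `check_host` with the exact value you intend to pass to `--host` is a cheap way to tell a CA-trust problem (wrong or missing --sslCAFile) from a name problem (wrong CN/SAN) before involving mongod at all.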

Author: Mattis Asp

Updated on July 09, 2022

Comments

  • Mattis Asp (almost 2 years ago)

    I have followed this guide, Self-signed SSL connection using PyMongo by Wan Bachtiar, to create three .pem files: server.pem, client.pem and ca.pem.

    I am using Ubuntu 16.04 and MongoDB v3.2.11.

    The purpose is to secure the MongoDB before opening it to the public internet.

    Let's start the mongod:

    $ mongod --auth --port 27017 --dbpath /data/db1 \
        --sslMode requireSSL --sslPEMKeyFile /etc/ssl/server.pem \
        --sslCAFile /etc/ssl/ca.pem --sslAllowInvalidHostnames &

    Output:

    root@tim:/etc/ssl# 2017-01-13T12:58:55.150+0000 I CONTROL  [initandlisten] MongoDB starting : pid=19058 port=27017 dbpath=/data/db1 64-bit host=tim
    2017-01-13T12:58:55.150+0000 I CONTROL  [initandlisten] db version v3.2.11
    2017-01-13T12:58:55.151+0000 I CONTROL  [initandlisten] git version: 009580ad490190ba33d1c6253ebd8d91808923e4
    2017-01-13T12:58:55.151+0000 I CONTROL  [initandlisten] OpenSSL version: OpenSSL 1.0.2g  1 Mar 2016
    2017-01-13T12:58:55.152+0000 I CONTROL  [initandlisten] allocator: tcmalloc
    2017-01-13T12:58:55.152+0000 I CONTROL  [initandlisten] modules: none
    2017-01-13T12:58:55.152+0000 I CONTROL  [initandlisten] build environment:
    2017-01-13T12:58:55.152+0000 I CONTROL  [initandlisten]     distmod: ubuntu1604
    2017-01-13T12:58:55.152+0000 I CONTROL  [initandlisten]     distarch: x86_64
    2017-01-13T12:58:55.152+0000 I CONTROL  [initandlisten]     target_arch: x86_64
    2017-01-13T12:58:55.153+0000 I CONTROL  [initandlisten] options: { net: { port: 27017, ssl: { CAFile: "/etc/ssl/ca.pem", PEMKeyFile: "/etc/ssl/server.pem", allowInvalidHostnames: true, mode: "requireSSL" } 
    }, security: { authorization: "enabled" }, storage: { dbPath: "/data/db1" } }
    2017-01-13T12:58:55.211+0000 I -        [initandlisten] Detected data files in /data/db1 created by the 'wiredTiger' storage engine, so setting the active storage engine to 'wiredTiger'.
    2017-01-13T12:58:55.212+0000 W -        [initandlisten] Detected unclean shutdown - /data/db1/mongod.lock is not empty.
    2017-01-13T12:58:55.212+0000 W STORAGE  [initandlisten] Recovering data from the last clean checkpoint.
    2017-01-13T12:58:55.212+0000 I STORAGE  [initandlisten] wiredtiger_open config: create,cache_size=1G,session_max=20000,eviction=(threads_max=4)
    ,config_base=false,statistics=(fast),log=(enabled=true,archive=true,path=journal,compressor=snappy),file_manager=(close_idle_time=100000),checkpoint=(wait=60,log_size=2GB),statistics_log=(wait=0),
    2017-01-13T12:58:55.886+0000 I CONTROL  [initandlisten] ** WARNING: You are running this process as the root user, which is not recommended.
    2017-01-13T12:58:55.886+0000 I CONTROL  [initandlisten]
    2017-01-13T12:58:55.895+0000 I FTDC     [initandlisten] Initializing full-time diagnostic data capture with directory '/data/db1/diagnostic.data'
    2017-01-13T12:58:55.897+0000 I NETWORK  [initandlisten] waiting for connections on port 27017 ssl
    2017-01-13T12:58:55.897+0000 I NETWORK  [HostnameCanonicalizationWorker] Starting hostname canonicalization worker
    2017-01-13T12:58:56.026+0000 I FTDC     [ftdc] Unclean full-time diagnostic data capture shutdown detected, found interim file, some metrics may have been lost. OK
    

    After running the mongod, I start the mongo shell:

    $ mongo --port 27017 -u "my username" -p "my password" \
        --authenticationDatabase "" --ssl --sslPEMKeyFile /etc/ssl/client.pem \
        --sslCAFile /etc/ssl/ca.pem --host tim

    The output is similar to the question by Marshall Farrier; let's have a look.

    MongoDB shell version: 3.2.11
    connecting to: 127.0.0.1:27017/datatest
    2017-01-13T12:35:58.247+0000 I NETWORK  [initandlisten] connection accepted from 127.0.0.1:38902 #8 (1 connection now open)
    2017-01-13T12:35:58.259+0000 E NETWORK  [thread1] SSL peer certificate validation failed: self signed certificate
    2017-01-13T12:35:58.259+0000 E QUERY    [thread1] Error: socket exception [CONNECT_ERROR] for SSL peer certificate validation failed: self signed certificate :
    connect@src/mongo/shell/mongo.js:231:14
    @(connect):1:6
    
    2017-01-13T12:35:58.263+0000 E NETWORK  [conn8] SSL peer certificate validation failed: self signed certificate
    2017-01-13T12:35:58.263+0000 I NETWORK  [conn8] end connection 127.0.0.1:38902 (0 connections now open)
    

    What am I doing wrong?