mongodb and SSL support
Hi, I've enabled requireSSL on my mongo 3.2 rs and although the stats are being collected correctly, I can no longer issue commands through clustercontrol like restart node. The job fails because there is no obvious ssl support for the mongo cli. e.g. ability to specify parameters like --ssl, --host, --SSLCAFile
-----
Failed command 'mongo 127.0.0.1:27017/admin --username blah --password blah --authenticationDatabase admin --eval "db.shutdownServer({force: false, stopTimeoutSecs: 1800})"'. ExitCode: 1
StdErr:
StdOut:Percona Server for MongoDB shell version: 3.2.18-3.9
connecting to: 127.0.0.1:27017/admin
2018-09-12T08:51:20.393+0000 E QUERY [thread1] Error: network error while attempting to run command 'isMaster' on host '127.0.0.1:27017' :
connect@src/mongo/shell/mongo.js:231:14
@(connect):1:6
----
I don't see it mentioned anywhere in the docs and I'm not sure where the commands exist within the product (are they in the mysql db or in an editable script). I'd love to have this work either officially or through a hack. Any thoughts? Or an ability to exclude localhost connections from SSL requirements?
Thanks
Ross
-
Hello Ross,
As of now, you can try to set:
net.ssl.mode: preferSSL
instead of
net.ssl.mode: requireSSL
The preferSSL will allow non-SSL connections, so CC will work. However, please bear in mind it will be possible to connect without SSL from any host allowed to connect.
Kind regards,
Bart
-
Hi Bart
Thanks for the response. Unfortunately preferSSL leaves server-to-server replication unencrypted. According to the docs only requireSSL forces both replication and client connections. My main requirement is server to server. I was hoping there would be a way to force the mongo client to default to SSL via a config file (similar to mysql.cnf) but there doesn't seem to be anything.
Any idea where the stop/start commands are defined in the product? In a bash file or in a SQL table? I can then manually hack it until supported.
Many thanks
Ross
-
Hi Ross,
Appreciate your feedback. Strict method requireSSL is not yet supported, but developers will address that in the next releases. However, for the connections where the key is present preferSSL method will make them encrypted, so it should be able to secure them even if at this point it's not enforced for all connections.
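The failure in the thread is a plain-text `mongo` shell connection hitting a server in `requireSSL` mode, and the suggested workaround trades that for `preferSSL`, which accepts unencrypted clients. The following is an added example, not code from ClusterControl or the poster, that reads the `net.ssl.mode` out of a mongod.conf (or the dotted `net.ssl.mode: value` form used above), decides whether a given shell command line would be accepted, and flags the weaker modes. The YAML flattener, the sample config and the file paths are constructed for the example.

```python
"""Check a `mongo` shell command line against the server's net.ssl.mode."""
import shlex

# Client transports each net.ssl.mode accepts (from the MongoDB server docs).
ACCEPTS = {
    "disabled":   {"plain"},
    "allowSSL":   {"plain", "tls"},
    "preferSSL":  {"plain", "tls"},
    "requireSSL": {"tls"},
}

# Constructed sample config and the shutdown command quoted in the thread.
REQUIRE_SSL_CONF = """net:
  port: 27017
  ssl:
    mode: requireSSL
    PEMKeyFile: /etc/ssl/mongod.pem   # hypothetical path
"""
CC_COMMAND = ('mongo 127.0.0.1:27017/admin --username blah --password blah '
              '--authenticationDatabase admin '
              '--eval "db.shutdownServer({force: false, stopTimeoutSecs: 1800})"')


def flatten_yaml(text):
    """Hypothetical helper: flatten nested 'key: value' YAML (the subset mongod.conf
    uses; no lists or anchors) into dotted keys such as 'net.ssl.mode'."""
    out, stack = {}, []          # stack of (indent, key) for the current path
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack and stack[-1][0] >= indent:   # leave deeper/sibling scopes
            stack.pop()
        stack.append((indent, key.strip()))
        if value.strip():
            out[".".join(k for _, k in stack)] = value.strip()
    return out


def check_client(conf_text, command):
    """Return (mode, findings): findings is empty when the command connects
    cleanly and the mode does not admit unencrypted clients."""
    mode = flatten_yaml(conf_text).get("net.ssl.mode", "disabled")
    argv = shlex.split(command)
    uses_tls = "--ssl" in argv
    transport = "tls" if uses_tls else "plain"
    findings = []
    if transport not in ACCEPTS[mode]:
        findings.append("%s transport rejected under net.ssl.mode=%s" % (transport, mode))
    if uses_tls and not any(a.startswith("--sslCAFile") for a in argv):
        findings.append("--ssl without --sslCAFile: no CA given to validate the server cert")
    if mode in ("allowSSL", "preferSSL"):
        findings.append("mode %s accepts unencrypted clients from any allowed host" % mode)
    return mode, findings


if __name__ == "__main__":
    print(check_client(REQUIRE_SSL_CONF, CC_COMMAND))
```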