I have implemented MongoDB TLS encryption on the server side (using self-signed certs), with the following configuration.

systemLog:
  destination: file
  path: "/var/log/mongodb/mongod.log"
  logAppend: true
storage:
  dbPath: "/data/db"
  journal:
    enabled: true
net:
  bindIpAll: true
  port: 27017
  tls:
    mode: requireTLS
    certificateKeyFile: /etc/ssl/mongod.pem
How do I connect to this instance from a client and verify that the TLS encryption is successful?
CodePudding user response:
Verification is simple, because you set requireTLS. If you can connect to the MongoDB, then TLS encryption is also successful; otherwise you cannot connect.

When you enable TLS, I assume you would also like to enable authorization. You would need to add:

security:
  authorization: enabled
If you authenticate users by username/password, then you have to set allowConnectionsWithoutCertificates:

net:
  port: 27017
  bindIpAll: true
  tls:
    mode: requireTLS
    certificateKeyFile: /etc/ssl/mongod.pem
    allowConnectionsWithoutCertificates: true
Connection would be like this:
mongosh 'mongodb://user:password@hostname/?authSource=admin&tls=true&tlsCAFile=/etc/ssl/certs/ca-bundle.crt'
Note: if you use the legacy mongo shell, then you cannot use the TLS settings in the URI; instead use
mongo 'mongodb://user:password@hostname/?authSource=admin' --tls --tlsCAFile /etc/ssl/certs/ca-bundle.crt
Without allowConnectionsWithoutCertificates you would also need a certificate on the client; see Use x.509 Certificates to Authenticate Clients.

If you would just like to verify the TLS settings, I recommend the openssl tool:
openssl s_client -showcerts -CAfile /etc/ssl/certs/ca-bundle.crt -brief -connect your_hostname:27017 <<< "Q"
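The openssl check above tells you whether the handshake worked, but reading the `-brief` report by eye is error-prone, and "it connected" is not the same as "the certificate chained to the CA I trust". The script below is an added example (not part of the original question or answer) that runs the same `openssl s_client -brief` command and then judges its report: it requires both a completed handshake and `Verification: OK`, so a self-signed server certificate that is missing from the CA file is reported as a failure rather than silently accepted. The host, port and CA path are assumptions set through environment variables; the sample report used for the offline self-check is constructed, not captured from a real server.

```shell
#!/bin/sh
# Added example, not from the original post. Verifies a mongod running with
# net.tls.mode: requireTLS from the client side using openssl s_client.

# Assumptions: set these to your mongod host and the CA that signed mongod.pem.
MONGO_HOST="${MONGO_HOST:-}"                          # empty = skip live check
MONGO_PORT="${MONGO_PORT:-27017}"
CA_FILE="${CA_FILE:-/etc/ssl/certs/ca-bundle.crt}"

# Run the handshake against host:port and return the -brief report on stdout.
# Piping "Q" closes the session right after the handshake (same idea as <<< "Q").
tls_report() {
    printf 'Q\n' | openssl s_client -CAfile "$3" -brief -connect "$1:$2" 2>&1
}

# Judge a -brief report read from stdin. Returns 0 only if the handshake
# completed AND the server certificate verified against the CA file.
judge_report() {
    report=$(cat)
    status=0
    if printf '%s\n' "$report" | grep -q 'CONNECTION ESTABLISHED'; then
        echo "PASS: TLS handshake completed"
    else
        echo "FAIL: no TLS handshake (wrong port, or server not in requireTLS mode?)"
        status=1
    fi
    if printf '%s\n' "$report" | grep -q '^Verification: OK'; then
        echo "PASS: server certificate chains to the trusted CA"
    else
        # Typical for a self-signed mongod.pem that is not in CA_FILE:
        # the report shows "Verification error: self signed certificate".
        echo "FAIL: server certificate NOT verified against $CA_FILE"
        status=1
    fi
    if printf '%s\n' "$report" | grep -q 'Protocol version: TLSv1\.[23]'; then
        echo "PASS: TLS 1.2 or 1.3 negotiated"
    else
        echo "WARN: protocol version is older than TLS 1.2"
    fi
    return $status
}

# Offline self-check on a constructed report (not real server output), so the
# script demonstrates the judgement logic even without a reachable mongod.
SAMPLE_OK='CONNECTION ESTABLISHED
Protocol version: TLSv1.3
Ciphersuite: TLS_AES_256_GCM_SHA384
Peer certificate: CN = mongod.example.test
Hash used: SHA256
Signature type: RSA-PSS
Verification: OK
Server Temp Key: X25519, 253 bits'
echo "--- self-check on constructed report ---"
printf '%s\n' "$SAMPLE_OK" | judge_report

# Live check, only when a host was supplied.
if [ -n "$MONGO_HOST" ]; then
    echo "--- live check against $MONGO_HOST:$MONGO_PORT ---"
    tls_report "$MONGO_HOST" "$MONGO_PORT" "$CA_FILE" | judge_report
fi
```

Run it as `MONGO_HOST=db.example.test CA_FILE=/path/to/ca.crt sh check_mongo_tls.sh`; a non-zero exit means either the handshake failed (likely a port or requireTLS problem) or the certificate did not chain to the given CA, which is exactly the case a self-signed deployment needs to catch before trusting the connection.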