
Mongodb TLS encryption


I have implemented MongoDB TLS encryption on the server side (using self-signed certs), with the following configuration.

    systemLog:
      destination: file
      path: "/var/log/mongodb/mongod.log"
      logAppend: true
    storage:
      dbPath: "/data/db"
      journal:
        enabled: true
    net:
      bindIpAll: true
      port: 27017
      tls:
        mode: requireTLS
        certificateKeyFile: /etc/ssl/mongod.pem

How do I connect to this instance from client and verify that the TLS encryption is successful?


Solution

  • Verification is simple, because you set requireTLS. If you can connect to MongoDB, then TLS encryption is also successful; otherwise you cannot connect.

    When you enable TLS, I assume you would also like to enable authorization. You would need to add:

    security:
       authorization: enabled
    

    If you authenticate users by username/password, then you have to set allowConnectionsWithoutCertificates:

    net:
      port: 27017
      bindIpAll: true
      tls:
        mode: requireTLS
        certificateKeyFile: /etc/ssl/mongod.pem
        allowConnectionsWithoutCertificates: true
    

    Connection would be like this:

    mongosh 'mongodb://user:password@hostname/?authSource=admin&tls=true&tlsCAFile=/etc/ssl/certs/ca-bundle.crt'
    

    Note: if you use the legacy mongo shell, then you cannot use the TLS settings in the URI; instead use

    mongo 'mongodb://user:password@hostname/?authSource=admin' --tls --tlsCAFile /etc/ssl/certs/ca-bundle.crt
    

    Without allowConnectionsWithoutCertificates you would also need a certificate on the client; see Use x.509 Certificates to Authenticate Clients.

    If you just want to verify the TLS settings, I recommend the openssl tool:

    openssl s_client -showcerts -CAfile /etc/ssl/certs/ca-bundle.crt -brief -connect your_hostname:27017 <<< "Q"
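As an added example (not from the question or the answer above), a small POSIX shell helper that automates the openssl check: it runs s_client -brief and accepts the listener only if the handshake completed, the server chain verified against the given CA file, and the negotiated protocol is TLS 1.2 or 1.3. Host, port and CA path are caller-supplied placeholders, and the sample outputs embedded for offline testing are constructed.

```shell
#!/bin/sh
# Added example (not part of the original post). Checks a MongoDB
# requireTLS listener through openssl s_client's -brief summary.

# Read s_client -brief output on stdin. Return 0 only if the handshake
# completed, the chain verified against the CA, and the protocol is
# TLSv1.2 or TLSv1.3. Non-zero codes say which check failed.
check_tls_brief() {
  out=$(cat)
  printf '%s\n' "$out" | grep -q '^CONNECTION ESTABLISHED' || return 1
  printf '%s\n' "$out" | grep -q '^Verification: OK' || return 2
  printf '%s\n' "$out" | grep -Eq '^Protocol version: TLSv1\.[23]$' || return 3
  return 0
}

# Live check against a host (hypothetical placeholders for host/CA file).
# -brief writes its summary to stderr, hence 2>&1; "Q" closes the session.
verify_mongo_tls() {
  host=$1; port=${2:-27017}; cafile=$3
  printf 'Q\n' | openssl s_client -brief -CAfile "$cafile" \
    -connect "$host:$port" 2>&1 | check_tls_brief
}

# Constructed sample: a healthy TLS 1.2 session with a verified chain.
sample_ok() {
  printf '%s\n' 'CONNECTION ESTABLISHED' 'Protocol version: TLSv1.2' \
    'Ciphersuite: ECDHE-RSA-AES256-GCM-SHA384' \
    'Peer certificate: CN = mongo.example.test' 'Verification: OK'
}

# Constructed sample: handshake works but the CA file does not match the
# server certificate, so the chain does not verify.
sample_bad_ca() {
  printf '%s\n' 'CONNECTION ESTABLISHED' 'Protocol version: TLSv1.2' \
    'Verification error: self-signed certificate in certificate chain'
}

# Constructed sample: server negotiated an outdated protocol version.
sample_old_tls() {
  printf '%s\n' 'CONNECTION ESTABLISHED' 'Protocol version: TLSv1.0' \
    'Verification: OK'
}
```

Run it as `verify_mongo_tls your_hostname 27017 /etc/ssl/certs/ca-bundle.crt && echo TLS OK`; the exit code (1, 2 or 3) tells you whether the handshake, the CA verification or the protocol version failed.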