Unable to connect to MongoDB server with authentication
we are trying to install and configure MongoDB (version 7.0) on our Ubuntu server. We used this document as our guide. This is what we did step by step (after having installed MongoDB server on the Ubuntu machine) from command line:
1 – Connect to one of the hosts and generate a new private key using openssl:
openssl genrsa -out mongoCA.key -aes256 8192
2 – Sign a new CA certificate:
openssl req -x509 -new -extensions v3_ca -key mongoCA.key -days 365 -out mongoCA.crt
3 – Issue self-signed certificates for all nodes
openssl req -new -nodes -newkey rsa:4096 -keyout mongossl1.key -out mongossl1.csr
openssl x509 -CA mongoCA.crt -CAkey mongoCA.key -CAcreateserial -req -days 365 -in mongossl1.csr -out mongossl1.crt
cat mongossl1.key mongossl1.crt > psmdb1.pem
This is our MongoDB configuration on our Ubuntu host machine:
net:
ssl:
mode: requireSSL
PEMKeyFile: /etc/mongodb/ssl/psmdb1.pem
CAFile: /etc/mongodb/ssl/mongoCA.crt
security:
authorization: enabled
clusterAuthMode: x509
Then we restart the MongoDB server on Ubuntu host.
Then we start mongo-shell (mongosh) on the Ubuntu host machine (the same one where MongoDB was just now configured and restarted), it is able to connect to that MongoDB instance fine.
However, when trying to connect from outside the mongo shell, either in the same Ubuntu host, or some other VM, through some client like PyMongo or even Compass, we are getting errors.
mongo --tls --tlsCAFile /etc/ssl/new/mongoCA.crt --tlsCertificateKeyFile /etc/ssl/new/psmdb1.pem --authenticationMechanism MONGODB-X509 --authenticationDatabase '$external' --host <our Ubuntu host public IP address> --port 27017
Any idea how to fix this?
You mixed up several topics.
security.clusterAuthMode: x509 is used for internal membership authentication in a Sharded Cluster and/or Replica Set. It looks like, you use a MongoDB Stand-alone instance, thus it does not apply.
In MongoDB you can use a server certificate to encrypt the connection. The server certificate is also used to guarantee that you connect to the correct server.
A client can authenticate with username/password or a client certificate.
In principle it is possible to use one single certificate for all, however it does not make much sense. Better create two certificates, one for the server and one for the client. You must also create the x.509 user. Have a look at Use x.509 Certificates to Authenticate Clients and How Security in MongoDB works (using x.509 cert) to get a generic overview.
Update
Based on your comment, your config-file is almost correct.
As already mentioned security.clusterAuthMode is not relevant on a Stand-alone MongoDB, you can skip it. You should use tls options instead of deprecated ssl options:
net:
tls:
mode: requireTLS
certificateKeyFile: /etc/mongodb/ssl/psmdb1.pem
CAFile: /etc/mongodb/ssl/mongoCA.crt
security:
authorization: enabled
When you connect to MongoDB then you have to use these parameters
mongosh --tls --tlsCAFile /etc/ssl/new/mongoCA.crt --tlsCertificateKeyFile /etc/ssl/new/psmdb1.pem --authenticationDatabase 'admin' --user 'username' --password 'secret' --host <our Ubuntu host public IP address> --port 27017
Legacy mongo shell mongo has been removed in MongoDB version 6.0. Port 27017 is the default, thus you can skip it.
Options --authenticationMechanism MONGODB-X509 --authenticationDatabase '$external' are used when you like to authenticate the client with x.509 certificate - which you are not asking for.
Read/write privileges are defined granted roles in createUser command. IP ranges you can restrict with parameter authenticationRestrictions, for example
use admin
db.runCommand(
{
createUser: "api",
pwd: "secret"
roles: [
{ role: "dbOwner", db: "application" }
],
authenticationRestrictions: [
{ clientSource: [ "10.20.30.0/24" ]
]
}
)
As I already mentioned, I would suggest to create dedicated client and server certificate, see extendedKeyUsage
- Mongoose Activity model with dynamic reference
- Mongoose Unique index not working!
- Error: Accessing non-existent property. Module exports in circular dependency
- MongoDB Full and Partial Text Search
- How to import Wikipedia XML dump into MongoDB?
- MongoDB - change simple field into an object
- MongoDB .deleteOne not working in Node.js
- Mongo DB deployment not working in kubernetes because processor doesn't have AVX support
- mongodb fulltext searching strategy
- MongoDB: Understand createUser and db admin
- Mongodb how to insert ONLY if does not exists (no update if exist)?
- MongoDB aggregate group condition
- Cannot overwrite model once compiled Mongoose
- Update array of Refs with sorted array in Mongo collection
- Config "eviction" for MongoDB in docker compose
- How to install mongodb PHP extension for PHP 7.1 in 2024
- Error Connecting MongoDB with JDBC: CommandNotFound for 'sqlGetResultSchema'
- Connection to mongodb remote server from windows
- How to write an efficient mongo query for complex structures
- How to seed a MongoDB single node replica set when the container starts
- Creating a dictionary schema with Mongoose
- Mongodb findOneAndUpdate - check if new document added, or just updated
- MongoDB GPG - Invalid Signatures
- Sorting the data in mongodb
- SpringData Mongo @Column equivalent annotation (@Property?)
- I am unable to get Mongoose Aggregate method to work
- How do I connect via Node.js to a DocDB cluster from local test computer?
- How to exclude number in MongoDB filter $gte and $lte
- Failed to import MongoDB libraries
- Unable to create/open lock file: /data/mongod.lock errno:13 Permission denied