Ssl

無法通過 SSL 連接到 MongoDb

  • October 21, 2016

我正在嘗試按照這些說明通過 SSL 連接到 MongoDB: https ://gist.github.com/leommoore/1e773a7d230ca4bbe1c2

我做的一個小改動是使用certbot certonly而不是letsencrypt-auto certonly.

在我的 /etc/letsencrypt/live/redacted.exampledomain.com/

lrwxrwxrwx. 1 root root 51 Oct 19 05:42 cert.pem -> ../../archive/redacted.exampledomain.com/cert1.pem
lrwxrwxrwx. 1 root root 52 Oct 19 05:42 chain.pem -> ../../archive/redacted.exampledomain.com/chain1.pem
lrwxrwxrwx. 1 root root 56 Oct 19 05:42 fullchain.pem -> ../../archive/redacted.exampledomain.com/fullchain1.pem
lrwxrwxrwx. 1 root root 54 Oct 19 05:42 privkey.pem -> ../../archive/redacted.exampledomain.com/privkey1.pem

在我的 /etc/letsencrypt/archive/redacted.exampledomain.com/ 目錄中,我有:

-rw-r--r--. 1 root root 1830 Oct 19 05:42 cert1.pem
-rw-r--r--. 1 root root 1647 Oct 19 05:42 chain1.pem
-rw-r--r--. 1 root root 3477 Oct 19 05:42 fullchain1.pem
-rw-r--r--. 1 root root 1704 Oct 19 05:42 privkey1.pem

這是我用來自動化該過程的腳本:

#!/bin/bash
# from: https://gist.github.com/leommoore/1e773a7d230ca4bbe1c2
SOURCE=/etc/letsencrypt/live/redacted.exampledomain.com
DEST=/etc/ssl/mongodb
cat ${SOURCE}/privkey.pem ${SOURCE}/cert.pem > ${DEST}/mongodb.pem
# (also tried this...)
# cat ${SOURCE}/privkey.pem ${SOURCE}/fullchain.pem > ${DEST}/mongodb.pem

if [ ! -e ${DEST}/ca.crt ] ; then
   # from: https://www.identrust.com/certificates/trustid/root-download-x3.html
   echo "-----BEGIN CERTIFICATE-----" > ${DEST}/ca.crt
   echo "MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/" >> ${DEST}/ca.crt
   echo "MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT" >> ${DEST}/ca.crt
   echo "DkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow" >> ${DEST}/ca.crt
   echo "PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD" >> ${DEST}/ca.crt
   echo "Ew5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB" >> ${DEST}/ca.crt
   echo "AN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O" >> ${DEST}/ca.crt
   echo "rz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq" >> ${DEST}/ca.crt
   echo "OLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b" >> ${DEST}/ca.crt
   echo "xiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw" >> ${DEST}/ca.crt
   echo "7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD" >> ${DEST}/ca.crt
   echo "aeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV" >> ${DEST}/ca.crt
   echo "HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG" >> ${DEST}/ca.crt
   echo "SIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69" >> ${DEST}/ca.crt
   echo "ikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr" >> ${DEST}/ca.crt
   echo "AvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz" >> ${DEST}/ca.crt
   echo "R8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5" >> ${DEST}/ca.crt
   echo "JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo" >> ${DEST}/ca.crt
   echo "Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ" >> ${DEST}/ca.crt
   echo "-----END CERTIFICATE-----" >> ${DEST}/ca.crt
   cat ${SOURCE}/chain.pem >> ${DEST}/ca.crt # also tried fullchain.pem, did not work
fi
openssl x509 -in ${DEST}/ca.crt -out ${DEST}/ca.pem -outform PEM
openssl verify -CAfile ${DEST}/ca.crt ${DEST}/mongodb.pem

當我執行它時,它輸出:/etc/ssl/mongodb/mongodb.pem: OK

我已將這些行添加到/etc/mongod.conf

ssl:
 mode: requireSSL
 PEMKeyFile: /etc/ssl/mongodb/mongodb.pem
 CAFile:     /etc/ssl/mongodb/ca.pem

重新啟動了服務。

我已將 2 個 .pem 文件複製到遠端主機,並嘗試使用以下命令進行遠端連接:

mongo --ssl -sslCAFile ${HOME}/mongodb/ca.pem --sslPEMKeyFile ${HOME}/mongodb/mongodb.pem redacted.exampledomain.com:27017/testdb

這是我收到的錯誤消息:

2016-10-19T18:53:21.851-0700 E NETWORK  [thread1] SSL peer certificate validation failed: unable to verify the first certificate
2016-10-19T18:53:21.852-0700 E QUERY    [thread1] Error: socket exception [CONNECT_ERROR] for SSL peer certificate validation failed: unable to verify the first certificate :
connect@src/mongo/shell/mongo.js:231:14
@(connect):1:6

exception: connect failed

我究竟做錯了什麼?我怎樣才能解決這個問題?我的最終目標是將數據從parse.com我自己的伺服器遷移。

這現在與這個組合有關:

  • 在 shell 腳本中,使用 fullchain.pem 而不是 cert.pem
  • mongod.conf中,不包括CAFile:一行

安裝腳本:

#!/bin/bash
# from: https://gist.github.com/leommoore/1e773a7d230ca4bbe1c2
SOURCE=/etc/letsencrypt/live/redacted.exampledomain.com
DEST=/etc/ssl/mongodb
# use fullchain.pem instead of cert.pem
# cat ${SOURCE}/privkey.pem ${SOURCE}/fullchain.pem > ${DEST}/mongodb.pem

if [ ! -e ${DEST}/ca.crt ] ; then
   # from: https://www.identrust.com/certificates/trustid/root-download-x3.html
   echo "-----BEGIN CERTIFICATE-----" > ${DEST}/ca.crt
   echo "MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/" >> ${DEST}/ca.crt
   echo "MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT" >> ${DEST}/ca.crt
   echo "DkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow" >> ${DEST}/ca.crt
   echo "PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD" >> ${DEST}/ca.crt
   echo "Ew5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB" >> ${DEST}/ca.crt
   echo "AN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O" >> ${DEST}/ca.crt
   echo "rz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq" >> ${DEST}/ca.crt
   echo "OLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b" >> ${DEST}/ca.crt
   echo "xiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw" >> ${DEST}/ca.crt
   echo "7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD" >> ${DEST}/ca.crt
   echo "aeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV" >> ${DEST}/ca.crt
   echo "HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG" >> ${DEST}/ca.crt
   echo "SIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69" >> ${DEST}/ca.crt
   echo "ikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr" >> ${DEST}/ca.crt
   echo "AvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz" >> ${DEST}/ca.crt
   echo "R8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5" >> ${DEST}/ca.crt
   echo "JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo" >> ${DEST}/ca.crt
   echo "Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ" >> ${DEST}/ca.crt
   echo "-----END CERTIFICATE-----" >> ${DEST}/ca.crt
   cat ${SOURCE}/chain.pem >> ${DEST}/ca.crt
fi
openssl x509 -in ${DEST}/ca.crt -out ${DEST}/ca.pem -outform PEM
openssl verify -CAfile ${DEST}/ca.crt ${DEST}/mongodb.pem

/etc/mongod.conf:

ssl:
 mode: requireSSL
 PEMKeyFile: /etc/ssl/mongodb/mongodb.pem
 # do not add a CAFile:entry

引用自:https://serverfault.com/questions/810533