Mongo SSL configuration practice
2022-07-28 06:47:00 【opreator.ke】
【Preface】
The SSL configuration can be carried out in the following order:
1. Generate the certificates: root certificate, server certificate, client certificate
2. Configure SSL on the server, then test access to the SSL-enabled mongo server from the shell
One 【openssl】
Server-side SSL configuration.
1.1 Generate root certificate
# -x509: generate a self-signed certificate; not needed if the certificate is not self-signed
# -days: validity period of the certificate; the default is 365 days
# With the subject passed via -subj, you only need to enter the password when prompted
openssl req -out ca.pem -new -x509 -days 3650 -subj "/C=CN/ST=fujian/O=devops/CN=server1/CN=devops/[email protected]"
# Choose the password yourself, e.g. passwd
# No -keyout is given, so the CA private key is written to privkey.pem (the default_keyfile in the stock openssl.cnf); the signing steps below pass it as -CAkey
1.2 Generate server certificate
Generate server private key
openssl genrsa -out server.key 2048
Generate the server certificate signing request (server.req)
# CN=localhost is the domain name of the node where mongo runs; if it does not match, an error is reported
openssl req -key server.key -new -out server.req -subj "/C=CN/ST=fujian/O=devops/CN=server1/CN=localhost/[email protected]"
Generate the server certificate
openssl x509 -req -in server.req -CA ca.pem -CAkey privkey.pem -CAcreateserial -out server.crt -days 3650
Merge the server private key and the server certificate into server.pem
cat server.key server.crt > server.pem
Verify the server-side PEM file
openssl verify -CAfile ca.pem server.pem
1.3 Generate client certificate
Generate client private key
openssl genrsa -out client.key 2048
Generate the client certificate signing request (client.req)
# CN=localhost is the domain name of the mongo service; change it to suit your environment
openssl req -key client.key -new -out client.req -subj "/C=CN/ST=fujian/O=devops/CN=server1/CN=localhost/[email protected]"
Generate client certificate
openssl x509 -req -in client.req -CA ca.pem -CAkey privkey.pem -CAserial ca.srl -out client.crt -days 3650
Merge the client private key and the client certificate into client.pem
cat client.key client.crt > client.pem
Verify the client PEM file
openssl verify -CAfile ca.pem client.pem
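The openssl verify steps above only confirm the CA signature. The script below is an added example, not part of the original post: it also checks that the certificate is valid for the hostname clients connect to, that the private key in the merged PEM belongs to the certificate, and that the certificate is not about to expire. The function names check_pem and make_demo_pki, the demo subjects and the 30-day threshold are assumptions, and the demo certificates are constructed throwaway files.

```shell
#!/bin/sh
# check_pem CA PEM HOST -> 0 ok, 1 chain/hostname, 2 key mismatch, 3 expiring
check_pem() {
    ca=$1; pem=$2; host=$3
    # 1. Signed by the CA and valid for HOST (SAN entries, else subject CN).
    openssl verify -CAfile "$ca" -verify_hostname "$host" "$pem" >/dev/null 2>&1 ||
        { echo "FAIL chain or hostname ($host): $pem"; return 1; }
    # 2. The private key in the bundle must carry the certificate's public key.
    cert_pub=$(openssl x509 -in "$pem" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$pem" -pubout 2>/dev/null)
    [ -n "$key_pub" ] && [ "$cert_pub" = "$key_pub" ] ||
        { echo "FAIL private key does not match certificate: $pem"; return 2; }
    # 3. Still valid 30 days (2592000 s) from now; the threshold is an assumption.
    openssl x509 -in "$pem" -noout -checkend 2592000 >/dev/null ||
        { echo "FAIL expires within 30 days: $pem"; return 3; }
    echo "OK: $pem"
}

# make_demo_pki DIR: constructed throwaway CA and server bundle for the demo.
# -nodes leaves the demo CA key unencrypted so the script runs unattended.
make_demo_pki() {
    d=$1
    openssl req -new -x509 -nodes -days 365 -subj "/O=devops/CN=demo-ca" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null &&
    openssl genrsa -out "$d/server.key" 2048 2>/dev/null &&
    openssl req -new -key "$d/server.key" -subj "/O=devops/CN=localhost" \
        -out "$d/server.req" &&
    openssl x509 -req -in "$d/server.req" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 365 -out "$d/server.crt" 2>/dev/null &&
    cat "$d/server.key" "$d/server.crt" > "$d/server.pem" &&
    # Deliberately broken bundle: the right certificate with the wrong key.
    openssl genrsa -out "$d/other.key" 2048 2>/dev/null &&
    cat "$d/other.key" "$d/server.crt" > "$d/mismatch.pem"
}

demo_dir=$(mktemp -d)
make_demo_pki "$demo_dir" &&
    check_pem "$demo_dir/ca.pem" "$demo_dir/server.pem" localhost
rm -rf "$demo_dir"
```

Against the files generated in this post, the call would be check_pem ca.pem server.pem followed by the hostname clients actually use to reach mongod.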
Two 【Configure SSL in mongodb】
2.1 Modify the configuration file, mongodb.conf
Add the following SSL settings
sslOnNormalPorts = true
sslPEMKeyFile = /data/conf/server.pem
sslPEMKeyPassword = pass
sslCAFile = /data/conf/ca.pem
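2.2 Connecting with the shell client
mongo --sslAllowInvalidCertificates --sslAllowInvalidHostnames --ssl --sslPEMKeyFile /data/conf/client.pem --sslCAFile /data/conf/ca.pem --host 127.0.0.1
# --sslAllowInvalidCertificates and --sslAllowInvalidHostnames turn off validation of the server certificate and of its hostname, so this command tests the encrypted connection but does not authenticate the server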
2.3 navicat Client connection configuration 