Tags: mongodb, ssl, x509, mongodump, tls1.3

mongodump error: x509: cannot validate certificate for <server-IP> because it doesn't contain any IP SANs


I am trying to set up mongodump along with TLS/SSL encryption. I have been following various articles for this: Self-signed SSL connection using PyMongo, https://mydbops.wordpress.com/2020/05/02/securing-mongodb-cluster-with-tls-ssl/ and some more.

So, I have generated the CA certificates.

#Create CA Private Certificate
openssl genrsa -passout pass:<password> -out ca.key -aes256 8192
 
#Sign CA Public Certificate
openssl req -x509 -new -extensions v3_ca -passin pass:<password> -key ca.key -days 365 -out ca-pub.crt -subj "/C=XX/L=Default City/O=Default Company Ltd"

Then, created a key for the MongoDB server and self-signed it using the CA.

openssl req -nodes -newkey rsa:4096 -sha256 -keyout mongod.key -out mongod.csr -subj "/C=XX/L=Default City/O=Default Company Ltd/CN=<host-name-IP>";
openssl x509 -req -in mongod.csr -CA ca-pub.crt -passin pass:<password> -CAkey ca.key -CAcreateserial -out mongod.crt;
cat mongod.key mongod.crt > mongod.pem;

Next, I created a conf file for the client with contents as:

[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
default_keyfile = mongo-client.key
prompt = no

[req_distinguished_name]
C = filled-appropriately
ST = filled-appropriately
L = filled-appropriately
O = client
OU = client-team
CN = .

[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = IP:<mongodb-server-ip>

Next, using this .conf file, generated a mongo client csr file.

openssl req -new -nodes -out mongo-client.csr -config mongo-client.conf

Then, self-signed these using the CA certificate.

openssl x509 -req -in mongo-client.csr -CA ca-pub.crt -CAkey ca.key -out mongo-client.crt
cat mongo-client.key mongo-client.crt > mongo-client.pem

I have placed the CA and MongoDB server specific files at appropriate locations (in /etc/ssl) and updated the paths in the mongod.conf file.

  tls:
    mode: requireTLS
    certificateKeyFile: /etc/ssl/mongodb.pem
    CAFile: /etc/ssl/ca-pub.crt

After updating, performed a daemon-reload and restarted the mongod.service, and moved the ca-pub.crt and mongo-client.pem to the appropriate client server.

Now, when I try connecting to the server using the mongo command, it gets connected successfully.

mongo --tls --tlsCAFile ca-pub.crt --tlsCertificateKeyFile mongo-client.pem --host=<server-IP> -u <username> -p <password>

But, when I try running the mongodump command:

mongodump --host=<server-IP> -u <username> -p <password> --ssl --sslCAFile=ca-pub.crt --sslPEMKeyFile=mongo-client.pem

It gives this error:

Failed: can't create session: could not connect to server: server selection error: server selection timeout, current topology: { Type: Single, Servers: [{ Addr: <server-IP>, Type: Unknown, State: Connected, Average RTT: 0, Last error: connection() : x509: cannot validate certificate for <server-IP> because it doesn't contain any IP SANs }, ] }

Note: In all the above codes, the value of server-IP has been added appropriately.

Can anyone provide the solution for this or any resource which would be helpful? Any help would be appreciated. Thanks.


Solution

  • I referred this link to fix the issue: https://security.stackexchange.com/questions/74345/provide-subjectaltname-to-openssl-directly-on-the-command-line/183973?newreg=1aa964f1090e49029f2ee664382e75e4

    openssl req -newkey rsa:4096 -nodes -out server.csr -keyout server.key -subj "/C=XX/ST=XX/L=XX/O=company/OU=company-unit/CN=<server-IP>";

    openssl x509 -sha256 -req -extfile <(printf "subjectAltName=IP:<server-IP>") -days 365 -in server.csr -CA ca.pem -passin pass:password -CAkey ca_private.pem -CAcreateserial -out server-signed.crt;

    cat server-signed.crt server.key > server.pem;

    The rest of the steps related to the creation of the CA certificates and the client keys are the same.

    @barrypicker's answer worked to solve the mongodump and mongorestore issue, but the connection to the mongo shell was failing then.