May 2024

Good morning fellow community members,

I’ve been struggling with the TLS/SSL configuration of MongoDB for a few days now and I’m reaching out to see if you can help me resolve some doubts that have arisen.

Firstly, I’m currently using version 6.0.4 for testing purposes, but the final version I’ll be using is 4.4.13. The setup involves a Replica Set (RS) across multiple nodes.

It’s important to note that I’m not interested in authentication at the moment; all I’m trying to achieve is data encryption.

The certificate I have is a wildcard (*.lynx.com) certificate valid for machines within the same domain. Its “X509v3 extensions” include “TLS Web Server Authentication,” which is crucial for authentication, but not necessary at the moment.

The first configuration I’ve tried is as follows:

Version 6.0:

    net:
      port: 27017
      bindIp: es1mongodb01.lynx.com
      tls:
        mode: allowTLS
        certificateKeyFile: /etc/ssl/key_telf.pem

Version 4.4:

    net:
      port: 27017
      bindIp: es1mongodb01.lynx.com
      ssl:
        mode: allowSSL
        PEMKeyFile: /etc/ssl_telf/key_telf.pem

According to the documentation, nothing else should be necessary: Set Up mongod and mongos with TLS/SSL Certificate and Key. However, upon startup, I’m encountering the following error: “Error during global initialization: InvalidOption.”

Here comes my first question: What would be the correct configuration if I don’t want authentication and only want to encrypt data?

In subsequent tests, including the CAFile option, the service starts up. However, by adding this parameter, I understand that we are requesting authentication. Once this is activated, I encounter the following error: “SSL peer certificate validation failed: unsupported certificate purpose.”

I believe this error is related to the “X509v3 extensions” in my certificate.

Here comes my second question: With the key and certificate that I have, what configuration would you recommend to at least encrypt data within the cluster and from clients?

Thank you very much.
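An added pre-flight check for the certificate-purpose question in the post above (example script, not part of the original post or of MongoDB): it inspects a PEM file with openssl and reports whether its Extended Key Usage would be accepted by mongod, which, per the MongoDB documentation, requires both serverAuth and clientAuth when the extension is present, since replica set members act as TLS client and server towards each other. The second function checks that the file also carries the private key, as certificateKeyFile / PEMKeyFile requires. Path names are placeholders; the test certificates are generated locally.

```shell
#!/bin/sh
# Usage: mongo_cert_eku_ok /path/to/key_and_cert.pem
#   exit 0 = EKU acceptable for mongod, 1 = EKU unsuitable, 2 = file unreadable
mongo_cert_eku_ok() {
    cert="$1"
    text=$(openssl x509 -in "$cert" -noout -text 2>/dev/null) || return 2
    # openssl prints the EKU value on the line after the "X509v3 Extended Key Usage" header.
    eku=$(printf '%s\n' "$text" | awk '/X509v3 Extended Key Usage/ { getline; print; exit }')
    if [ -z "$eku" ]; then
        echo "$cert: no extendedKeyUsage extension (mongod accepts this)"
        return 0
    fi
    case "$eku" in
        *"TLS Web Server Authentication"*) has_server=1 ;;
        *) has_server=0 ;;
    esac
    case "$eku" in
        *"TLS Web Client Authentication"*) has_client=1 ;;
        *) has_client=0 ;;
    esac
    if [ "$has_server" -eq 1 ] && [ "$has_client" -eq 1 ]; then
        echo "$cert: EKU includes serverAuth and clientAuth (ok for mongod)"
        return 0
    fi
    # A server-only EKU is what makes the peer check fail with
    # "unsupported certificate purpose" when members verify each other.
    echo "$cert: EKU is '$(echo "$eku" | sed 's/^ *//')'; mongod needs serverAuth AND clientAuth"
    return 1
}

# certificateKeyFile (6.0) / PEMKeyFile (4.4) must contain the private key as well as the certificate.
# Usage: mongo_keyfile_has_key /path/to/key_and_cert.pem   (exit 0 = key present)
mongo_keyfile_has_key() {
    grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$1"
}
```

Run both checks against the file named in the mongod configuration before starting the service; a certificate that passes the first check but fails the second has to be concatenated with its key into one PEM file.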