Sep 2024

Issue: Unable to Connect to MongoDB with TLS and Authentication

MongoDB Setup:

I’m running MongoDB on a Docker container, and I’ve enabled TLS/SSL and role-based access control (RBAC) with internal authentication. Here’s an outline of my setup:

MongoDB Version: 6.x (Running in Docker)

mongod.conf Configuration:

net:
  port: 27017
  bindIp: 0.0.0.0
  tls:
    mode: requireTLS
    certificateKeyFile: /etc/ssl/mongo.pem   # Combined certificate and private key
    CAFile: /etc/ssl/ca.pem                  # Certificate Authority file
    allowConnectionsWithoutCertificates: false
security:
  authorization: "enabled"   # Enabling Role-Based Access Control (RBAC)
  keyFile: /etc/rs_keyfile   # Path to key file for replica set authentication
systemLog:
  destination: file
  path: /var/log/mongodb/mongod.log
  logAppend: true
  verbosity: 2

Certificates:

  • mongo.pem: Contains the server certificate and private key.
  • ca.pem: Contains the CA certificate that signed mongo.pem.

Docker Compose:

MongoDB is running in a Docker container, and I have generated the required PEM files using openssl.

How I Start MongoDB:

I start MongoDB with the above configuration using Docker. Everything seems to start correctly, but when I try to connect to MongoDB using mongosh with TLS, I encounter connection issues.

Error When Connecting:

I attempt to connect using the following command:

mongosh --tls --tlsCAFile /etc/ssl/ca.pem --tlsCertificateKeyFile /etc/ssl/mongo.pem --host 127.0.0.1 --port 27017

However, I get the following error:

MongoServerSelectionError: connection to 127.0.0.1:27017 closed

When using --tlsAllowInvalidHostnames, I still can’t establish a successful connection.

Additional Information:

  1. I confirmed the certificates using openssl verify and openssl s_client, and they seem valid.
  2. Error in Log Files: I noticed the following errors in the MongoDB logs:
  • User assertion "NotYetInitialized: no replset config has been received"
  • Unable to retrieve storageStats in $collStats stage :: caused by :: Collection [local.oplog.rs] not found

Questions:

  1. Certificate Setup: Is there any issue with how I’ve generated or configured the certificates for MongoDB?
  2. Hostname Issue: How can I properly resolve the “hostname mismatch” issue for local connections when using TLS?
  3. Replica Set Configuration: Even though I haven’t enabled replication, I still see replica set errors. Could this be related to the issue?

Thanks in advance for any help!