douyu53265 2018-07-23 23:45
Viewed 503
Accepted

MongoDB connection over SSL: what am I doing wrong?

Overview: I have an application server running PHP 7, connecting to a separate database server running MongoDB 3.6.x using the MongoDB PHP userland library. I have firewall rules preventing access to the MongoDB server from all sources except the local and private interfaces (i.e. disallowing public IP access).

Connections via PHP look something like this:

$context_information = array(
    "ssl" => array(
        "allow_self_signed" => false,
        "verify_peer"       => true,
        "verify_peer_name"  => true,
        "verify_expiry"     => true,
        "cafile"            => "/path/to/ca_bundle"
));

// The stream context is handed to the driver through the 'context' driver option;
// 'ssl' => true in the URI options turns TLS on for the connection.
$context = stream_context_create($context_information);
$connection = new MongoDB\Client(
    $host,
    array('ssl'=>true),
    array('context'=> $context)
);

My MongoDB configuration looks something like this:

net:
  port: 27017
  bindIp: 127.0.0.1,10.138.196.241
  ssl:
    mode: requireSSL
    PEMKeyFile: /path/to/my_ca_signed_cert
    CAFile: /path/to/my_ca_bundle

my_ca_signed_cert is a .pem file generated using my openssl-generated RSA private key, as well as the CA-provided .crt file, in the manner described in the MongoDB manual, e.g. cat mongodb.key mongodb.crt > mongodb.pem. my_ca_bundle is the .ca-bundle provided to me by the CA.

Additionally, the ca_bundle described in the PHP context is the same .ca-bundle file as in the MongoDB config.

Problem: I continue to receive the following error:

[23-Jul-2018 16:33:33 America/Los_Angeles] PHP Fatal error: Uncaught MongoDB\Driver\Exception\ConnectionTimeoutException: No suitable servers found (serverSelectionTryOnce set): [TLS handshake failed: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed calling ismaster on. . .

This issue persists even if I comment out the CAFile line for the MongoDB config. Also of note is that I can connect successfully when setting allow_self_signed to true if CAFile is commented out, but not when it's left uncommented.

Finally, when attempting to connect via the MongoDB shell, I get the following error:

2018-07-23T23:37:02.992+0000 E NETWORK [thread1] SSL peer certificate validation failed: unable to get issuer certificate
2018-07-23T23:37:02.992+0000 E QUERY [thread1] Error: socket exception [CONNECT_ERROR] for SSL peer certificate validation failed: unable to get issuer certificate :
connect@src/mongo/shell/mongo.js:251:13
@(connect):1:6
exception: connect failed

Expected Behavior: I don't want to use client certificate authentication for connecting to the database. All I want at present is for traffic to be encrypted. This means being able to connect to the database without allowing self-signed certificates.

Notes:

  1. I have a cert set up successfully on the application server for HTTPS connectivity. Additionally, when testing the cert referenced in this question itself, I've successfully run verification on the files using openssl verify -CAfile /path/to/my_ca_bundle /path/to/my_ca_signed_cert.

  2. Everything in my application code works when SSL is disabled or when enabled while allowing self-signed certs.

The documentation on all of this is incredibly vague on a number of points, so I'm not sure where my configuration is going wrong. What should I be looking into to resolve this problem?
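The three OpenSSL outcomes in the question (the PHP driver's "certificate verify failed", the mongo shell's "unable to get issuer certificate", and the openssl verify -CAfile check that passes) are all chain-building results, and they can be reproduced offline. The script below is an added example, not code from the question or from either answer: it builds a throwaway root -> intermediate -> server chain with the openssl CLI, lays the files out the way the question describes (PEMKeyFile = key + leaf, CA bundle = intermediate + root), and then runs openssl verify the way a TLS client would, using -untrusted to stand in for "certificates the server sent alongside its leaf". The CA names, the host name db.example.internal and all file names are made up for the demo.

```bash
#!/usr/bin/env bash
# Added example (not from the original post). Reproduces the OpenSSL chain
# verification failures from the question offline and shows which trust-file /
# presented-chain layouts make "openssl verify" pass. Requires the openssl CLI.
# All subject names and file names below are made up for this demo.
set -u

DEMO_DIR="$(mktemp -d)"
trap 'rm -rf "$DEMO_DIR"' EXIT

# Build the test PKI: a self-signed root, an intermediate signed by the root,
# and a server ("mongod") certificate signed by the intermediate.
build_demo_pki() {
  local d="$1"
  (
    cd "$d" || exit 1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
    openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
      -subj "/CN=Demo Root CA" >/dev/null 2>&1
    openssl x509 -req -in root.csr -signkey root.key -out root.crt -days 2 \
      -set_serial 1 -extfile ca.ext >/dev/null 2>&1

    openssl req -new -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr \
      -subj "/CN=Demo Intermediate CA" >/dev/null 2>&1
    openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -out inter.crt \
      -days 2 -set_serial 2 -extfile ca.ext >/dev/null 2>&1

    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:db.example.internal\n' > leaf.ext
    openssl req -new -newkey rsa:2048 -nodes -keyout mongodb.key -out mongodb.csr \
      -subj "/CN=db.example.internal" >/dev/null 2>&1
    openssl x509 -req -in mongodb.csr -CA inter.crt -CAkey inter.key -out mongodb.crt \
      -days 2 -set_serial 3 -extfile leaf.ext >/dev/null 2>&1

    # Layout from the question: PEMKeyFile = key + leaf; ".ca-bundle" = intermediate + root.
    cat mongodb.key mongodb.crt > mongodb.pem
    cat inter.crt root.crt > ca_bundle.crt
    # Alternative layout: the intermediate appended to the server's PEM file.
    cat mongodb.key mongodb.crt inter.crt > mongodb_with_chain.pem
  )
}

# Verify <leaf> as a client would: trust only <trusted>, and treat the certs in
# <presented> (may be "") as untrusted certificates the server sent with its leaf.
# Prints "ok" or the OpenSSL reason text (the same wording the mongo shell reports).
verify_as_client() { # verify_as_client <trusted.pem> <presented.pem|""> <leaf.crt>
  local out status=0 reason
  if [ -n "$2" ]; then
    out=$(openssl verify -CAfile "$1" -untrusted "$2" "$3" 2>&1) || status=$?
  else
    out=$(openssl verify -CAfile "$1" "$3" 2>&1) || status=$?
  fi
  # Failure lines look like "error 20 at 0 depth lookup: unable to get local issuer certificate"
  reason=$(printf '%s\n' "$out" | sed -n 's/.*depth lookup: *//p' | head -n 1)
  if [ "$status" -eq 0 ] && [ -z "$reason" ]; then echo ok; else printf '%s\n' "$reason"; fi
}

# Number of certificates in a PEM file (a PEMKeyFile with only the leaf has 1).
count_certs() { grep -c -- '-----BEGIN CERTIFICATE-----' "$1"; }

build_demo_pki "$DEMO_DIR"

# 1. Client trusts only the CA's root; server presents just its leaf (key + leaf PEM).
case_root_only_leaf()          { verify_as_client "$DEMO_DIR/root.crt" "" "$DEMO_DIR/mongodb.crt"; }
# 2. Same client; the intermediate is among the certificates presented.
case_root_full_chain()         { verify_as_client "$DEMO_DIR/root.crt" "$DEMO_DIR/inter.crt" "$DEMO_DIR/mongodb.crt"; }
# 3. The question's own check: the CA bundle (intermediate + root) as the trust file.
case_bundle_as_trust()         { verify_as_client "$DEMO_DIR/ca_bundle.crt" "" "$DEMO_DIR/mongodb.crt"; }
# 4. Trust file contains the intermediate but not the root.
case_intermediate_only_trust() { verify_as_client "$DEMO_DIR/inter.crt" "" "$DEMO_DIR/mongodb.crt"; }

for c in case_root_only_leaf case_root_full_chain case_bundle_as_trust case_intermediate_only_trust; do
  printf '%-30s %s\n' "$c" "$("$c")"
done
printf 'certs in mongodb.pem: %s, in mongodb_with_chain.pem: %s\n' \
  "$(count_certs "$DEMO_DIR/mongodb.pem")" "$(count_certs "$DEMO_DIR/mongodb_with_chain.pem")"
```

Case 3 is why the question's openssl verify -CAfile bundle check passes on the server even though clients fail: the bundle itself supplies the intermediate, so verification never depends on what the server sends. Case 1 is what a client sees when it trusts only the root (for example a public root already in the system store) and the server presents nothing but its leaf; case 2 shows the same client succeeding as soon as the intermediate is presented or otherwise available to it, which is also the effect of installing the CA bundle into the system trust store as the accepted answer does. Case 4 reproduces the exact "unable to get issuer certificate" wording from the mongo shell, which OpenSSL emits when it finds the intermediate in the trust file but cannot find the root that issued it. To see which certificates a running mongod actually presents, inspect the chain with openssl s_client -showcerts -connect host:27017 before touching the client configuration.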


2 answers

  • dongqiong8021 2018-08-02 20:13

    I decided to take another crack at this problem and finally found a solution.

    First, I needed to move my /path/to/my_ca_bundle to /usr/share/ca-certificates/my_project/my_ca_bundle.

    Second, I needed to update /etc/ca-certificates.conf with the line my_project/my_ca_bundle.

    Third, I needed to run sudo update-ca-certificates.

    Finally, I needed to remove the ssl.cafile option from my PHP stream context (I can't seem to get it to work with this line in place).

    The CAFile option in /etc/mongod.conf is unnecessary as well, and is problematic unless it uses the allowConnectionsWithoutCertificates: true line noted in the other answer.

    That was a mess, but everything works now!

    This answer was selected by the asker as the best answer.
