1. Question
I have currently generated the following X509 certificates:
ca-cert.pem: the CA certificate, used to generate the server-side/client-side digital certificates.
ca.pem: the CA private key, used to generate the server-side/client-side digital certificates.
server-key.pem: the server-side RSA private key
server-req.pem: the server-side certificate signing request, used to generate the server-side digital certificate.
server-cert.pem: the server-side digital certificate.
client-key.pem: the client-side RSA private key
client-req.pem: the client-side certificate signing request, used to generate the client-side digital certificate.
client-cert.pem: the client-side digital certificate.
Generation commands:
openssl genrsa 2048 > ca-key.pem
openssl req -new -x509 -nodes -days 7200 -key ca-key.pem -out ca.pem
openssl req -newkey rsa:2048 -days 7200 -nodes -keyout server-key.pem -out server-req.pem
openssl rsa -in server-key.pem -out server-key.pem
openssl x509 -req -in server-req.pem -days 7200 -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem
openssl req -newkey rsa:2048 -days 7200 -nodes -keyout client-key.pem -out client-req.pem
openssl rsa -in client-key.pem -out client-key.pem
openssl x509 -req -in client-req.pem -days 7200 -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out client-cert.pem
Now I want to add the certificates to mongo.cnf, but no matter how I add them the client cannot connect to the server.
2. Description
I ran:
cat server-key.pem server-cert.pem > server.pem
cat client-key.pem client-cert.pem > client.pem
Configuration in mongodb.cnf:
net:
  port: 27017
  ssl:
    mode: requireSSL
    PEMKeyFile: /data/db/mongo_key/server.pem
    PEMKeyPassword: wanbang123
    CAFile: /data/db/mongo_key/client.pem
    allowConnectionsWithoutCertificates: true
    allowInvalidHostnames: true
    allowInvalidCertificates: true
The certificate currently used on the Java side is:
keytool -importcert -alias MySQLCACert -file ca.pem -keystore xxx.jks -storepass wanbang123
Connection command:
./bin/mongo --host 127.0.0.1:27018 --ssl --sslPEMKeyFile /data/db/mongo_key/client.pem --sslCAFile /data/db/mongo_key/server.pem --sslAllowInvalidHostnames
3. Error message
2019-10-14T09:49:19.480+0800 E NETWORK [thread1] SSL peer certificate validation failed: unable to verify the first certificate
2019-10-14T09:49:19.480+0800 E QUERY [thread1] Error: socket exception [CONNECT_ERROR] for SSL peer certificate validation failed: unable to verify the first certificate :connect@src/mongo/shell/mongo.js:231:14
Server log:
2019-10-14T09:51:04.153+0800 I NETWORK [initandlisten] connection accepted from 172.17.0.1:38354 #1 (1 connection now open)
2019-10-14T09:51:04.172+0800 W NETWORK [conn1] SSL peer certificate validation failed: unable to verify the first certificate
2019-10-14T09:51:04.173+0800 I NETWORK [conn1] end connection 172.17.0.1:38354 (0 connections now open)
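Added example, not code from the question or from MongoDB: the script below builds a small PKI (CA, server certificate, client certificate) with distinct serials, SANs and key usages, bundles key + certificate the way mongod's PEMKeyFile expects, and then uses openssl to show which file is usable as CAFile / --sslCAFile. A leaf certificate only verifies against the CA that signed it; a key+cert bundle of the other side (server.pem or client.pem) never works as a trust anchor, which is the kind of setup that produces "unable to verify the first certificate" on both ends. The temporary directory $WORK, the CNs and the hostname mongo.example.internal are assumptions of this example, as is the corrected mongod fragment it writes (net.ssl is the pre-4.2 option name used in the question; MongoDB 4.2+ spells it net.tls).

```shell
#!/bin/sh
# Added example (not from the question or from MongoDB): build a CA plus a
# server and a client certificate, bundle them for mongod, and check with
# openssl which file works as CAFile / --sslCAFile. $WORK, the CNs and the
# hostname mongo.example.internal are assumptions made for this example.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Self-contained OpenSSL config, so nothing depends on the system openssl.cnf.
write_config() {
  cat > "$WORK/pki.cnf" <<'EOF'
[ req ]
default_md = sha256
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
CN = example-mongo-ca
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ server_ext ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:mongo.example.internal, IP:127.0.0.1
[ client_ext ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
EOF
}

# issue_leaf NAME EXT_SECTION SUBJECT: key, CSR, CA-signed cert, key+cert bundle.
# -CAcreateserial keeps a counter in ca.srl, so no two certs share a serial.
issue_leaf() {
  openssl genrsa -out "$WORK/$1-key.pem" 2048 2>/dev/null
  openssl req -new -config "$WORK/pki.cnf" -key "$WORK/$1-key.pem" \
    -subj "$3" -out "$WORK/$1-req.pem" 2>/dev/null
  openssl x509 -req -in "$WORK/$1-req.pem" -days 825 \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca-key.pem" -CAcreateserial \
    -extfile "$WORK/pki.cnf" -extensions "$2" -out "$WORK/$1-cert.pem" 2>/dev/null
  # PEMKeyFile / --sslPEMKeyFile want the private key and its cert in one PEM.
  cat "$WORK/$1-key.pem" "$WORK/$1-cert.pem" > "$WORK/$1.pem"
}

build_pki() {
  write_config
  openssl genrsa -out "$WORK/ca-key.pem" 2048 2>/dev/null
  openssl req -new -x509 -config "$WORK/pki.cnf" -days 3650 \
    -key "$WORK/ca-key.pem" -out "$WORK/ca.pem" 2>/dev/null
  issue_leaf server server_ext "/CN=mongo.example.internal"
  issue_leaf client client_ext "/CN=app-client"
}

# verify_leaf CAFILE CERT: succeeds only if CERT chains to a root in CAFILE.
verify_leaf() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# hostname_ok CERT NAME: succeeds when NAME is covered by CERT's SAN, i.e. a
# client connecting to that host could drop --sslAllowInvalidHostnames.
hostname_ok() {
  openssl verify -CAfile "$WORK/ca.pem" -verify_hostname "$2" "$1" >/dev/null 2>&1
}

# serial_of CERT: hex serial number, to confirm the two leaves differ.
serial_of() { openssl x509 -in "$1" -noout -serial | sed 's/^serial=//'; }

# key_matches CERT KEY: succeeds when KEY is the private key belonging to CERT.
key_matches() {
  [ "$(openssl x509 -in "$1" -noout -modulus)" = \
    "$(openssl rsa -in "$2" -noout -modulus 2>/dev/null)" ]
}

# Corrected mongod fragment for this PKI: the CA certificate goes in CAFile, an
# unencrypted key needs no PEMKeyPassword, and allowInvalidCertificates stays
# off so client certificates are really checked against the CA.
write_mongod_conf() {
  cat > "$WORK/mongod.conf" <<EOF
net:
  port: 27017
  ssl:
    mode: requireSSL
    PEMKeyFile: $WORK/server.pem
    CAFile: $WORK/ca.pem
EOF
}

build_pki
write_mongod_conf
for side in server client; do
  verify_leaf "$WORK/ca.pem" "$WORK/$side-cert.pem" && echo "$side-cert.pem verifies against ca.pem"
  verify_leaf "$WORK/server.pem" "$WORK/$side-cert.pem" || echo "$side-cert.pem does NOT verify against server.pem"
done
echo "serials: server=$(serial_of "$WORK/server-cert.pem") client=$(serial_of "$WORK/client-cert.pem")"
echo "client: mongo --ssl --host mongo.example.internal --sslPEMKeyFile $WORK/client.pem --sslCAFile $WORK/ca.pem"
```

Run it with a stock openssl; it prints that both leaves verify against ca.pem and neither verifies against server.pem, which is the check to run before touching mongod: `openssl verify -CAfile <file> server-cert.pem` must succeed for whatever file you intend to hand to CAFile, and the same file is what the mongo shell needs as --sslCAFile and what the Java side needs in its truststore (the CA certificate, not a key+cert bundle). The `-verify_hostname` check is the one that tells you whether --sslAllowInvalidHostnames can be dropped for the host you actually connect to.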