Following the "only the client presents a certificate" section of the MongoDB documentation, I am running a MongoDB container with the following mongod.conf configuration file:

```yaml
net:
  tls:
    mode: requireTLS
    certificateKeyFile: /etc/ssl/server.pem
    CAFile: /etc/ssl/ca.pem
    allowConnectionsWithoutCertificates: true
```
Below is the command I use to run MongoDB:

```bash
docker run -d \
  --name mongodb \
  -e MONGO_INITDB_ROOT_USERNAME=root \
  -e MONGO_INITDB_ROOT_PASSWORD=rootpassword \
  -v /path/to/the/mongod.conf:/etc/mongod.conf \
  -v /path/to/the/server.pem:/etc/ssl/server.pem \
  -v /path/to/the/ca.pem:/etc/ssl/ca.pem \
  -v /path/to/the/client.pem:/etc/ssl/client.pem \
  -p 27017:27017 \
  mongo:4.4.26 --config /etc/mongod.conf
```
Then I try to connect to MongoDB with the MONGO_INITDB_ROOT username and password, but it shows the following error message:

```text
root@2b95c9e5d8a8:/# mongo admin -u root -p rootpassword
MongoDB shell version v4.4.26
connecting to: mongodb://127.0.0.1:27017/admin?compressors=disabled&gssapiServiceName=mongodb
Error: network error while attempting to run command 'isMaster' on host '127.0.0.1:27017' :
connect@src/mongo/shell/mongo.js:374:17
@(connect):2:6
exception: connect failed
exiting with code 1
```
Docker log:

```json
{"t":{"$date":"2023-12-28T11:23:29.777+00:00"},"s":"I", "c":"NETWORK", "id":22988, "ctx":"conn1","msg":"Error receiving request from client. Ending connection from remote","attr":{"error":{"code":141,"codeName":"SSLHandshakeFailed","errmsg":"The server is configured to only allow SSL connections"},"remote":"127.0.0.1:39754","connectionId":1}}
```
So it requires TLS-based authentication.

> A mongod / mongos running with these settings allows connection from:
> - Clients that do not present a certificate.
> - Clients that present a valid certificate.
> All connections, including those that have not presented certificates, are encrypted using TLS/SSL.

So when I set allowConnectionsWithoutCertificates to true, it should let me connect, with the connection also encrypted using TLS. But it does not. Is the flag working correctly, or am I missing something?
1 answer
You are missing the CA certificate on the client side. Try

It may also work with

or
Note that, as the name suggests, `/path/to/the/client.pem` is a client certificate; you do not need it on the MongoDB server side. And `CAFile: /etc/ssl/ca.pem` is only needed if you plan to connect with client certificates, which does not seem to be the case here. Further notes:

There is no such thing as "TLS-based authentication". In general, certificates (as used in MongoDB) can provide three functions:

In sharded clusters and/or replica sets, certificates can also be used to authenticate the internal cluster/replica-set members. Technically this is the same as "authenticating the client".
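As an added example (not part of the question or the answer above): a small bash helper that reads the server's `net.tls` settings from a mongod.conf like the one in the question and derives the flags the 4.4 mongo shell needs (`--tls`, `--tlsCAFile`, and `--tlsCertificateKeyFile` only when the server validates client certificates). It assumes the CA file is present on the client host at the same path as in the server config; adjust the path if the client keeps its copy elsewhere.

```bash
#!/usr/bin/env bash
# Derive mongo shell TLS flags from a mongod.conf (added example, not project code).
set -eu

# conf_value <mongod.conf> <key>: print the value of a scalar key under net.tls.
conf_value() {
  sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1"
}

# mongo_tls_args <mongod.conf> [client.pem]: print the client flags implied by
# the server's TLS settings. Returns 1 if the server demands a client cert
# and none was supplied.
mongo_tls_args() {
  local conf=$1 client_pem=${2:-}
  local mode cafile nocert args=""
  mode=$(conf_value "$conf" mode)
  cafile=$(conf_value "$conf" CAFile)
  nocert=$(conf_value "$conf" allowConnectionsWithoutCertificates)
  case "$mode" in
    requireTLS|preferTLS) args="--tls" ;;
    *) echo ""; return 0 ;;   # allowTLS/disabled: plain connection still works
  esac
  # The client must trust the CA that signed server.pem; this is needed even
  # when allowConnectionsWithoutCertificates is true, since that setting only
  # relaxes what the *client* has to present, not what it has to verify.
  [ -n "$cafile" ] && args="$args --tlsCAFile $cafile"
  if [ -n "$cafile" ] && [ "$nocert" != "true" ]; then
    # CAFile set and certificate-less clients not allowed: a client cert is mandatory.
    [ -n "$client_pem" ] || { echo "client certificate required by server" >&2; return 1; }
    args="$args --tlsCertificateKeyFile $client_pem"
  elif [ -n "$client_pem" ]; then
    args="$args --tlsCertificateKeyFile $client_pem"
  fi
  echo "$args"
}

# Optional chain check before connecting (needs openssl): server.pem must
# verify against ca.pem exactly as the client will verify it.
verify_server_chain() {
  openssl verify -CAfile "$1" "$2"
}

# Usage from the container in the question:
#   mongo $(mongo_tls_args /etc/mongod.conf) admin -u root -p rootpassword
```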