Parse + mongodb + SSL: "no SSL certificate provided by peer"


Question

In the course of migrating off Parse's servers before it shuts down, I'm trying to set up a simple MongoDB instance on Digital Ocean. (I'm using that instead of mLab because my needs are very limited: a few MB of storage and a few hundred requests per week, and for that mLab's costs are pretty high.)

I've got mongod running, and have made some progress with SSL thanks to this guide using Let's Encrypt, but now I'm stuck. Parse's migration tool says, "No reachable servers," and if I try to connect on the command line like this:

mongo --ssl -u editAdmin -p "<password-here>" --host mydb.myhost.com dbname

I get this error:

MongoDB shell version: 3.2.7
connecting to: mydb.myhost.com:27017/dbname
2016-07-24T10:31:38.814-0700 E QUERY [thread1] Error: network error while attempting to run command 'isMaster' on host 'mydb.myhost.com:27017' :
connect@src/mongo/shell/mongo.js:231:14
@(connect):1:6

exception: connect failed

The server log reports:

2016-07-24T13:32:44.357-0400 I NETWORK [initandlisten] connection accepted from 12.345.67.89:33351 #39 (1 connection now open)
2016-07-24T13:32:44.390-0400 E NETWORK [conn39] no SSL certificate provided by peer; connection rejected
2016-07-24T13:32:44.390-0400 I NETWORK [conn39] end connection 12.345.67.89:33351 (0 connections now open)

So that would suggest the client needs to provide a cert, but (a) I don't know how to provide one, and (b) Parse doesn't provide that as an option so there must be some way not to.

Thanks in advance for any help.
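The server log excerpt above is the most useful evidence in the question: the rejection line names only a connection id (`[conn39]`), while the client address sits on the earlier `connection accepted` line. Joining the two tells you whether the rejected connections come from your own application hosts (a client-side configuration problem, as here) or from strangers probing the port. The script below is an added example, not code from the question or from MongoDB; it runs over a constructed log in the same format as the question's lines (addresses, ports and connection numbers made up) and assumes IPv4 addresses.

```shell
#!/bin/sh
# Added example, not part of the original question: summarise which client
# addresses mongod rejected for not presenting a TLS client certificate.
# The rejection line only carries the connection id ([conn39]); the client
# address is on the earlier "connection accepted" line, so the two are joined
# on that id. IPv4 "addr:port" strings are assumed (the port is stripped at
# the last colon).

# Constructed sample log in the format shown in the question. The addresses,
# ports and connection numbers are made up for this example.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
2016-07-24T13:32:44.357-0400 I NETWORK  [initandlisten] connection accepted from 12.345.67.89:33351 #39 (1 connection now open)
2016-07-24T13:32:44.390-0400 E NETWORK  [conn39] no SSL certificate provided by peer; connection rejected
2016-07-24T13:32:44.390-0400 I NETWORK  [conn39] end connection 12.345.67.89:33351 (0 connections now open)
2016-07-24T13:33:01.102-0400 I NETWORK  [initandlisten] connection accepted from 10.0.0.5:50200 #40 (1 connection now open)
2016-07-24T13:33:09.877-0400 I NETWORK  [conn40] end connection 10.0.0.5:50200 (0 connections now open)
2016-07-24T13:35:12.004-0400 I NETWORK  [initandlisten] connection accepted from 12.345.67.89:33352 #41 (1 connection now open)
2016-07-24T13:35:12.031-0400 E NETWORK  [conn41] no SSL certificate provided by peer; connection rejected
2016-07-24T13:35:12.031-0400 I NETWORK  [conn41] end connection 12.345.67.89:33352 (0 connections now open)
2016-07-24T13:36:40.510-0400 E NETWORK  [conn42] no SSL certificate provided by peer; connection rejected
EOF

count_cert_rejections() {
    # $1: mongod log file. Prints "client_ip count", one line per client,
    # with "unknown" for rejections whose accept line is not in the file
    # (for example because the log was rotated in between).
    awk '
        /connection accepted from/ {
            for (i = 1; i <= NF; i++) {
                if ($i == "from") {
                    addr = $(i + 1); sub(/:[0-9]+$/, "", addr)
                    id = $(i + 2); sub(/^#/, "", id)
                    client[id] = addr
                }
            }
        }
        /no SSL certificate provided by peer/ {
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^\[conn[0-9]+\]$/) {
                    id = $i; gsub(/[^0-9]/, "", id)
                    key = (id in client) ? client[id] : "unknown"
                    rejected[key]++
                }
            }
        }
        END { for (a in rejected) print a, rejected[a] }
    ' "$1" | LC_ALL=C sort
}

# Standalone run: prints "12.345.67.89 2" and "unknown 1" for the sample above.
count_cert_rejections "$SAMPLE_LOG"
```

Point it at the real `mongod.log` instead of `$SAMPLE_LOG`; a single address with a steady rejection count is almost always your own client missing `--sslPEMKeyFile` (or the `allowConnectionsWithoutCertificates` setting), while many distinct addresses point at the port being reachable from the internet.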

Answer

The key error message is this one:

no SSL certificate provided by peer; connection rejected

When you enable TLS/SSL on MongoDB, MongoDB clients can now authenticate that the MongoDB server is who it claims to be by comparing the MongoDB server's TLS/SSL certificate (specified by the PEMKeyFile property in the mongod.conf file) against the public Certificate Authority certificate that you provide to the MongoDB client to indicate which Certificate Authority you trust.

But what I just described is sometimes called one-way TLS, whereas, by default, MongoDB enables two-way or mutual TLS authentication. The idea behind this is that maybe the MongoDB server doesn't want to accept clients from just anyone (the way a public website might), but wants to authenticate the clients as well.

In TLS Mutual Auth, the same Certificate Authority I mentioned above will issue client certificates and the MongoDB server will check the client's certificate to make sure it really was issued by the Certificate Authority in question and that it's valid (e.g. hasn't expired).

So this error is saying "Hey, I expect my clients to present a TLS certificate, but you're not presenting anything."

Configure mongod and mongos for TLS/SSL describes this:

If you want to bypass validation for clients that don’t present certificates, include the allowConnectionsWithoutCertificates run-time option with mongod and mongos. If the client does not present a certificate, no validation occurs. These connections, though not validated, are still encrypted using SSL.

Of course, you can specify this in the mongod.conf file as well: https://docs.mongodb.com/manual/reference/configuration-options/#net.ssl.allowConnectionsWithoutCertificates

My preferred solution looks like this:

net:
  port: 27017
  bindIp: 172.0.0.1 # Set this to whatever your private IP address is
  ssl:
     mode: "requireSSL"
     PEMKeyFile: "/path/to/tls/private/key"
     CAFile: "/path/to/ca/public/cert"
     disabledProtocols: "TLS1_0,TLS1_1"
     allowConnectionsWithoutCertificates: true # <-- The line to add to your config
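The answer resolves the question by switching mutual TLS off. Part (a) of the question, how to present a client certificate when you do want mutual authentication, is worth seeing too. The script below is an added example, not code from the question, the answer or MongoDB: it builds a private CA, issues a client certificate from it, and checks that certificate the way mongod checks a presented client certificate against the CA in `CAFile`; a second certificate from an unrelated CA is shown failing that check. It assumes `openssl` on PATH, and the directory names, CA names, and the `editAdmin`/`rogue` file names are made up for the example.

```shell
#!/bin/sh
# Added example (not from the original question or answer): issue a client
# certificate from the CA that mongod trusts in net.ssl.CAFile, and check it
# the way mongod does before it accepts a mutually authenticated connection.
# Assumes openssl on PATH; directory, CA and subject names are made up here.
set -e

WORK=$(mktemp -d)
mkdir -p "$WORK/trusted" "$WORK/other"

make_ca() {
    # $1: directory; $2: CA common name. Writes a self-signed CA key and cert.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1/ca.key" -out "$1/ca.crt" >/dev/null 2>&1
}

issue_client_cert() {
    # $1: directory holding ca.key/ca.crt; $2: client CN; $3: output base name.
    # Produces $3.key, $3.crt and $3.pem (key followed by cert, the layout the
    # legacy mongo shell expects for --sslPEMKeyFile).
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1/$3.key" -out "$1/$3.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$1/$3.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -out "$1/$3.crt" >/dev/null 2>&1
    cat "$1/$3.key" "$1/$3.crt" > "$1/$3.pem"
}

client_cert_ok() {
    # $1: CA cert (what mongod has in CAFile); $2: client cert.
    # Succeeds only if the client cert chains to that CA and is inside its
    # validity period, which is the check mongod applies to a presented cert.
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

make_ca "$WORK/trusted" "Example MongoDB client CA"
make_ca "$WORK/other" "Unrelated CA"
issue_client_cert "$WORK/trusted" editAdmin editAdmin
issue_client_cert "$WORK/other" editAdmin rogue

if client_cert_ok "$WORK/trusted/ca.crt" "$WORK/trusted/editAdmin.crt"; then
    echo "editAdmin.crt: would be accepted by mongod"
fi
if ! client_cert_ok "$WORK/trusted/ca.crt" "$WORK/other/rogue.crt"; then
    echo "rogue.crt: would be rejected (not issued by the CA in CAFile)"
fi

# How the question's command line changes once a client cert exists:
echo "mongo --ssl --sslCAFile $WORK/trusted/ca.crt --sslPEMKeyFile $WORK/trusted/editAdmin.pem -u editAdmin -p '<password-here>' --host mydb.myhost.com dbname"
```

The CA whose certificate you put in mongod's `CAFile` has to be one whose private key you hold, because that is what signs the client certificates; the `editAdmin.pem` produced here is what goes to the client, and `ca.key` never leaves the machine that issues certificates. On MongoDB 4.2 and later the same settings live under `net.tls` (`mode: requireTLS`, `certificateKeyFile`, `CAFile`, `allowConnectionsWithoutCertificates`) and the shell flags are `--tls`, `--tlsCAFile` and `--tlsCertificateKeyFile`; the behaviour described in the answer is unchanged.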
