Parse + mongodb + SSL: "no SSL certificate provided by peer"

Question

In the course of migrating off Parse's servers before it shuts down, I'm trying to set up a simple MongoDB instance on Digital Ocean. (I'm using that instead of mLab because my needs are very limited—a few MB of storage, a few hundred requests per week—and for that mLab's costs are pretty high.)

I've got mongod running, and have made some progress with SSL thanks to this guide using Let's Encrypt, but now I'm stuck. Parse's migration tool says, "No reachable servers," and if I try to connect on the command line like this:

mongo --ssl -u editAdmin -p "<password-here>" --host mydb.myhost.com dbname

I get this error:

MongoDB shell version: 3.2.7
connecting to: mydb.myhost.com:27017/dbname
2016-07-24T10:31:38.814-0700 E QUERY [thread1] Error: network error while attempting to run command 'isMaster' on host 'mydb.myhost.com:27017' :
connect@src/mongo/shell/mongo.js:231:14
@(connect):1:6

exception: connect failed

The server log reports:

2016-07-24T13:32:44.357-0400 I NETWORK [initandlisten] connection accepted from 12.345.67.89:33351 #39 (1 connection now open)
2016-07-24T13:32:44.390-0400 E NETWORK [conn39] no SSL certificate provided by peer; connection rejected
2016-07-24T13:32:44.390-0400 I NETWORK [conn39] end connection 12.345.67.89:33351 (0 connections now open)

So that would suggest the client needs to provide a cert, but (a) I don't know how to provide one, and (b) Parse doesn't provide that as an option so there must be some way not to.

Thanks in advance for your help.

Recommended answer

The key error message is this one:

no SSL certificate provided by peer; connection rejected

When you enable TLS/SSL on MongoDB, MongoDB clients can now authenticate that the MongoDB server is who it claims to be by comparing the MongoDB's TLS/SSL certificate (specified by the PEMKeyFile property in the mongod.conf file) against the public Certificate Authority certificate that you provide to the MongoDB client to indicate which Certificate Authority you trust.

But what I just described is sometimes called one-way TLS, whereas, by default, MongoDB enables two-way or mutual TLS authentication. The idea behind this is that maybe the MongoDB doesn't want to accept clients from just anyone (the way a public website might), but wants to authenticate the clients as well.

In TLS Mutual Auth, the same Certificate Authority I mentioned above will issue client certificates and the MongoDB server will check the client's certificate to make sure it really was issued by the Certificate Authority in question and that it's valid (e.g. hasn't expired).

So this error is saying "Hey, I expect my clients to present a TLS certificate, but you're not presenting anything."

The fix is in Configure mongod and mongos for TLS/SSL:

If you want to bypass validation for clients that don’t present certificates, include the allowConnectionsWithoutCertificates run-time option with mongod and mongos. If the client does not present a certificate, no validation occurs. These connections, though not validated, are still encrypted using SSL.

Of course, you can specify this in the mongod.conf file as well: https://docs.mongodb.com/manual/reference/configuration-options/#net.ssl.allowConnectionsWithoutCertificates

My preferred solution looks like this:

net:
  port: 27017
  bindIp: 172.0.0.1 # Set this to whatever your private IP address is
  ssl:
     mode: "requireSSL"
     PEMKeyFile: "/path/to/tls/private/key"
     CAFile: "/path/to/ca/public/cert"
     disabledProtocols: "TLS1_0,TLS1_1"
     allowConnectionsWithoutCertificates: true # <-- The line to add to your config
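The following Go program is an added illustration of the two policies the answer contrasts; it is example code written for this page, not code from the question, the answer, or MongoDB. It generates a throwaway CA plus a server and a client certificate in memory (the names demo-ca, mongod.example and parse-client are made up), then runs TLS sessions over a loopback socket. Go's tls.RequireAndVerifyClientCert stands in for mongod's default mutual-TLS behaviour and tls.VerifyClientCertIfGiven for allowConnectionsWithoutCertificates: true; the CA pool plays the CAFile role and the server certificate the PEMKeyFile role.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"io"
	"math/big"
	"net"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// newCert generates a throwaway key and certificate in memory (nothing here is a
// real key or cert): parent == nil yields a self-signed CA, otherwise a leaf it issues.
func newCert(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		IPAddresses:  []net.IP{net.ParseIP("127.0.0.1")}, // so the client can verify "127.0.0.1"
	}
	if parent == nil { // self-signed CA: may sign certificates, no EKU restriction
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.ExtKeyUsage = true, true, nil
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// pki maps onto the mongod.conf above: pool is the CA behind CAFile, serverCert
// the PEMKeyFile identity, clientCert a client certificate issued by that same CA.
type pki struct {
	pool                   *x509.CertPool
	serverCert, clientCert tls.Certificate
}

func newPKI() *pki {
	ca, caKey := newCert("demo-ca", nil, nil)
	srv, srvKey := newCert("mongod.example", ca, caKey)
	cli, cliKey := newCert("parse-client", ca, caKey)
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	return &pki{pool,
		tls.Certificate{Certificate: [][]byte{srv.Raw}, PrivateKey: srvKey},
		tls.Certificate{Certificate: [][]byte{cli.Raw}, PrivateKey: cliKey}}
}

// handshake runs one TLS session over loopback TCP with the given server-side client-auth
// policy; the client presents its certificate or not. Returns the server-side and
// client-side errors (nil on both means the session completed).
func handshake(p *pki, policy tls.ClientAuthType, presentCert bool) (serverErr, clientErr error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	check(err)
	defer ln.Close()
	done := make(chan error, 1)
	go func() {
		conn, err := ln.Accept()
		check(err)
		defer conn.Close()
		srv := tls.Server(conn, &tls.Config{
			Certificates: []tls.Certificate{p.serverCert},
			ClientCAs:    p.pool,           // the CA allowed to issue client certs (CAFile)
			ClientAuth:   policy,           // RequireAndVerifyClientCert is mongod's default stance
			MinVersion:   tls.VersionTLS12, // mirrors disabledProtocols: "TLS1_0,TLS1_1"
		})
		if err := srv.Handshake(); err != nil {
			done <- err // e.g. "tls: client didn't provide a certificate"
			return
		}
		_, err = srv.Write([]byte("ok")) // only reached once the client satisfied the policy
		done <- err
	}()
	cfg := &tls.Config{RootCAs: p.pool, ServerName: "127.0.0.1", MinVersion: tls.VersionTLS12}
	if presentCert {
		cfg.Certificates = []tls.Certificate{p.clientCert} // like --sslPEMKeyFile on the mongo shell
	}
	c, err := tls.Dial("tcp", ln.Addr().String(), cfg)
	if err != nil {
		return <-done, err
	}
	defer c.Close()
	// With TLS 1.3 the client only learns of a certificate rejection on its first read.
	_, clientErr = io.ReadFull(c, make([]byte, 2))
	return <-done, clientErr
}
```

Calling handshake(p, tls.RequireAndVerifyClientCert, false) reproduces the situation in the question: the server side fails with a "didn't provide a certificate" error and the client side sees only a broken connection, much like the shell's "network error". Either presenting a certificate issued by the CA, or switching the server to tls.VerifyClientCertIfGiven (the allowConnectionsWithoutCertificates analogue), lets the session complete. Note what the relaxed policy gives up: the channel is still encrypted and the client still authenticates the server through the CA file, but the server no longer authenticates the client at the TLS layer, so access control rests entirely on the database credentials (the editAdmin user and password in the question) and on keeping the port reachable only from where it needs to be.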
