MongoDB SSL自签证书生成、应用和连接
程序员文章站
2022-06-06 22:59:06
...
环境版本
MongoDB server version: 4.0.11
生成SSL配置
1 服务器端证书配置
1.1 生成ca.pem
openssl req -out ca.pem -new -x509 -days 3650
# 此处会要求配置ca.pem密码,后续将会用到1.2生成server.pem
# 生成服务器端私钥
$ openssl genrsa -out server.key 2048
# 生成服务器端申请文件
$ openssl req -key server.key -new -out server.req
# 生成服务器端证书
$ openssl x509 -req -in server.req -CA ca.pem -CAkey privkey.pem -CAcreateserial -out server.crt -days 3650
# 合并服务器端私钥和服务器端证书,生成server.pem
$ cat server.key server.crt > server.pem
# 校验服务器端pem文件
$ openssl verify -CAfile ca.pem server.pem
server.pem: OK
2 生成client.pem
# 生成客户端私钥
$ openssl genrsa -out client.key 2048
# 生成客户端申请文件
$ openssl req -key client.key -new -out client.req
# 生成客户端证书
$ openssl x509 -req -in client.req -CA ca.pem -CAkey privkey.pem -CAserial ca.srl -out client.crt -days 3650
# 合并客户端私钥和客户端证书,生成client.pem
$ cat client.key client.crt > client.pem
# 校验客户端pem文件
$ openssl verify -CAfile ca.pem client.pem
client.pem: OK
docker-compose启动mongo docker
1 mongodb.conf 配置
# mongod.conf
# for documentation of all options, see:
# http://docs.mongodb.org/manual/reference/configuration-options/
# Where and how to store data.
#storage:
# dbPath: /var/lib/mongodb
# journal:
# enabled: true
# engine:
# mmapv1:
# wiredTiger:
# where to write logging data.
systemLog:
destination: file
logAppend: true
path: /var/log/mongodb/mongod.log
# network interfaces
net:
port: 27017
bindIp: 0.0.0.0
ssl:
mode: requireSSL
PEMKeyFile: /data/configssl/server.pem
CAFile: /data/configssl/ca.pem
allowInvalidHostnames: true
allowInvalidCertificates: true
# how the process runs
#processManagement:
# timeZoneInfo: /usr/share/zoneinfo
#security:
#operationProfiling:
#replication:
#sharding:
## Enterprise-Only Options:
#auditLog:
#snmp:2docker-compose.yaml文件配置
version: '2.1'
services:
mongo_ssl:
image: docker-reg.xxx.com/library/mongo:latest
container_name: mongo_ssl
ports:
- "27020:27017"
environment:
TZ: Asia/Shanghai
volumes:
- /opt/infrastructure/volumes/mongo_ssl/db:/data/db
- /opt/infrastructure/volumes/mongo_ssl/configssl:/data/configssl
entrypoint:
- bash
- -c
- /usr/bin/mongod --quiet --config /data/configssl/mongod.conf
restart: always
logging:
options:
max-size: "5M"
max-file: "10"
driver: json-file
3 启动mongo
docker-compose -f docker-compose-mongo-ssl.yaml up -d 4 客户端连接(robo3t)
注意:server和client的common name一致,但是不同于生成ca.pem的,且格式类似于xx.net 或者xx.com
以下是生成过程的日志,请参考
$ openssl req -out ca.pem -new -x509 -days 3650
Generating a 2048 bit RSA private key
.................+++
............................................................................+++
writing new private key to 'privkey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:JiangSu
Locality Name (eg, city) []:SuZhou
Organization Name (eg, company) [Internet Widgits Pty Ltd]:mrb
Organizational Unit Name (eg, section) []:mrb
Common Name (e.g. server FQDN or YOUR name) []:mrb.com
Email Address []:
$ openssl genrsa -out server.key 2048
Generating RSA private key, 2048 bit long modulus
........................+++
.........................................................................................................................................+++
e is 65537 (0x10001)
$ openssl req -key server.key -new -out server.req
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:JiangSu
Locality Name (eg, city) []:SuZhou
Organization Name (eg, company) [Internet Widgits Pty Ltd]:mrb
Organizational Unit Name (eg, section) []:mrb
Common Name (e.g. server FQDN or YOUR name) []:mrb1.com
Email Address []:aaa@qq.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:1234567
An optional company name []:mrb
$
$ openssl x509 -req -in server.req -CA ca.pem -CAkey privkey.pem -CAcreateserial -out server.crt -days 3650
Signature ok
subject=/C=CN/ST=JiangSu/L=SuZhou/O=mrb/OU=mrb/CN=mrb1/aaa@qq.com
Getting CA Private Key
Enter pass phrase for privkey.pem:
$ cat server.key server.crt > server.pem
$ openssl verify -CAfile ca.pem server.pem
server.pem: OK
$
$
$ openssl genrsa -out client.key 2048
Generating RSA private key, 2048 bit long modulus
......................................................................................+++
.........................................................+++
e is 65537 (0x10001)
$ openssl req -key client.key -new -out client.req
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:JiangSu
Locality Name (eg, city) []:SuZhou
Organization Name (eg, company) [Internet Widgits Pty Ltd]:mrb
Organizational Unit Name (eg, section) []:mrb
Common Name (e.g. server FQDN or YOUR name) []:mrb1.com
Email Address []:aaa@qq.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:1234567
An optional company name []:mrb
$ openssl x509 -req -in client.req -CA ca.pem -CAkey privkey.pem -CAserial ca.srl -out client.crt -days 3650
Signature ok
subject=/C=CN/ST=JiangSu/L=SuZhou/O=mrb/OU=mrb/CN=mrb1/aaa@qq.com
Getting CA Private Key
Enter pass phrase for privkey.pem:
$ cat client.key client.crt > client.pem
$ openssl verify -CAfile ca.pem client.pem
client.pem: OK
上一篇: mongo常用命令