I'm trying to create a secure SSL connection to MongoDB using PyMongo. The goal is to use this configuration for a Mongo instance running on EC2 to which I can connect with a Python client. For testing, I'm just trying to get the configuration working locally first. My as yet failing attempt can be found here.
Short version of what I think is the problem: My client side certificate authority file
ca.pem isn't correct. The way I have it, this file is actually identical to the one I'm using server side. Both were created using
openssl, and I suspect that my client side file needs some kind of different content, but I'm not sure exactly how to generate that content or if this suspicion is even correct.
Here are the details of what I've done for creating the necessary certificates and keys (on Mac El Capitan):
First, generate a certificate authority:
$ mkdir ~/ssl
$ cd ~/ssl
$ openssl req -out ca.pem -new -x509 -days 3650
# enter info
$ openssl genrsa -out server.key 2048
$ openssl req -key server.key -new -out server.req
# enter info
$ openssl x509 -req -in server.req -CA ca.pem -CAkey privkey.pem -CAserial file.srl -out server.crt -days 3650
$ cat server.key server.crt > server.pem
Now do the same for the client:
$ openssl genrsa -out client.key 2048
$ openssl req -key client.key -new -out client.req
$ openssl x509 -req -in client.req -CA ca.pem -CAkey privkey.pem -CAserial file.srl -out client.crt -days 3650
$ cat client.key client.crt > client.pem
Then I do the following configurations in
Now starting mongo (Mac) with
$ mongod --config /etc/mongod.conf
works as expected. The process runs and seems to be accepting the configurations.
Then on the Python side (also running on localhost for debugging), I do the following in calling mongo:
from pymongo import MongoClient
client = MongoClient(
# try a simple insert
When I run this, the Python code blocks after creating the
MongoClient, and I see in the
2016-03-03T22:11:30.331-0800 E NETWORK [conn21] SSL: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
On the basis of Wan's comment below, I redid the whole thing, making sure that the information in the 'Distinguished Name' was consistent with those specifications. The old version definitely used the same Common Name for both server and client. The connection still isn't succeeding, but the messages are somewhat different:
2016-03-11T12:29:40.380-0800 I NETWORK [initandlisten] connection accepted from 127.0.0.1:57363 #3 (1 connection now open)
2016-03-11T12:29:40.386-0800 I NETWORK [conn3] end connection 127.0.0.1:57363 (0 connections now open)
These 2 messages just repeat until I stop the Python process, which blocks when attempting to open the connection. The
end connection part is now in the place where the
alert unknown ca line was previously in the mongo log.
Additional info for debugging:
$ openssl verify -CAfile ca.pem client.pem
$ openssl verify -CAfile ca.pem server.pem
$ openssl x509 -noout -subject -in server.pem
$ openssl x509 -noout -subject -in client.pem
The bottom line after getting the subject line properly formed is that mongo is accepting the connection, then ending it, and the Python process is blocking without ever making the intended insert.
Any help is much appreciated!
There are other ways of generating server/client pem with a Certificate Authority i.e. without involving
file.srl, but this answer is to follow up on the question.
Worth mentioning that most MongoDB v3.0+ distributions now include support for SSL, please be sure to choose a package that supports SSL. The example below is tested with MongoDB v3.2 on Ubuntu Linux 14.04 with PyMongo v3.2.1. Where a single machine generated the CA, server and client pem files for demonstration purposes.
privkey.pem. The subject structure is
/C=<Country Name>/ST=<State>/L=<Locality Name>/O=<Organisation Name>/emailAddress=<email>/CN=<Common Name>.
mkdir ~/ssl cd ~/ssl openssl req -out ca.pem -new -x509 -days 3650 -subj "/C=AU/ST=NSW/O=Organisation/CN=root/[email protected]"
server .pem file:
hostname # note down the value echo "00" > file.srl # two random digits number openssl genrsa -out server.key 2048 openssl req -key server.key -new -out server.req -subj "/C=AU/ST=NSW/O=Organisation/CN=server1/CN=<hostname value>/[email protected]" openssl x509 -req -in server.req -CA ca.pem -CAkey privkey.pem -CAserial file.srl -out server.crt -days 3650 cat server.key server.crt > server.pem openssl verify -CAfile ca.pem server.pem
Although you can use IP address as
CN value as well, it is not recommended. See RFC-6125.
Now let's generate
openssl genrsa -out client.key 2048 openssl req -key client.key -new -out client.req -subj "/C=AU/ST=NSW/O=Organisation/CN=client1/[email protected]" openssl x509 -req -in client.req -CA ca.pem -CAkey privkey.pem -CAserial file.srl -out client.crt -days 3650 cat client.key client.crt > client.pem openssl verify -CAfile ca.pem client.pem
After generating the
.pem files, now you can run mongod. for example:
mongod --sslMode requireSSL --sslPEMKeyFile ~/server.pem --sslCAFile ~/ca.pem
You can test the connection using the mongo shell, for example:
mongo --ssl --sslPEMKeyFile ~/client.pem --sslCAFile ~/ca.pem --host <server hostname>
Once you can get connected successfully, you can try with PyMongo. For example:
import ssl from pymongo import MongoClient client = MongoClient( '<server hostname>', 27017, ssl=True, ssl_certfile='~/client.pem', ssl_cert_reqs=ssl.CERT_REQUIRED, ssl_ca_certs='~/ca.pem' )
Alternatively, you can also use
mongod flag --sslAllowInvalidHostnames to specify
For production use, your MongoDB deployment should use valid certificates generated and signed by a single certificate authority. If you use a self-signed certificate, although the communications channel will be encrypted, there will be no validation of server identity. Using a certificate signed by a trusted certificate authority will permit MongoDB drivers to verify the server’s identity. In general, avoid using self-signed certificates unless the network is trusted.
Other related links that you may find useful: