2015-10-16 44 views
1

Mongo Gandi SSL certificate not trusted

I'm having a problem with MongoDB in SSL mode. When I try to connect to my database, I get this error:

mongo --ssl --sslCAFile /etc/ssl/certs/GandiStandardSSLCA2.pem --host plip.plop.com 

MongoDB shell version: 3.0.6 
connecting to: plip.plop.com:27017/test 
2015-10-16T10:24:23.122+0000 E NETWORK SSL peer certificate validation failed:certificate not trusted 
2015-10-16T10:24:23.126+0000 E QUERY Error: socket exception [CONNECT_ERROR] for 
at connect (src/mongo/shell/mongo.js:181:14) 
at (connect):1:6 at src/mongo/shell/mongo.js:181 

My server's response:

2015-10-16T10:26:53.034+0000 I NETWORK [initandlisten] connection accepted from 172.17.0.227:48786 #1 (1 connection now open) 
2015-10-16T10:26:53.046+0000 W NETWORK [conn1] no SSL certificate provided by peer 
2015-10-16T10:26:53.046+0000 I NETWORK [conn1] end connection 172.17.0.227:48786 (0 connections now open) 

(I can connect to my database if I use the --sslAllowInvalidCertificates flag.)

So, here is what I did:

I added the SSL certificates:

cp wildcart.plop.com.crt /etc/ssl/certs/wildcart.plop.com.crt 
cp wildcart.plop.com.key /etc/ssl/private/wildcart.plop.com.key 
cp GandiStandardSSLCA2.pem /usr/local/share/ca-certificates/gandi.net/GandiStandardSSLCA2.crt # comes from https://wiki.gandi.net/en/ssl/intermediate 
cat /etc/ssl/private/wildcart.plop.com.key /etc/ssl/certs/wildcart.plop.com.crt > /etc/ssl/certs/mongodb.pem 
rm /etc/ssl/private/wildcart.plop.com.key /etc/ssl/certs/wildcart.plop.com.crt 
update-ca-certificates 
c_rehash 

And my MongoDB is started with this line: mongod --replSet plop --config /etc/mongodb/mongod

Contents of /etc/mongodb/mongod:

net:
  ssl:
    mode: requireSSL
    PEMKeyFile: /etc/ssl/certs/mongodb.pem
    CAFile: /etc/ssl/certs/GandiStandardSSLCA2.pem
    allowConnectionsWithoutCertificates: true

So, can you help me with this problem? I don't understand why my certificate isn't trusted. Do you have any ideas?

Thanks in advance for your help.

PS: Sorry for my English, I'm not completely fluent :D

+0

http://dba.stackexchange.com/questions/80859/issues-with-self-signed-certificates-ssl-and-mongodb – Vaulstein

+0

It's not exactly the same situation. I don't want to use certificates to authenticate clients. Currently I'm not using any password or key for clients. I just want to connect to mongo over SSL. – David

Answer

0

MongoDB does not use the system's global trust store.

sslCAFile must contain all the intermediate certificates of the validation chain.

In my case the certificate chain looks like this:

Certificate chain 
0 s:/OU=Domain Control Validated/OU=Gandi Standard Wildcard SSL/CN=*.plop.com 
    i:/C=FR/ST=Paris/L=Paris/O=Gandi/CN=Gandi Standard SSL CA 2 
1 s:/C=FR/ST=Paris/L=Paris/O=Gandi/CN=Gandi Standard SSL CA 2 
    i:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority 
2 s:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority 
    i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root 

So you need to concatenate the Gandi intermediate certificate with the AddTrust External CA Root certificate:

cat /etc/ssl/certs/GandiStandardSSLCA2.pem /etc/ssl/certs/AddTrust_External_Root.pem > /etc/ssl/certs/GandiStandardSSLCA2_full.pem 

mongo --ssl --sslCAFile /etc/ssl/certs/GandiStandardSSLCA2_full.pem --host plip.plop.com 

Enjoy

+1

Why not use the global trust store? – Petah