Running a MongoDB replica set inside Docker with x509 authentication: container fails to start, tlsMode not enabled

Question (votes: 0, answers: 1)

I am trying to set up a Docker cluster/replica set with clusterAuthentication set to TLS. We use the mongodb:7 (latest) Docker container from the official Docker Hub.

At the moment we are stuck at the startup phase (after a painful learning process on how to configure an openssl self-signed cert and CSR).

Starting the first replica set node immediately throws two errors:

{"t":{"$date":"2023-12-13T14:39:18.314Z"},"s":"D1", "c":"ASSERT",   "id":23074,   "ctx":"main","msg":"User assertion","attr":{"error":"BadValue: need to enable TLS via the sslMode/tlsMode flag when using TLS configuration parameters","file":"src/mongo/util/net/ssl_options_server.cpp","line":228}}

{"t":{"$date":"2023-12-13T14:39:18.314Z"},"s":"F",  "c":"CONTROL",  "id":20574,   "ctx":"main","msg":"Error during global initialization","attr":{"error":{"code":2,"codeName":"BadValue","errmsg":"need to enable TLS via the sslMode/tlsMode flag when using TLS configuration parameters"}}}

which are more or less the same. I don't understand why this error is thrown. The tls section is set in mongod.conf, and it doesn't matter which value I use (requireTLS, allowTLS or preferTLS).

We use this configuration:

File mongod.conf (yaml):

storage:
  dbPath: /var/lib/mongodb
systemLog:
  verbosity: 3
  destination: file
  logAppend: true
  path: /var/log/mongodb/mongod.log
net:
  tls:
    clusterAuthX509:
      attributes: O=TestOrganisation, OU=TestDepartment, CN=MongoDbCluster
    mode: requireTLS
    allowInvalidCertificates: true
    certificateKeyFile: /etc/certs/server.pem
    CAFile: /etc/certs/server.crt
    clusterFile: /etc/certs/server.pem
  bindIp: 0.0.0.0,mongodb-cluster
  port: 27017
processManagement:
  timeZoneInfo: /usr/share/zoneinfo
replication:
  replSetName: rs0
security:
  authorization: enabled
  clusterAuthMode: x509

We successfully generated the certificates with the following commands:

openssl genrsa -out server.key 4096
openssl req -x509 -new -nodes -sha256 -days 1825 -config ca_req.conf -newkey rsa:4096 -keyout serverROOTCA.key -out server.crt

openssl req -new -out server.csr -key server.key -config req_ext.conf -extensions v3_req

openssl x509 -req -in server.csr -CA server.crt -CAkey serverROOTKey.key -CAcreateserial -out server.crt -days 730 -sha256 -extfile req_ext.conf -extensions v3_req

We use this file as req_ext.conf for both the CSR and the actual certificate; the req conf for the root CA looks different.

[CA_default]
copy_extensions = copy
[req]
distinguished_name = client_ca
req_extensions = v3_req
prompt = no
[alt_names]
DNS.1 = mongodb-cluster
DNS.2 = replace_me_1
DNS.3 = replace_me_2
[client_ca]
C = SC
ST = SC
L = SampleCity
O = TestOrganisation
OU = TestDepartment
CN = MongoDbCluster
[v3_req]
subjectAltName = @alt_names
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = clientAuth, serverAuth

server.pem also contains the key and the certificate with the corresponding BEGIN/END KEY or CERTIFICATE markers. The "replace_me" values are the actual alternative DNS names of the other servers. Each server has its own Docker network and later exposes the MongoDB instance on the same port.

For Docker we rely on a run script and pass in some environment values and files:

 docker run -d --restart always --name mongodb-cluster \
    --network traefik \
    -e MONGO_INITDB_ROOT_USERNAME=someuser \
    -e MONGO_INITDB_ROOT_PASSWORD=somepassword \
    -v $PWD/data:/var/lib/mongodb \
    -v $PWD/log/mongod.log:/var/log/mongodb/mongod.log \
    -v $PWD/conf/mongod.conf:/etc/mongod.conf \
    -v $PWD/certs/server.crt:/etc/certs/server.crt \
    -v $PWD/certs/server.pem:/etc/certs/server.pem \
    -p SOMEPORT:27017 \
    mongo:7 mongod -f /etc/mongod.conf

We followed this documentation for a TLS-protected x509 instance: https://www.mongodb.com/docs/manual/tutorial/configure-ssl/

We also tried specifying --tls or --tlsMode requireTLS as startup arguments of the docker run command, but that leads to the same error as well.

What could be the problem that this configuration does not work?

Edit: Also, the purposes of the root CA when running the command:

openssl x509 -in server.crt -noout -text -purpose

Certificate purposes:
SSL client : Yes
SSL client CA : Yes (WARNING code=3)
SSL server : Yes
SSL server CA : Yes (WARNING code=3)
Netscape SSL server : Yes
Netscape SSL server CA : Yes (WARNING code=3)
S/MIME signing : Yes
S/MIME signing CA : Yes (WARNING code=3)
S/MIME encryption : Yes
S/MIME encryption CA : Yes (WARNING code=3)
CRL signing : Yes
CRL signing CA : Yes (WARNING code=3)
Any Purpose : Yes
Any Purpose CA : Yes
OCSP helper : Yes
OCSP helper CA : Yes (WARNING code=3)
Time Stamp signing : No
Time Stamp signing CA : Yes (WARNING code=3)

Edit 2: The command

openssl x509 -in server.pem -noout -ext keyUsage,extendedKeyUsage,basicConstraints

outputs:

X509v3 Key Usage: 
   Key Encipherment, Data Encipherment
X509v3 Extended Key Usage: 
   TLS Web Client Authentication, TLS Web Server Authentication

For the root CA I get this output:

openssl x509 -in server.crt -noout -ext keyUsage,extendedKeyUsage,basicConstraints
No extensions in certificate

Also, the following ca_req.conf is used for the root CA:

[req]
distinguished_name = RootCa
req_extensions = v3_req
prompt = no
[RootCa]
C = DE
ST = SC
L = SampleCity
O = TestOrganisation
OU = TestDepartment
CN = RootCa

[v3_req]
basicConstraints = CA:true, pathlen:0
keyUsage = keyCertSign
extendedKeyUsage = serverAuth

Tags: mongodb docker ssl replicaset

1 answer

0 votes

The CA output should look similar to this:

X509v3 Key Usage: critical
    Certificate Sign, CRL Sign
X509v3 Basic Constraints: critical
    CA:TRUE

I created my certificates like this:

CA certificate config file ca.conf:

[req]
distinguished_name = req_distinguished_name
prompt = no
[req_distinguished_name]
C = CH
O = Company
OU = OSS
CN = Root CA
[v3_ca]
keyUsage = critical, keyCertSign, cRLSign
basicConstraints = critical, CA:true
subjectKeyIdentifier = hash

Certificate config file mongo.conf:

[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[req_distinguished_name]
C = CH
O = Company
OU = OSS
CN = MongoDB
[v3_req]
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = localhost

Then with these commands:

# Create private key for CA:
openssl genrsa -out ca.key 4096

# Create CA certificate:
openssl req -x509 -new -noenc -extensions v3_ca -config ca.conf -key ca.key -days 7305 -sha256 -out ca.cer


# Create certificate request with explicit private key:
openssl genrsa -out mongo.key 2048
openssl req -new -noenc -key mongo.key -config mongo.conf -out mongo.csr

# Alternative: Create certificate request with automatically generated private key
openssl req -new -noenc -newkey rsa:2048 -keyout mongo.key -config mongo.conf -out mongo.csr


# Create certificate, i.e. sign the certificate request
openssl x509 -req -in mongo.csr -CA ca.cer -CAkey ca.key -CAcreateserial -days 365 -sha512 -copy_extensions copyall -out mongo.cer

Output:

openssl x509 -in ca.cer -noout -subject -issuer -ext keyUsage,extendedKeyUsage,basicConstraints -purpose

subject=C = CH, O = Company, OU = OSS, CN = Root CA
issuer=C = CH, O = Company, OU = OSS, CN = Root CA

X509v3 Key Usage: critical
    Certificate Sign, CRL Sign
X509v3 Basic Constraints: critical
    CA:TRUE

Certificate purposes:
SSL client : No
SSL client CA : Yes
SSL server : No
SSL server CA : Yes
Netscape SSL server : No
Netscape SSL server CA : Yes
S/MIME signing : No
S/MIME signing CA : Yes
S/MIME encryption : No
S/MIME encryption CA : Yes
CRL signing : Yes
CRL signing CA : Yes
Any Purpose : Yes
Any Purpose CA : Yes
OCSP helper : Yes
OCSP helper CA : Yes
Time Stamp signing : No
Time Stamp signing CA : Yes


openssl x509 -in mongo.cer -noout -purpose -subject -issuer -ext keyUsage,extendedKeyUsage,basicConstraints,subjectAltName -purpose

subject=C = CH, O = Company, OU = OSS, CN = MongoDB
issuer=C = CH, O = Company, OU = OSS, CN = Root CA

X509v3 Key Usage: critical
    Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
    TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Subject Alternative Name:
    DNS:localhost

Certificate purposes:
SSL client : Yes
SSL client CA : No
SSL server : Yes
SSL server CA : No
Netscape SSL server : Yes
Netscape SSL server CA : No
S/MIME signing : No
S/MIME signing CA : No
S/MIME encryption : No
S/MIME encryption CA : No
CRL signing : No
CRL signing CA : No
Any Purpose : Yes
Any Purpose CA : Yes
OCSP helper : Yes
OCSP helper CA : No
Time Stamp signing : No
Time Stamp signing CA : No

Once you manage to get it working, I would recommend separating the client and server certificates. That means

[v3_req]
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = localhost

is split into

[v3_req]
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = localhost

[v3_req]
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
# On client certificates, subjectAltName (SAN) is not used

Using openssl-ca is a bit different. You can create the certificates directly, i.e. without creating a certificate request, so it is simpler to use. On the other hand, openssl-ca uses a kind of mini database to store the used/generated certificates, which again makes it more complex.

Note that a while ago I found X Certificate and Key Management (or https://hohnstaedt.de/xca/index.php/download), which is easier to use than openssl on the command line.
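A check that ties the question and the answer together, added here as example code that is not part of either post: it regenerates a CA and one node certificate with the extension sections the answer shows (using -addext and an extfile instead of the answer's config files, so it also runs on OpenSSL 1.1.1), then verifies the properties mongod's TLS and x509 cluster authentication depend on before the files are mounted into the container. The subject names, the SAN mongodb-cluster and the temporary directory are assumptions made for this demo.

```shell
#!/bin/sh
# Added example (not from the question or the answer): build a CA and one MongoDB node
# certificate with the extension sections the answer shows, then check the
# properties mongod's TLS + x509 cluster auth depends on before mounting the files.
# Subject names, the SAN and the work directory are constructed for this demo.
set -eu
W=$(mktemp -d); cd "$W"
printf '[req]\ndistinguished_name=dn\n[dn]\n' > req.conf   # minimal config, DN given via -subj

# Root CA. The extensions must be added to the *certificate* (-addext here, or
# -extensions <section> as in the answer); "req_extensions" alone, as in the
# asker's ca_req.conf, only applies to CSRs and leaves the CA without the v3_req extensions.
openssl req -x509 -new -nodes -newkey rsa:2048 -keyout ca.key -out ca.cer -days 365 -sha256 \
  -config req.conf -subj '/C=CH/O=Company/OU=OSS/CN=Root CA' \
  -addext 'keyUsage=critical,keyCertSign,cRLSign' -addext 'basicConstraints=critical,CA:true' 2>/dev/null

# Node certificate: one cert used as certificateKeyFile and clusterFile, so it
# needs both serverAuth and clientAuth; extensions come from an extfile section.
printf '%s\n' '[v3_req]' 'keyUsage=critical,digitalSignature,keyEncipherment' \
  'extendedKeyUsage=serverAuth,clientAuth' 'subjectAltName=DNS:mongodb-cluster' > ext.conf
openssl req -new -nodes -newkey rsa:2048 -keyout mongo.key -out mongo.csr \
  -config req.conf -subj '/C=CH/O=Company/OU=OSS/CN=MongoDB' 2>/dev/null
openssl x509 -req -in mongo.csr -CA ca.cer -CAkey ca.key -CAcreateserial -days 365 -sha256 \
  -extfile ext.conf -extensions v3_req -out mongo.cer 2>/dev/null
cat mongo.key mongo.cer > mongo.pem      # the key+cert layout net.tls.certificateKeyFile expects

# Prints "ok" and returns 0 only when every property holds; otherwise names the first failure.
check_mongo_certs() {
  ca=$1; pem=$2
  catext=$(openssl x509 -in "$ca" -noout -text)
  case "$catext" in *'CA:TRUE'*) ;; *) echo "CA lacks basicConstraints CA:TRUE"; return 1;; esac
  case "$catext" in *'Certificate Sign'*) ;; *) echo "CA lacks keyCertSign"; return 1;; esac
  openssl verify -CAfile "$ca" "$pem" >/dev/null 2>&1 || { echo "node cert does not chain to CA"; return 1; }
  eku=$(openssl x509 -in "$pem" -noout -ext extendedKeyUsage)
  case "$eku" in *'Server Authentication'*) ;; *) echo "node cert lacks serverAuth"; return 1;; esac
  case "$eku" in *'Client Authentication'*) ;; *) echo "node cert lacks clientAuth"; return 1;; esac
  [ "$(openssl pkey -in "$pem" -pubout 2>/dev/null)" = "$(openssl x509 -in "$pem" -noout -pubkey)" ] \
    || { echo "key and certificate in $pem do not match"; return 1; }
  echo ok
}

check_mongo_certs ca.cer mongo.pem
```

Running the same function against the asker's server.crt and server.pem would stop at the first check, since their root CA carries no basicConstraints at all.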
