Connecting with X509

This is a question related to X509. I have set up a stand-alone server using X509.
I can start the daemon with:

mongod --tlsMode requireTLS --tlsCertificateKeyFile server.pem --tlsCAFile ca.pem --auth --dbpath /mnt/mongoDB-One/DB_X509 --logpath /mnt/mongoDB-One/DB_X509/mongod.log --fork --bind_ip 127.0.0.1,192.168.1.2

I can also connect with:

mongo --tls --host localhost --tlsCertificateKeyFile client.pem --tlsCAFile ca.pem

But I cannot connect using:

mongo --tls --host 127.0.0.1 --tlsCertificateKeyFile client.pem --tlsCAFile ca.pem

mongo --tls --host 192.168.1.2 --tlsCertificateKeyFile client.pem --tlsCAFile ca.pem

Why is that? I may have to say that I made my own ca.pem, server.pem and client.pem certificate files.

What is your mongod version?
In older versions TLS/SSL does not support IP addresses.

I think your --host param should match either the SAN or the CN in your certificate.

The mongo shell verifies that the hostname (specified in the --host option or the connection string) matches the SAN (or, if SAN is not present, the CN) in the certificate presented by the mongod or mongos. If SAN is present, mongo does not match against the CN. If the hostname does not match the SAN (or CN), the mongo shell will fail to connect.

Starting in MongoDB 4.2, when performing comparison of SAN, MongoDB supports comparison of DNS names or IP addresses. In previous versions, MongoDB only supports comparisons of DNS names.

As for the version, I am using 4.4.2.

For what you write about the SAN, I have already read similar things on the net, but how do you correctly set this SAN? I have tried a few ways to do that, but at this point nothing was successful. The simplest would be a command line option, but another method would also be fine as long as it works.

I tried both command line options and changing the openssl config. But apparently I didn’t do it right.

Please check these. They may help:
https://jira.mongodb.org/browse/SERVER-24533
https://jira.mongodb.org/browse/SERVER-36669
What do the CN/SAN fields in your certificates show?
What error do you get with the IP?

Some workaround, like using invalidhostname, was discussed in the above links.

CN is OK, but SAN does not show at all.

Using --sslAllowInvalidHostnames is not really a good option, though I know it allows me to connect. I am not intending to use anything invalid.

I want to set my server to accept what is valid. So I presume I need to know how to correctly set SAN.

In the links you mention I can see these kinds of lines in the certificates:

X509v3 extensions:
X509v3 Subject Alternative Name:

But I do not know how to make them appear in mine.
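An added example, not code from anyone in this thread, showing how to make the X509v3 Subject Alternative Name lines above appear in a server certificate with the openssl CLI, and how to check that a given --host value (DNS name or IP) is actually listed there. It assumes only the openssl command; the file names, the CN and the SAN values are constructed to mirror the hosts used in the thread.

```shell
#!/bin/sh
# Added example, not code from anyone in this thread. It issues a server
# certificate whose Subject Alternative Name (SAN) lists every name mongod
# is reached by, so the mongo shell's hostname check passes for localhost,
# 127.0.0.1 and 192.168.1.2 alike. Assumes only the openssl CLI; all file
# names are constructed here and the CN/SAN values are illustrative.
set -e

# make_server_cert DIR SAN
#   Create a throw-away CA (ca.pem) and sign a server certificate with it.
#   SAN uses openssl's own syntax, e.g. "DNS:localhost,IP:127.0.0.1";
#   pass "" to reproduce a certificate with no SAN extension at all.
make_server_cert() {
  dir="$1"; san="$2"
  mkdir -p "$dir"
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Example CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=localhost" \
    -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
  if [ -n "$san" ]; then
    # The SAN is an X509v3 extension; it is added at signing time via -extfile.
    printf 'subjectAltName=%s\n' "$san" > "$dir/san.ext"
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
      -CAcreateserial -days 365 -extfile "$dir/san.ext" -out "$dir/server.crt" 2>/dev/null
  else
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
      -CAcreateserial -days 365 -out "$dir/server.crt" 2>/dev/null
  fi
  # mongod's --tlsCertificateKeyFile wants key and certificate in one PEM file.
  cat "$dir/server.key" "$dir/server.crt" > "$dir/server.pem"
}

# cert_san CERT
#   Print the SAN entries of a certificate, normalised to openssl's
#   "DNS:name,IP:addr" form; prints nothing when the extension is absent.
cert_san() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n +2 \
    | sed 's/IP Address:/IP:/g; s/ //g'
}

# san_has CERT ENTRY
#   Succeed if ENTRY (e.g. "IP:192.168.1.2") is listed in the SAN, which is
#   what the mongo shell's --host verification needs to find.
san_has() {
  cert_san "$1" | tr ',' '\n' | grep -qx "$2"
}
```

Inspecting the result with `openssl x509 -in server.pem -noout -text` shows the "X509v3 Subject Alternative Name" block; a certificate made without the extfile step, as in the thread, shows none.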

Hi @Michel_Bouchet,

I am assuming this exercise is not related to the lab in the course.

For a detailed discussion on this use case, I would recommend you to post in the community forums.

Kind Regards,
Sonali

It is true that it is not related to a given lab. But it is a direct application of what I learned (or should have learned) in this course. Thanks for the link anyway.