§2023-008-02
- Generating the X.509 Certificates
- Generate a X.509 Certificate for hc4MnMin.yushei.net, 192.168.48.239
¶ Go to orgpi5Arch.yushei.net
[alexlai@orpi5Arch ~]$ mkdir x.509 && cd $_
[alexlai@orpi5Arch x.509]$ pwd
/opt/xfs/home/alexlai/x.509
$ ./genCertificate.sh hc4MnMin.yushei.net
....
Certificate request self-signature ok
subject=C = Tw, ST = Taiwan, L = Taichung, O = yushei.net, OU = ComputerDepartment, CN = hc4MnMin.yushei.net
Enter pass phrase for mongoCA.key:
[alexlai@orpi5Arch x.509]$ ls
genCertificate.sh hc4Jammy.yushei.net.pem mongoCA.crt mongoCA.srl orgpi5Jammy.yushei.net.pem
h2Jammy.yushei.net.pem hc4MnMin.yushei.net.pem mongoCA.key orgpi5Arch.yushei.net.pem
¶Step 2. Move the keys into the /opt/xfs/mongodb/x.509 directory
As a convention,
- /opt/xfs/mongodb/data/ stores the databases, i.e.
- /opt/xfs/mongodb/data/data-27999/ is the directory holding the mongod instance on port 27999
- data-27999 has to be created first and owned by mongodb:mongodb
- /opt/xfs/mongodb/log/ is the directory holding all log files
- /opt/xfs/mongodb/log/mongod-27999.log is for the mongod running on port 27999; create it with sudo touch and chown it to mongodb:mongodb
- /opt/xfs/mongodb/x.509/ holds mongoCA.crt and this host's key+certificate PEM; because the PEM contains the private key it should be owned by mongodb and readable by that user only (mode 0600, not the default 0644)
[alexlai@hc4MnMin ~]$ sudo mkdir /opt/xfs/mongodb/data/data-27999
[alexlai@hc4MnMin ~]$ sudo chown mongodb:mongodb /opt/xfs/mongodb/data/data-27999/
[alexlai@hc4MnMin ~]$ sudo ls -l /opt/xfs/mongodb/data/
total 0
drwxr-xr-x 2 mongodb mongodb 6 Aug 2 04:47 data-27999
[alexlai@hc4MnMin ~]$ sudo touch /opt/xfs/mongodb/log/mongod-27999.log
[alexlai@hc4MnMin ~]$ sudo chown mongodb:mongodb /opt/xfs/mongodb/log/mongod-27999.log
[alexlai@hc4MnMin ~]$ sudo ls -l /opt/xfs/mongodb/log/
total 0
-rw-r--r-- 1 mongodb mongodb 0 Aug 2 04:50 mongod-27999.log
$ sudo mkdir /opt/xfs/mongodb/x.509
$ sudo chown mongodb:mongodb /opt/xfs/mongodb/x.509/
$ ls -l /opt/xfs/mongodb/
total 0
drwxr-xr-x 2 mongodb mongodb 6 Aug 1 10:11 data
drwxr-xr-x 2 mongodb mongodb 6 Aug 1 10:11 log
drwxr-xr-x 2 mongodb mongodb 6 Aug 2 04:33 x.509
¶Step 3. Get the X.509 files from orgPi5Arch.yushei.net
[alexlai@hc4MnMin ~]$ pwd
/home/alexlai
$ scp orgpi5Arch.yushei.net:/opt/xfs/home/alexlai/x.509/mongoCA.crt ./
$ scp orgpi5Arch.yushei.net:/opt/xfs/home/alexlai/x.509/hc4MnMin.yushei.net.pem ./
$ sudo mv mongoCA.crt /opt/xfs/mongodb/x.509/
$ sudo mv hc4MnMin.yushei.net.pem /opt/xfs/mongodb/x.509/
$ sudo chown mongodb:mongodb /opt/xfs/mongodb/x.509/*
$ ls -l /opt/xfs/mongodb/x.509/*
-rw-r--r-- 1 mongodb mongodb 6004 Aug 2 04:39 /opt/xfs/mongodb/x.509/hc4MnMin.yushei.net.pem
-rw-r--r-- 1 mongodb mongodb 3601 Aug 2 04:38 /opt/xfs/mongodb/x.509/mongoCA.crt
¶Step 4. /etc/mongodb-27999.conf
# mongodb-27999.conf
# MuneTakaHome replicationSet
# for documentation of all options, see:
# http://docs.mongodb.org/manual/reference/configuration-options/

# where to write logging data.
systemLog:
  destination: file
  logAppend: true
  path: /opt/xfs/mongodb/log/mongod-27999.log

# Where and how to store data.
storage:
  dbPath: /opt/xfs/mongodb/data/data-27999/

# how the process runs
processManagement:
  timeZoneInfo: /usr/share/zoneinfo

# network interfaces
net:
  port: 27999
  bindIp: 0.0.0.0 # Enter 0.0.0.0,:: to bind to all IPv4 and IPv6 addresses or, alternatively, use the net.bindIpAll setting.
  # net.ssl.* is the pre-4.2 spelling of net.tls.* (mode / certificateKeyFile); preferSSL still accepts plaintext clients
  ssl:
    mode: preferSSL
    PEMKeyFile: /opt/xfs/mongodb/x.509/hc4MnMin.yushei.net.pem
    CAFile: /opt/xfs/mongodb/x.509/mongoCA.crt
    allowInvalidCertificates: false
    allowInvalidHostnames: false
    # clusterFile: /var/lib/mongodb/x.509/orgpi5Arch.yushei.net.pem
    # PEMKeyPassword: TxxxxYxxLxx#1nnn
    # clusterPassword: TxxxxYxxLxx#1nnn

# For a new installation, security is turned off first. Until it is enabled, anyone who can reach
# port 27999 on any interface has unrestricted read/write access (mongod logs a startup warning for this).
# security:
#   authorization: enabled
#   clusterAuthMode: x509

#operationProfiling:

replication:
  replSetName: "MuneTakaHome"

#sharding:

## Enterprise-Only Options

#auditLog:

#snmp:
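For contrast, here is an added, hardened version of the net and security sections (my example, not the page's file): the page's own values are quoted in comments next to what a member should run with once the replica set has been initialised and the admin and x.509 users exist. It assumes the host address 192.168.48.239 from Step 1 is the interface the other members reach.

```yaml
net:
  port: 27999
  # page: bindIp: 0.0.0.0  (every interface, while authorization is still disabled)
  bindIp: localhost,192.168.48.239        # loopback plus the replica-set interface only
  tls:                                     # page: net.ssl.* with mode: preferSSL
    mode: requireTLS                       # preferSSL still accepts plaintext clients
    certificateKeyFile: /opt/xfs/mongodb/x.509/hc4MnMin.yushei.net.pem
    CAFile: /opt/xfs/mongodb/x.509/mongoCA.crt
    allowInvalidCertificates: false
    allowInvalidHostnames: false           # requires a SAN matching hc4MnMin.yushei.net in the certificate
security:
  # page: both lines commented out ("security is turned off first")
  authorization: enabled                   # every client must authenticate
  clusterAuthMode: x509                    # members authenticate to each other with their certificates
replication:
  replSetName: "MuneTakaHome"
```

Create the admin user, and the $external users for the client certificates, through the localhost exception before turning authorization on, or you lock yourself out. With clusterAuthMode x509 every member certificate must carry the same O, OU and DC values and its own host name in the SAN; the single shared alt_names list in the page's openssl.cnf would make each certificate valid for every member, which hostname verification is meant to prevent.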
¶Step 4, /etc/systemd/system/Mongodb-27999.service
[Unit]
Description=MongoDB Database Server, port 27999, MuneTakaHome
Documentation=https://docs.mongodb.org/manual
After=network-online.target
Wants=network-online.target
[Service]
TimeoutStartSec=infinity
User=mongodb
Group=mongodb
Environment="OPTIONS=-f /etc/mongodb-27999.conf"
Environment="MONGODB_CONFIG_OVERRIDE_NOFORK=1"
ExecStart=/usr/local/bin/mongod $OPTIONS
RuntimeDirectory=mongodb
# file size
LimitFSIZE=infinity
# cpu time
LimitCPU=infinity
# virtual memory size
LimitAS=infinity
# open files
LimitNOFILE=64000
# processes/threads
LimitNPROC=64000
# locked memory
LimitMEMLOCK=infinity
# total threads (user+kernel)
TasksMax=infinity
TasksAccounting=false
# Recommended limits for mongod as specified in
# https://docs.mongodb.com/manual/reference/ulimit/#recommended-ulimit-settings
[Install]
WantedBy=multi-user.target
¶Step 5, test run
$ sudo systemctl daemon-reload
$ sudo systemctl start Mongodb-27999.service
$ sudo systemctl status Mongodb-27999.service
If it is not running, check the journal and the mongod log:
- journalctl -xfu Mongodb-27999.service
- sudo less /opt/xfs/mongodb/log/mongod-27999.log
$ sudo cat /opt/xfs/mongodb/log/mongod-27999.log
{"t":{"$date":"2023-08-02T05:00:28.233+08:00"},"s":"I", "c":"CONTROL", "id":20698, "ctx":"main","msg":"***** SERVER RESTARTED *****"}
{"t":{"$date":"2023-08-02T05:00:28.236+08:00"},"s":"I", "c":"NETWORK", "id":4915701, "ctx":"main","msg":"Initialized wire specification","attr":{"spec":{"incomingExternalClient":{"minWireVersion":0,"maxWireVersion":21},"incomingInternalClient":{"minWireVersion":0,"maxWireVersion":21},"outgoing":{"minWireVersion":6,"maxWireVersion":21},"isInternalClient":true}}}
{"t":{"$date":"2023-08-02T05:00:28.241+08:00"},"s":"E", "c":"NETWORK", "id":23248, "ctx":"main","msg":"Cannot read certificate file","attr":{"keyFile":"/opt/xfs/mogodb/x.509/hc4MnMin.yushei.net.pem","error":"error:FFFFFFFF80000002:system library::No such file or directory"}}
{"t":{"$date":"2023-08-02T05:00:28.242+08:00"},"s":"F", "c":"CONTROL", "id":20574, "ctx":"main","msg":"Error during global initialization","attr":{"error":{"code":140,"codeName":"InvalidSSLConfiguration","errmsg":"Can not set up PEM key file."}}}
The keyFile path in the error reads /opt/xfs/mogodb/... (mogodb, not mongodb): the config file mongod loaded had a typo in its PEMKeyFile line (the listing in Step 4 shows the corrected path). mongod treats an unreadable certificate file as a fatal InvalidSSLConfiguration error and exits instead of starting without TLS, so fix the path, restart the unit and check its status again before continuing.
¶Step 5. Use mongosh to fine-tune mongod
[alexlai@hc4MnMin ~]$ mongosh mongodb://localhost:27999
Current Mongosh Log ID: 64c99184be140a8aa7dd9a71
Connecting to: mongodb://localhost:27999/?directConnection=true&serverSelectionTimeoutMS=2000&appName=mongosh+1.10.1
Using MongoDB: 7.0.0-rc8
Using Mongosh: 1.10.1
For mongosh info see: https://docs.mongodb.com/mongodb-shell/
------
The server generated these startup warnings when booting
2023-08-02T07:12:18.078+08:00: Server certificate has no compatible Subject Alternative Name. This may prevent TLS clients from connecting
2023-08-02T07:12:20.571+08:00: Access control is not enabled for the database. Read and write access to data and configuration is unrestricted
2023-08-02T07:12:20.571+08:00: vm.max_map_count is too low
------
Ask chatGPT
[alexlai@orpi5Arch x.509]$ ls
genCertificate.sh mongoCA.crt mongoCA.srl mongoCA.key openssl.cnf
And openssl.cnf has
[alexlai@orpi5Arch x.509]$ diff openssl.cnf /etc/ssl/openssl.cnf
164c164
< req_extensions = v3_req # The extensions to add to a certificate request
---
> # req_extensions = v3_req # The extensions to add to a certificate request
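Review bot: this line only affects the CSR. req_extensions tells openssl req which extensions to embed in the request, but openssl x509 -req, which genCertificate.sh uses for signing, ignores request extensions and takes them from -extfile/-extensions (OpenSSL 3 adds -copy_extensions copy to change that). Enabling it is harmless, but it cannot by itself put a SAN into the signed certificate.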
232,242d231
<
< # subjectAltName = @alt_names
<
< [ alt_names ]
< DNS.1 = orgPi5Arch.yushei.net
< DNS.2 = orgPi5Jammy.yushei.net
< DNS.3 = hc4MnMin.yushei.net
< DNS.4 = n2Mnjaro.yushei.net
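Review bot: subjectAltName = @alt_names is commented out, so the [ alt_names ] section is never referenced and the v3_req section handed to openssl x509 -extensions v3_req -extfile openssl.cnf contains no SAN; that is the "Server certificate has no compatible Subject Alternative Name" warning mongod keeps printing. Uncomment it inside [ v3_req ]. A second point: one alt_names list shared by all four hosts makes every certificate valid for every host name, so hostname verification could no longer tell members apart; supply a per-host SAN (DNS:<CN> plus its IP address) at signing time instead.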
And genCertificate.sh
#!/bin/bash
# genCertificate.sh <FQDN>: issue a host certificate signed by mongoCA and bundle it with its
# private key into <FQDN>.pem, the layout mongod's PEMKeyFile / certificateKeyFile expects.
set -eu
umask 077 # the .key and .pem hold a private key: create them mode 0600, not 0644
if [ "${1:-}" = "" ]; then
  echo 'hostname is the fully qualified name, i.e. orgPi5Arch.yushei.net'
  echo 'Please enter your hostname (CN):'
  exit 1
fi
HOST_NAME="$1"
SUBJECT="/C=Tw/ST=Taiwan/L=Taichung/O=yushei.net/OU=ComputerDepartment/CN=$HOST_NAME"
# Generate the private key and the CSR (extensions inside the CSR are not copied into the certificate)
openssl req -new -nodes -newkey rsa:4096 -subj "$SUBJECT" -keyout "$HOST_NAME.key" -out "$HOST_NAME.csr" -config openssl.cnf
# Sign with the CA. The certificate's extensions, SAN included, come from the v3_req section of the
# openssl.cnf given here, so subjectAltName must be enabled in that section for a SAN to appear
openssl x509 -CA mongoCA.crt -CAkey mongoCA.key -CAcreateserial -req -days 395 -in "$HOST_NAME.csr" -out "$HOST_NAME.crt" -extensions v3_req -extfile openssl.cnf
# Concatenate the key and certificate into a PEM file
cat "$HOST_NAME.key" "$HOST_NAME.crt" > "$HOST_NAME.pem"
# Clean up temporary files
rm "$HOST_NAME.key" "$HOST_NAME.crt" "$HOST_NAME.csr"
And
[alexlai@orpi5Arch x.509]$ ./genCertificate.sh hc4MnMin.yushei.net
[alexlai@orpi5Arch x.509]$ ls
genCertificate.sh h2Jammy.yushei.net.pem hc4MnMajaro.yushei.net.pem mongoCA.crt mongoCA.srl orgpi5Arch.yushei.net.pem
genCertificate.sh.ori hc4Jammy.yushei.net.pem hc4MnMin.yushei.net.pem mongoCA.key openssl.cnf orgpi5Jammy.yushei.net.pem
$ mongosh mongodb://localhost:27999
Current Mongosh Log ID: 64c9b2ef9f247a0e8c044a5c
Connecting to: mongodb://localhost:27999/?directConnection=true&serverSelectionTimeoutMS=2000&appName=mongosh+1.10.1
Using MongoDB: 7.0.0-rc8
Using Mongosh: 1.10.1
For mongosh info see: https://docs.mongodb.com/mongodb-shell/
------
The server generated these startup warnings when booting
2023-08-02T09:27:00.875+08:00: Server certificate has no compatible Subject Alternative Name. This may prevent TLS clients from connecting
2023-08-02T09:27:03.390+08:00: Access control is not enabled for the database. Read and write access to data and configuration is unrestricted
2023-08-02T09:27:03.391+08:00: vm.max_map_count is too low
------
test>
The mongoCA.key was generated by $ openssl genrsa -out mongoCA.key -aes256 8192, and mongoCA.crt was generated by openssl req -x509 -new -extensions v3_ca -key mongoCA.key -days 395 -out mongoCA.crt.
How to solve "Server certificate has no compatible Subject Alternative Name"?
mongosh --tls --tlsCertificateKeyFile /opt/xfs/mongodb/x.509/hc4MnMin.yushei.net.pem \
  --tlsCAFile /opt/xfs/mongodb/x.509/mongoCA.crt \
  --authenticationDatabase '$external' \
  --authenticationMechanism MONGODB-X509 \
  mongodb://localhost:27999
My mongodb-27999.conf has
net:
  port: 27999
  bindIp: 0.0.0.0 # Enter 0.0.0.0,:: to bind to all IPv4 and IPv6 addresses or, alternatively, use the net.bindIpAll setting.
  tls:
    mode: requireTLS
    certificateKeyFile: /opt/xfs/mongodb/x.509/hc4MnMin.yushei.net.pem
    CAFile: /opt/xfs/mongodb/x.509/mongoCA.crt
mongod started OK, but
[alexlai@hc4MnMin x.509]$ mongosh --tls --tlsCertificateKeyFile /opt/xfs/mongodb/x.509/hc4MnMin.yushei.net.pem \
--tlsCAFile /opt/xfs/mongodb/x.509/mongoCA.crt \
--authenticationDatabase '$external' \
--authenticationMechanism MONGODB-X509 \
mongodb://hc4MnMin.yushei.net:27999
Current Mongosh Log ID: 64c9bf6bd0f77fcecb9eee4e
Connecting to: mongodb://hc4MnMin.yushei.net:27999/?directConnection=true&tls=true&tlsCertificateKeyFile=%2Fopt%2Fxfs%2Fmongodb%2Fx.509%2Fhc4MnMin.yushei.net.pem&tlsCAFile=%2Fopt%2Fxfs%2Fmongodb%2Fx.509%2FmongoCA.crt&appName=mongosh+1.10.1
Using MongoDB: 7.0.0-rc8
Using Mongosh: 1.10.1
For mongosh info see: https://docs.mongodb.com/mongodb-shell/
------
The server generated these startup warnings when booting
2023-08-02T10:19:15.676+08:00: Server certificate has no compatible Subject Alternative Name. This may prevent TLS clients from connecting
2023-08-02T10:19:18.144+08:00: Access control is not enabled for the database. Read and write access to data and configuration is unrestricted
2023-08-02T10:19:18.144+08:00: vm.max_map_count is too low
------
test>
[alexlai@orpi5Arch x.509]$ openssl x509 -text -noout -in hc4MnMin.yushei.net.crt
Certificate:
Data:
Version: 1 (0x0)
Serial Number:
50:af:6d:e4:d7:38:46:72:0e:fe:c3:0c:b8:06:38:03:98:aa:00:9c
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = TW, ST = Taiwan, L = Taichnug, O = "YuShei Ltd.,", OU = Computer Department, CN = orgpi5Arch.yushei.net, emailAddress = alexlai@munetaka.me
Validity
Not Before: Aug 2 02:49:53 2023 GMT
Not After : Aug 31 02:49:53 2024 GMT
Subject: C = Tw, ST = Taiwan, L = Taichung, O = yushei.net, OU = ComputerDepartment, CN = hc4MnMin.yushei.net
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
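Added example, not the page's genCertificate.sh: the same CA-plus-host-certificate procedure, but with the SAN supplied per host at signing time through a small extension file, so openssl.cnf needs no alt_names edits, followed by the checks worth running before the PEM is copied into /opt/xfs/mongodb/x.509 (Steps 2 and 3): the SAN is really present (the dump above shows "Version: 1", a certificate with no extensions at all, which is why mongod warns), the chain verifies against mongoCA.crt, the name check accepts only this host, the key and certificate in the PEM belong together, and the file is not world-readable (the listing in Step 3 shows 0644). Assumptions: OpenSSL 1.1.1 or newer, an unencrypted CA key to keep the run non-interactive (the page's is AES-256 encrypted), a throw-away working directory, and the host name and address from Step 1.

```shell
#!/usr/bin/env bash
# Added example: issue a per-host MongoDB certificate with a proper SAN and check it.
# Not the page's genCertificate.sh. Assumes OpenSSL >= 1.1.1 and a throw-away directory.
set -eu
umask 077   # every key file and the key+cert bundle come out 0600

WORK="${WORK:-$(mktemp -d)}"
DN="/C=TW/ST=Taiwan/L=Taichung/O=yushei.net/OU=ComputerDepartment"   # replica-set members must share O/OU

# Self-signed CA. No -aes256 here purely so the example runs without a passphrase prompt.
make_ca() {
  openssl req -x509 -new -nodes -newkey rsa:2048 -sha256 -days 395 \
    -subj "$DN/CN=mongoCA" -keyout "$WORK/mongoCA.key" -out "$WORK/mongoCA.crt" 2>/dev/null
}

# gen_host_cert FQDN [IP]: CSR, then signing with an extension file written for this host only.
# The SAN is given at signing time because 'openssl x509 -req' does not copy CSR extensions.
gen_host_cert() {
  host="$1"; san="DNS:$1"
  [ -n "${2:-}" ] && san="$san,IP:$2"
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth,clientAuth\nsubjectAltName=%s\n' \
    "$san" > "$WORK/$host.ext"
  openssl req -new -nodes -newkey rsa:2048 -sha256 -subj "$DN/CN=$host" \
    -keyout "$WORK/$host.key" -out "$WORK/$host.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 395 -in "$WORK/$host.csr" \
    -CA "$WORK/mongoCA.crt" -CAkey "$WORK/mongoCA.key" -CAcreateserial \
    -extfile "$WORK/$host.ext" -out "$WORK/$host.crt" 2>/dev/null
  cat "$WORK/$host.key" "$WORK/$host.crt" > "$WORK/$host.pem"   # layout mongod's certificateKeyFile expects
}

# san_of CERT: the SAN line, empty when the certificate carries none (e.g. a Version 1 certificate)
san_of() { openssl x509 -in "$1" -noout -text | sed -n '/Subject Alternative Name/{n;s/^ *//;p;}'; }

# verify_chain CERT: succeeds iff CERT chains to mongoCA.crt
verify_chain() { openssl verify -CAfile "$WORK/mongoCA.crt" "$1" >/dev/null 2>&1; }

# hostname_ok CERT NAME: succeeds iff a TLS client connecting to NAME would accept CERT
hostname_ok() { openssl verify -CAfile "$WORK/mongoCA.crt" -verify_hostname "$2" "$1" >/dev/null 2>&1; }

# key_matches PEM: succeeds iff the private key and the certificate in PEM belong together
key_matches() {
  [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = "$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)" ]
}

# mode_ok FILE: succeeds iff FILE is readable and writable by its owner only (0600)
mode_ok() { [ "$(ls -l "$1" | cut -c1-10)" = "-rw-------" ]; }

main() {
  make_ca
  gen_host_cert hc4MnMin.yushei.net 192.168.48.239
  cert="$WORK/hc4MnMin.yushei.net.crt"; pem="$WORK/hc4MnMin.yushei.net.pem"
  echo "SAN: $(san_of "$cert")"
  verify_chain "$cert" && echo "chain: ok"
  hostname_ok "$cert" hc4MnMin.yushei.net && echo "name hc4MnMin.yushei.net: ok"
  hostname_ok "$cert" orgpi5Arch.yushei.net || echo "name orgpi5Arch.yushei.net: rejected, not in this host's SAN"
  key_matches "$pem" && echo "key/cert pair: ok"
  mode_ok "$pem" && echo "mode 0600: ok"
  echo "files left in $WORK"
}
main
```

Run it once per member with that member's own FQDN and address; the resulting <host>.pem goes to /opt/xfs/mongodb/x.509 on that host, owned by mongodb and kept at 0600, and mongoCA.crt goes to every host. The hostname check is the same name comparison a MongoDB driver or mongosh performs against the SAN, which is why a certificate that passes the chain check can still be rejected by clients.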