§2023-08-02
[alexlai@orpi5Arch x.509]$ mongosh --tls --tlsCertificateKeyFile /opt/xfs/mongodb/x.509/orgpi5arch.yushei.net.pem --tlsCAFile /opt/xfs/mongodb/x.509/mongoCA.crt mongodb://orgpi5arch.yushei.net:27999
Current Mongosh Log ID: 64c9fb90c803f5b8f64b79d5
Connecting to: mongodb://orgpi5arch.yushei.net:27999/?directConnection=true&tls=true&tlsCertificateKeyFile=%2Fopt%2Fxfs%2Fmongodb%2Fx.509%2Forgpi5arch.yushei.net.pem&tlsCAFile=%2Fopt%2Fxfs%2Fmongodb%2Fx.509%2FmongoCA.crt&appName=mongosh+1.10.1
Using MongoDB: 7.0.0-rc8
Using Mongosh: 1.10.1
For mongosh info see: https://docs.mongodb.com/mongodb-shell/
------
The server generated these startup warnings when booting
2023-08-02T14:36:58.133+08:00: Server certificate has no compatible Subject Alternative Name. This may prevent TLS clients from connecting
2023-08-02T14:36:59.034+08:00: Access control is not enabled for the database. Read and write access to data and configuration is unrestricted
------
test> use admin
switched to db admin
admin> db.createUser( {
... user: "siteRootAdmin",
... pwd: "b23258585",
... roles: [ { role: "root", db: "admin" } ]
... });
MongoServerError: not primary
admin> rs.status()
MongoServerError: no replset config has been received
admin> rs.conf()
MongoServerError: no replset config has been received
admin> rs.initiate( {
... _id : "MuneTakaHome",
... members: [
... { _id: 0, host: "orgpi5arch.yushei.net:27999" }
... ]
... })
{ ok: 1 }
MuneTakaHome [direct: other] admin> db.createUser.createUser( {
... user: "siteRootAdmin",
... pwd: "b23258585",
... roles: [ { role: "root", db: "admin" } ]
... });
TypeError: db.createUser.createUser is not a function
MuneTakaHome [direct: primary] admin> db.createUser.createUser( {
... user: "siteRootAdmin",
... pwd: "b23258585",
... roles: [ { role: "root", db: "admin" } ]
... });
TypeError: db.createUser.createUser is not a function
MuneTakaHome [direct: primary] admin> rs.initiate({ _id: "MuneTakaHome", members: [ { _id: 0, host: "orgpi5arch.yushei.net:27999" }] })
MuneTakaHome [direct: primary] admin> db.createUser( {
... user: "siteRootAdmin",
... pwd: "b23258585",
... roles: [ { role: "root", db: "admin" } ]
... });
{
ok: 1,
'$clusterTime': {
clusterTime: Timestamp({ t: 1690959468, i: 4 }),
signature: {
hash: Binary(Buffer.from("0000000000000000000000000000000000000000", "hex"), 0),
keyId: Long("0")
}
},
operationTime: Timestamp({ t: 1690959468, i: 4 })
}
rs.add( { host: "hc4MnMin.yushei.net:27999" } )
MuneTakaHome [direct: primary] admin> rs.conf()
{
_id: 'MuneTakaHome',
version: 2,
term: 1,
members: [
{
_id: 0,
host: 'orgpi5arch.yushei.net:27999',
arbiterOnly: false,
buildIndexes: true,
hidden: false,
priority: 1,
tags: {},
secondaryDelaySecs: Long("0"),
votes: 1
},
{
_id: 1,
host: 'hc4MnMin.yushei.net:27999',
arbiterOnly: false,
buildIndexes: true,
hidden: false,
priority: 1,
tags: {},
secondaryDelaySecs: Long("0"),
votes: 1
}
],
protocolVersion: Long("1"),
writeConcernMajorityJournalDefault: true,
settings: {
chainingAllowed: true,
heartbeatIntervalMillis: 2000,
heartbeatTimeoutSecs: 10,
electionTimeoutMillis: 10000,
catchUpTimeoutMillis: -1,
catchUpTakeoverDelayMillis: 30000,
getLastErrorModes: {},
getLastErrorDefaults: { w: 1, wtimeout: 0 },
replicaSetId: ObjectId("64c9fe0741b0252f589c2413")
}
}
rs.add( { host: "hc4Jammy.yushei.net:27999" } )
MuneTakaHome [direct: primary] admin> rs.add( { host: "hc4Jammy.yushei.net:27999" } )
{
ok: 1,
'$clusterTime': {
clusterTime: Timestamp({ t: 1690965188, i: 1 }),
signature: {
hash: Binary(Buffer.from("0000000000000000000000000000000000000000", "hex"), 0),
keyId: Long("0")
}
},
operationTime: Timestamp({ t: 1690965188, i: 1 })
}
MuneTakaHome [direct: primary] admin> rs.conf()
{
_id: 'MuneTakaHome',
version: 3,
term: 1,
members: [
{
_id: 0,
host: 'orgpi5arch.yushei.net:27999',
arbiterOnly: false,
buildIndexes: true,
hidden: false,
priority: 1,
tags: {},
secondaryDelaySecs: Long("0"),
votes: 1
},
{
_id: 1,
host: 'hc4MnMin.yushei.net:27999',
arbiterOnly: false,
buildIndexes: true,
hidden: false,
priority: 1,
tags: {},
secondaryDelaySecs: Long("0"),
votes: 1
},
{
_id: 2,
host: 'hc4Jammy.yushei.net:27999',
arbiterOnly: false,
buildIndexes: true,
hidden: false,
priority: 1,
tags: {},
secondaryDelaySecs: Long("0"),
votes: 1
}
],
protocolVersion: Long("1"),
writeConcernMajorityJournalDefault: true,
settings: {
chainingAllowed: true,
heartbeatIntervalMillis: 2000,
heartbeatTimeoutSecs: 10,
electionTimeoutMillis: 10000,
catchUpTimeoutMillis: -1,
catchUpTakeoverDelayMillis: 30000,
getLastErrorModes: {},
getLastErrorDefaults: { w: 1, wtimeout: 0 },
replicaSetId: ObjectId("64c9fe0741b0252f589c2413")
}
}
MuneTakaHome [direct: primary] admin>
mongodb://username@hostname:port/?ssl=true&ssl_cert_reqs=required&ssl_ca_certs=/path/to/ca.crt&ssl_certfile=/path/to/client.crt&ssl_keyfile=/path/to/client.key
mongodb://hc4Jammy.yushei.net:27999/?ssl=true&ssl_cert_reqs=required&ssl_ca_certs=/opt/xfs/mongodb/x.509/mongoCA.crt&ssl_certfile=/path/to/client.crt&ssl_keyfile=/path/to/client.key
"mongodb://orgPi5Arch.yushei.net:27999,hc4MnMin.yushei.net:27999,hc4Jammy.yushei.net:27999/?replicaSet=MuneTakaHome&tls=true"
I have rs.conf() and I self-signed all the x.509 certificates, so a client only trusts them when it is given the CA file (tlsCAFile) as well
MuneTakaHome [direct: primary] admin> rs.conf()
{
_id: 'MuneTakaHome',
version: 4,
term: 1,
members: [
{
_id: 0,
host: 'orgpi5arch.yushei.net:27999',
arbiterOnly: false,
buildIndexes: true,
hidden: false,
priority: 1,
tags: {},
secondaryDelaySecs: Long("0"),
votes: 1
},
{
_id: 1,
host: 'hc4MnMin.yushei.net:27999',
arbiterOnly: false,
buildIndexes: true,
hidden: false,
priority: 1,
tags: {},
secondaryDelaySecs: Long("0"),
votes: 1
},
{
_id: 2,
host: 'hc4Jammy.yushei.net:27999',
arbiterOnly: false,
buildIndexes: true,
hidden: false,
priority: 1,
tags: {},
secondaryDelaySecs: Long("0"),
votes: 1
}
],
protocolVersion: Long("1"),
writeConcernMajorityJournalDefault: true,
settings: {
chainingAllowed: true,
heartbeatIntervalMillis: 2000,
heartbeatTimeoutSecs: 10,
electionTimeoutMillis: 10000,
catchUpTimeoutMillis: -1,
catchUpTakeoverDelayMillis: 30000,
getLastErrorModes: {},
getLastErrorDefaults: { w: 1, wtimeout: 0 },
replicaSetId: ObjectId("64c9fe0741b0252f589c2413")
}
}
and mongod is running with TLS turned on as
net:
port: 27999
bindIp: 0.0.0.0 # Enter 0.0.0.0,:: to bind to all IPv4 and IPv6 addresses or, alternatively, use the net.bindIpAll setting.
tls:
mode: requireTLS
certificateKeyFile: /opt/xfs/mongodb/x.509/hc4jammy.yushei.net.pem
CAFile: /opt/xfs/mongodb/x.509/mongoCA.crt
[alexlai@hc4MnMin src]$ mongosh "mongodb://orgPi5Arch.yushei.net:27999,hc4MnMin.yushei.net:27999,hc4Jammy.yushei.net:27999/?replicaSet=MuneTakaHome&tls=true"
Current Mongosh Log ID: 64ca19ace4736b474852b689
Connecting to: mongodb://orgPi5Arch.yushei.net:27999,hc4MnMin.yushei.net:27999,hc4Jammy.yushei.net:27999/?replicaSet=MuneTakaHome&tls=true&appName=mongosh+1.10.1
MongoServerSelectionError: self signed certificate in certificate chain
alexlai@hc4Jammy:~/x.509$ mongosh --host hc4Jammy.yushei.net --port 27999 --tls --tlsCertificateKeyFile /opt/xfs/mongodb/x.509/hc4jammy.yushei.net.pem --tlsCAFile /opt/xfs/mongodb/x.509/mongoCA.crt
Current Mongosh Log ID: 64ca1ef0a726b8777d7cbaf8
Connecting to: mongodb://hc4Jammy.yushei.net:27999/?directConnection=true&tls=true&tlsCertificateKeyFile=%2Fopt%2Fxfs%2Fmongodb%2Fx.509%2Fhc4jammy.yushei.net.pem&tlsCAFile=%2Fopt%2Fxfs%2Fmongodb%2Fx.509%2FmongoCA.crt&appName=mongosh+1.10.1
Using MongoDB: 7.0.0-rc8
Using Mongosh: 1.10.1
For mongosh info see: https://docs.mongodb.com/mongodb-shell/
The server generated these startup warnings when booting
2023-08-02T16:32:24.051+08:00: Server certificate has no compatible Subject Alternative Name. This may prevent TLS clients from connecting
2023-08-02T16:32:25.434+08:00: Access control is not enabled for the database. Read and write access to data and configuration is unrestricted
Hello
MuneTakaHome [direct: secondary] test>
mongodb://hc4Jammy.yushei.net:27999/?tls=true&tlsCertificateKeyFile=/opt/xfs/mongodb/x.509/hc4jammy.yushei.net.pem&tlsCAFile=/opt/xfs/mongodb/x.509/mongoCA.crt
alexlai@hc4Jammy:~/x.509$ mongosh "mongodb://hc4Jammy.yushei.net:27999/?tls=true&tlsCertificateKeyFile=/opt/xfs/mongodb/x.509/hc4jammy.yushei.net.pem&tlsCAFile=/opt/xfs/mongodb/x.509/mongoCA.crt"
Current Mongosh Log ID: 64ca200c343aa8d6f9721c35
Connecting to: mongodb://hc4Jammy.yushei.net:27999/?tls=true&tlsCertificateKeyFile=%2Fopt%2Fxfs%2Fmongodb%2Fx.509%2Fhc4jammy.yushei.net.pem&tlsCAFile=%2Fopt%2Fxfs%2Fmongodb%2Fx.509%2FmongoCA.crt&directConnection=true&appName=mongosh+1.10.1
Using MongoDB: 7.0.0-rc8
Using Mongosh: 1.10.1
For mongosh info see: https://docs.mongodb.com/mongodb-shell/
The server generated these startup warnings when booting
2023-08-02T16:32:24.051+08:00: Server certificate has no compatible Subject Alternative Name. This may prevent TLS clients from connecting
2023-08-02T16:32:25.434+08:00: Access control is not enabled for the database. Read and write access to data and configuration is unrestricted
Hello
MuneTakaHome [direct: secondary] test>
```bash
alexlai@hc4Jammy:~/x.509$ mongosh "mongodb://orgPi5Arch.yushei.net:27999,hc4MnMin.yushei.net:27999,hc4Jammy.yushei.net:27999/?tls=true&tlsCertificateKeyFile=/opt/xfs/mongodb/x.509/hc4jammy.yushei.net.pem&tlsCAFile=/opt/xfs/mongodb/x.509/mongoCA.crt"
Current Mongosh Log ID: 64ca21d4d6c301d090f55a00
Connecting to: mongodb://orgPi5Arch.yushei.net:27999,hc4MnMin.yushei.net:27999,hc4Jammy.yushei.net:27999/?tls=true&tlsCertificateKeyFile=%2Fopt%2Fxfs%2Fmongodb%2Fx.509%2Fhc4jammy.yushei.net.pem&tlsCAFile=%2Fopt%2Fxfs%2Fmongodb%2Fx.509%2FmongoCA.crt&appName=mongosh+1.10.1
Using MongoDB: 7.0.0-rc8
Using Mongosh: 1.10.1
For mongosh info see: https://docs.mongodb.com/mongodb-shell/
------
The server generated these startup warnings when booting
2023-08-02T14:36:58.133+08:00: Server certificate has no compatible Subject Alternative Name. This may prevent TLS clients from connecting
2023-08-02T14:36:59.034+08:00: Access control is not enabled for the database. Read and write access to data and configuration is unrestricted
------
Hello
alexlai@hc4Jammy:/x.509$ mongosh "mongodb://orgPi5Arch.yushei.net:27999,hc4MnMin.yushei.net:27999,hc4Jammy.yushei.net:27999/?replicaSet=MuneTakaHome?tls=true&tlsCertificateKeyFile=/opt/xfs/mongodb/x.509/hc4jammy.yushei.net.pem&tlsCAFile=/opt/xfs/mongodb/x.509/mongoCA.crt"
Current Mongosh Log ID: 64ca226e48da66983a178541
Connecting to: mongodb://orgPi5Arch.yushei.net:27999,hc4MnMin.yushei.net:27999,hc4Jammy.yushei.net:27999/?replicaSet=MuneTakaHome%3Ftls%3Dtrue&tlsCertificateKeyFile=%2Fopt%2Fxfs%2Fmongodb%2Fx.509%2Fhc4jammy.yushei.net.pem&tlsCAFile=%2Fopt%2Fxfs%2Fmongodb%2Fx.509%2FmongoCA.crt&appName=mongosh+1.10.1
MongoServerSelectionError: connection
(The URI above joins the options with a second `?` instead of `&`; mongosh percent-encodes it into the replica set name, as `replicaSet=MuneTakaHome%3Ftls%3Dtrue` in the "Connecting to" line shows, so the set is never found. The retry below uses `&`.)
/x.509$ mongosh "mongodb://orgPi5Arch.yushei.net:27999,hc4MnMin.yushei.net:27999,hc4Jammy.yushei.net:27999/?replicaSet=MuneTakaHome&tls=true&tlsCertificateKeyFile=/opt/xfs/mongodb/x.509/hc4jammy.yushei.net.pem&tlsCAFile=/opt/xfs/mongodb/x.509/mongoCA.crt"
Current Mongosh Log ID: 64ca22b483d4298643377629
Connecting to: mongodb://orgPi5Arch.yushei.net:27999,hc4MnMin.yushei.net:27999,hc4Jammy.yushei.net:27999/?replicaSet=MuneTakaHome&tls=true&tlsCertificateKeyFile=%2Fopt%2Fxfs%2Fmongodb%2Fx.509%2Fhc4jammy.yushei.net.pem&tlsCAFile=%2Fopt%2Fxfs%2Fmongodb%2Fx.509%2FmongoCA.crt&appName=mongosh+1.10.1
Using MongoDB: 7.0.0-rc8
Using Mongosh: 1.10.1
For mongosh info see: https://docs.mongodb.com/mongodb-shell/
The server generated these startup warnings when booting
2023-08-02T14:36:58.133+08:00: Server certificate has no compatible Subject Alternative Name. This may prevent TLS clients from connecting
2023-08-02T14:36:59.034+08:00: Access control is not enabled for the database. Read and write access to data and configuration is unrestricted
Hello
MuneTakaHome [primary] test>
MuneTakaHome [primary] test>
```