According to "Validate Only if a Client Presents a Certificate" in the MongoDB docs, I run a MongoDB container with the following mongod.conf configuration file:
net:
  tls:
    mode: requireTLS
    certificateKeyFile: /etc/ssl/server.pem
    CAFile: /etc/ssl/ca.pem
    allowConnectionsWithoutCertificates: true
Here is the command that I used to run MongoDB:
docker run -d \
  --name mongodb \
  -e MONGO_INITDB_ROOT_USERNAME=root \
  -e MONGO_INITDB_ROOT_PASSWORD=rootpassword \
  -v /path/to/the/mongod.conf:/etc/mongod.conf \
  -v /path/to/the/server.pem:/etc/ssl/server.pem \
  -v /path/to/the/ca.pem:/etc/ssl/ca.pem \
  -v /path/to/the/client.pem:/etc/ssl/client.pem \
  -p 27017:27017 \
  mongo:4.4.26 --config /etc/mongod.conf
Then I tried to connect to MongoDB with the MONGO_INITDB_ROOT username and password, but it shows an error with the following message:
root@2b95c9e5d8a8:/# mongo admin -u root -p rootpassword
MongoDB shell version v4.4.26
connecting to: mongodb://127.0.0.1:27017/admin?compressors=disabled&gssapiServiceName=mongodb
Error: network error while attempting to run command 'isMaster' on host '127.0.0.1:27017' :
connect@src/mongo/shell/mongo.js:374:17
@(connect):2:6
exception: connect failed
exiting with code 1
From docker log:
{"t":{"$date":"2023-12-28T11:23:29.777+00:00"},"s":"I", "c":"NETWORK", "id":22988, "ctx":"conn1","msg":"Error receiving request from client. Ending connection from remote","attr":{"error":{"code":141,"codeName":"SSLHandshakeFailed","errmsg":"The server is configured to only allow SSL connections"},"remote":"127.0.0.1:39754","connectionId":1}}
So it needs TLS-based authentication. But according to the MongoDB docs:
A mongod / mongos running with these settings allows connection from:
- Clients that do not present a certificate.
- Clients that present a valid certificate.
All connections, including those that have not presented certificates, are encrypted using TLS/SSL.
So as I set allowConnectionsWithoutCertificates to true, it should let me connect and also encrypt with TLS. Is it working properly? Or am I missing something?
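The log entry above (code 141, "The server is configured to only allow SSL connections") is what mongod writes when a client sends non-TLS bytes to a requireTLS listener; allowConnectionsWithoutCertificates only waives the client certificate, not TLS itself. The following is an added example, not part of the original post: a small triage script that separates such plaintext attempts from other handshake failures. The function names and every sample line except the first are constructed for illustration.

```python
import json
from collections import Counter

# errmsg copied from the log line in the post: the client did not start a TLS handshake.
PLAINTEXT_MSG = "The server is configured to only allow SSL connections"

# Constructed sample. Line 1 is the entry from the post; the others are made up.
SAMPLE_LOG = r'''
{"t":{"$date":"2023-12-28T11:23:29.777+00:00"},"s":"I", "c":"NETWORK", "id":22988, "ctx":"conn1","msg":"Error receiving request from client. Ending connection from remote","attr":{"error":{"code":141,"codeName":"SSLHandshakeFailed","errmsg":"The server is configured to only allow SSL connections"},"remote":"127.0.0.1:39754","connectionId":1}}
{"t":{"$date":"2023-12-28T11:24:02.101+00:00"},"s":"I", "c":"NETWORK", "id":22988, "ctx":"conn2","msg":"Error receiving request from client. Ending connection from remote","attr":{"error":{"code":141,"codeName":"SSLHandshakeFailed","errmsg":"The server is configured to only allow SSL connections"},"remote":"127.0.0.1:39760","connectionId":2}}
{"t":{"$date":"2023-12-28T11:25:10.000+00:00"},"s":"I", "c":"NETWORK", "id":22988, "ctx":"conn3","msg":"Error receiving request from client. Ending connection from remote","attr":{"error":{"code":141,"codeName":"SSLHandshakeFailed","errmsg":"constructed: some other handshake error"},"remote":"10.0.0.5:51000","connectionId":3}}
{"t":{"$date":"2023-12-28T11:26:00.000+00:00"},"s":"I", "c":"NETWORK", "id":0, "ctx":"listener","msg":"constructed: unrelated entry","attr":{"remote":"10.0.0.6:51001"}}
this line is not JSON (for example, container entrypoint output)
'''


def handshake_failures(lines):
    """Yield (remote_ip, kind, errmsg) for every SSLHandshakeFailed NETWORK entry."""
    for line in lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank or non-JSON lines mixed into `docker logs` output
        if not isinstance(entry, dict) or entry.get("c") != "NETWORK":
            continue
        attr = entry.get("attr") if isinstance(entry.get("attr"), dict) else {}
        err = attr.get("error") if isinstance(attr.get("error"), dict) else {}
        if err.get("codeName") != "SSLHandshakeFailed":
            continue
        # "remote" is host:port; keep the host so repeated attempts group together.
        ip = str(attr.get("remote", "?")).rsplit(":", 1)[0]
        msg = err.get("errmsg", "")
        kind = "plaintext-client" if msg == PLAINTEXT_MSG else "tls-error"
        yield ip, kind, msg


def summarize(lines):
    """Count handshake failures per (remote_ip, kind)."""
    return Counter((ip, kind) for ip, kind, _ in handshake_failures(lines))


if __name__ == "__main__":
    for (ip, kind), n in sorted(summarize(SAMPLE_LOG.splitlines()).items()):
        print(f"{ip:15} {kind:17} {n}")
```

A "plaintext-client" row means the client has to enable TLS on its side; with this server configuration it may still omit a client certificate.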