
How do I correctly configure MongoDB to use Letsencrypt SSL on Ubuntu?

I have created an SSL certificate using Letsencrypt and combined it via:

cat /etc/letsencrypt/live/example.com/fullchain.pem /etc/letsencrypt/live/example.com/privkey.pem > /etc/ssl/mongo.pem

And set up the mongo config like:

net:
  port: 27017
  bindIp: 0.0.0.0
  ssl:
    mode: requireSSL
    PEMKeyFile: /etc/ssl/mongo.pem

But I get this error when trying to start Mongo:

No SSL certificate validation can be performed since no CA file has been provided; please specify an sslCAFile parameter

How do I correctly set the CAFile? Doesn't Ubuntu typically use a "CA Path" with a bunch of different root certs in their own files? I tried using the CURL CA bundle but that didn't work either.

I'm using Mongo v3.0.12 and Ubuntu 14.04.

Petah
    I would first try doing what the error message suggests. – Michael Hampton Sep 28 '16 at 22:55
  • @MichaelHampton But where/what CA File am I supposed to use? Doesn't Ubuntu typically use a "CA Path" with a bunch of different root certs in their own files? I tried using the CURL CA bundle but that didn't work either. – Petah Sep 29 '16 at 00:19

2 Answers


You combined the wrong pem files. You need to combine privkey.pem with cert.pem.

cat /etc/letsencrypt/live/example.com/privkey.pem /etc/letsencrypt/live/example.com/cert.pem > /etc/ssl/mongo.pem

For the CAFile you need to download IdenTrust DST Root CA X3 from https://www.identrust.com/certificates/trustid/root-download-x3.html

sudo touch /etc/ssl/ca.crt
sudo chmod 777 /etc/ssl/ca.crt

Paste in the certificate from the website, add the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines, and make sure the file ends with a newline when you save it:

sudo vi /etc/ssl/ca.crt

Then convert the crt file to a pem using:

sudo touch /etc/ssl/ca.pem
sudo chmod 777 /etc/ssl/ca.pem
sudo openssl x509 -in /etc/ssl/ca.crt -out /etc/ssl/ca.pem -outform PEM

And combine it with chain.pem from Let's Encrypt into a single file, ca.pem:

sudo cat /etc/letsencrypt/live/example.com/chain.pem >> /etc/ssl/ca.pem

To set the CAFile follow this mongo configuration setup:

net:
  port: 27017
  bindIp: 0.0.0.0
  ssl:
    mode: requireSSL
    PEMKeyFile: /etc/ssl/mongo.pem
    CAFile: /etc/ssl/ca.pem

Restart MongoDB:

sudo systemctl restart mongod
sudo systemctl status mongod

Don't forget that when you renew the Let's Encrypt certificates, you also need to renew mongo.pem and ca.pem.

Herman Fransen
    Awesome answer! I can't thank you enough. Why did you use a CAFile from Identrust instead of Let's Encrypt (https://letsencrypt.org/certificates)? – Rodrigo Pinto Jan 10 '18 at 05:10
  • @RodrigoPedroso - Good question, don't know. – Herman Fransen Jan 12 '18 at 11:47
  • Because Let's Encrypt was quite new at that time, they were using IdenTrust to cross-sign their certificates. You can download it directly from https://letsencrypt.org/certs/trustid-x3-root.pem.txt. Now Let's Encrypt is widely trusted. – devansvd Nov 05 '19 at 10:30
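The renewal caveat at the end of this answer is the part that bites later: once the Let's Encrypt files rotate, mongo.pem and ca.pem still hold the old certificate until somebody rebuilds them. The script below is an added example, not part of the answer, that does the rebuild the way the answer describes (privkey.pem followed by cert.pem for mongo.pem, chain.pem for ca.pem) and is meant to run as a certbot `--deploy-hook`. It writes the files with mode 0600 from the first byte instead of chmod 777, guarantees every PEM block ends with a newline so two blocks never run together, checks that the key file has exactly one private key and at least one certificate before mongod is restarted, and hands the files to the mongodb user when one exists. The live directory, output directory, script name and the `mongodb` system user are assumptions; adjust them to your layout.

```shell
#!/bin/sh
# Added example: rebuild MongoDB's PEM files after a Let's Encrypt renewal.
# Intended as a certbot deploy hook, e.g.
#   certbot renew --deploy-hook /usr/local/sbin/mongo-certs.sh
# All paths and the "mongodb" user are assumptions; adjust to your host.
set -eu

LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live/example.com}"   # assumed certbot live dir
OUT_DIR="${OUT_DIR:-/etc/ssl}"                               # assumed output dir

# write_private OUT FILE...: concatenate the input files into OUT with mode
# 0600 from the moment it is created (no world-readable window). `awk 1`
# re-emits every line with a newline, so a file that lacks a trailing newline
# cannot glue its END line onto the next file's BEGIN line.
write_private() {
    out=$1; shift
    ( umask 077; awk 1 "$@" > "$out" )
    chmod 600 "$out"
}

# mongo.pem = private key followed by the leaf certificate, as in the answer.
build_mongo_pem() {   # $1 = live dir, $2 = output path
    write_private "$2" "$1/privkey.pem" "$1/cert.pem"
}

# ca.pem = the issuing chain certbot ships as chain.pem.
build_ca_pem() {      # $1 = live dir, $2 = output path
    write_private "$2" "$1/chain.pem"
}

# Sanity-check the key file layout before touching the service: exactly one
# PRIVATE KEY block (PKCS#8 or "RSA PRIVATE KEY") and at least one CERTIFICATE.
check_mongo_pem() {   # $1 = path; exit 0 when the layout is right
    keys=$(grep -c 'BEGIN .*PRIVATE KEY' "$1" || true)
    certs=$(grep -c 'BEGIN CERTIFICATE' "$1" || true)
    [ "$keys" -eq 1 ] && [ "$certs" -ge 1 ]
}

# Give the files to the mongodb user, but only when running as root on a host
# that actually has that account (assumed account name).
own_for_mongod() {    # $@ = files
    if [ "$(id -u)" = 0 ] && id mongodb >/dev/null 2>&1; then
        chown mongodb:mongodb "$@"
    fi
}

main() {
    build_mongo_pem "$LIVE_DIR" "$OUT_DIR/mongo.pem"
    build_ca_pem "$LIVE_DIR" "$OUT_DIR/ca.pem"
    check_mongo_pem "$OUT_DIR/mongo.pem"
    own_for_mongod "$OUT_DIR/mongo.pem" "$OUT_DIR/ca.pem"
    # `service` works under both upstart (Ubuntu 14.04) and systemd.
    service mongod restart
}

# Run only when executed under the assumed script name, so the functions can
# also be sourced and exercised on their own.
if [ "$(basename "$0")" = "mongo-certs.sh" ]; then
    main
fi
```

Because the hook runs after every successful renewal, the permission and layout checks happen before mongod is restarted, and a malformed bundle leaves the old files in place rather than taking the server down with it.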

The CA file you need can be obtained from Letsencrypt, look for one of the intermediate certificates here:

https://letsencrypt.org/certificates/

Then, specify the path to that certificate with the SSL CAFile option.

Adam C