
feat: add two tsl/ssl certificate-related options and adapted lib/db.js #574

Open
wants to merge 1 commit into
base: master

Conversation

jotelha

@jotelha jotelha commented May 14, 2020


This is more of a note or question than a true pull request. I don't understand much about encryption and nodejs, but I could not get the current mongo-express docker container (0.54) to connect to the latest official mongo container (4.2.6) with an SSL/TLS setup

net:
  tls:
    mode: requireTLS
    certificateKeyFile: /run/secrets/tls_key_and_cert.pem
    CAFile: /run/secrets/tls_CA.pem

and self-signed certificates for testing purposes generated according to https://medium.com/@rajanmaharjan/secure-your-mongodb-connections-ssl-tls-92e2addb3c89 with

# CA: private key and self-signed root certificate
openssl genrsa -out rootCA.key 2048
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.pem
# server key and CSR; at the prompts, give the host name mongo-express connects to
# (the compose service name mongodb) as CN, or put it in a subjectAltName,
# otherwise certificate validation fails on a name mismatch
openssl genrsa -out mongodb.key 2048
openssl req -new -key mongodb.key -out mongodb.csr
# sign the server CSR with the CA
openssl x509 -req -in mongodb.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out mongodb.crt -days 500 -sha256
# mongod's certificateKeyFile expects key and certificate in one PEM file
cat mongodb.key mongodb.crt > mongodb.pem

without the code modifications demonstrated here. Otherwise, no SSL connection to the db server is established, probably due to some data type incompatibilities in passing strings and objects to mongodb.MongoClient within lib/db.js, where boolean values and Buffers are expected (?).

Now, I have this setup working with this docker-compose.yml content:

version: '3.8'

services:
  mongodb:
    image: local_mongo
    restart: always
    build:
        context: ./compose/local/mongodb
        dockerfile: Dockerfile
    container_name: mongodb
    cap_add:
      - SYS_ADMIN
      - DAC_READ_SEARCH
    privileged: True
    expose:
      - 27017
    environment:
      MONGO_INITDB_ROOT_USERNAME_FILE: /run/secrets/mongo_root_username
      MONGO_INITDB_ROOT_PASSWORD_FILE: /run/secrets/mongo_root_password
    secrets:
      - smbcredentials
      - mongo_root_username
      - mongo_root_password
      - tls_key_and_cert.pem
      - tls_CA.pem
    command: --config /etc/mongod.conf

  mongo-express:
    image: mongo-express:latest
    restart: always
    ports:
      - 8081:8081
    depends_on:
      - mongodb
    environment:
      ME_CONFIG_MONGODB_SERVER: mongodb
      ME_CONFIG_MONGODB_SSL: "true"
      ME_CONFIG_MONGODB_SSLVALIDATE: "false"
      ME_CONFIG_MONGODB_SSL_CERT_FILE: /run/secrets/tls_cert.pem
      ME_CONFIG_MONGODB_SSL_KEY_FILE: /run/secrets/tls_key.pem
      ME_CONFIG_SITE_SSL_ENABLED: "true"
      ME_CONFIG_SITE_SSL_KEY_PATH: /run/secrets/tls_key.pem
      ME_CONFIG_SITE_SSL_CRT_PATH: /run/secrets/tls_cert.pem
      ME_CONFIG_MONGODB_ADMINUSERNAME_FILE: /run/secrets/mongo_root_username
      ME_CONFIG_MONGODB_ADMINPASSWORD_FILE: /run/secrets/mongo_root_password
    secrets:
      - mongo_root_username
      - mongo_root_password
      - tls_key.pem
      - tls_cert.pem

secrets:
  smbcredentials: 
    file: ./secrets/smbcredentials
  mongo_root_username: 
    file: ./secrets/mongo_root_username
  mongo_root_password: 
    file: ./secrets/mongo_root_password  
  tls_key.pem:
    file: ./keys/mongodb.key
  tls_cert.pem:
    file: ./keys/mongodb.crt
  tls_key_and_cert.pem: 
    file: ./keys/mongodb.pem
  tls_CA.pem: 
    file: ./keys/rootCA.pem

(note: the local_mongo image is just a thin modification to the official mongo image that mounts an smb share, nothing to do with the issue discussed here)

Where would those described type incompatibilities arise? Did I do something wrong, and would there be any better practice that avoids my modifications?

References:
https://stackoverflow.com/questions/24381561/connecting-to-mongodb-over-ssl-with-node-js
https://stackoverflow.com/questions/28106940/mongodb-and-nodejs-ssl-secure-connection

@Fabio-cyber751

Before seeing this pull request, I asked this question on Stack Overflow. I guess this request would solve my question.

@shakaran
Collaborator

@jotelha could you rebase and resolve the conflicts for this pull request so we can merge it? Thanks

@BlackthornYugen
Member

Double check that these options are still correct. The latest mongodb driver no longer wants an array of certificates but a single PEM file. See related change: #815

@shakaran shakaran added this to the Mongo Express 1.1 milestone Sep 9, 2022
@rtritto rtritto changed the title Added two tsl/ssl certificate-related options and adapted lib/db.js feat: add two tsl/ssl certificate-related options and adapted lib/db.js Jun 7, 2024