MongoDB 自签名 SSL 连接：SSL 对等证书验证失败

我已遵循本指南使用 PyMongo 的自签名 SSL 连接，作者：Wan Bachtiar https://stackoverflow.com/questions/35790287/self-signed-ssl-connection-using-pymongo#35967188创建三个 .pem 文件；服务器.pem、客户端.pem 和 ca.pem。

我使用的是 Ubuntu 16.04 和 MongoDB v3.2.11。

目的是在向公共互联网开放 MongoDB 之前确保其安全。

让我们启动 mongodb：

$ mongod --auth --port 27017 --dbpath /data/db1 
--sslMode requireSSL --sslPEMKeyFile /etc/ssl/server.pem 
--sslCAFile /etc/ssl/ca.pem --sslAllowInvalidHostnames &

Output:

root@tim:/etc/ssl# 2017-01-13T12:58:55.150+0000 I CONTROL  [initandlisten] MongoDB starting : pid=19058 port=27017 dbpath=/data/db1 64-bit host=tim
2017-01-13T12:58:55.150+0000 I CONTROL  [initandlisten] db version v3.2.11
2017-01-13T12:58:55.151+0000 I CONTROL  [initandlisten] git version: 009580ad490190ba33d1c6253ebd8d91808923e4
2017-01-13T12:58:55.151+0000 I CONTROL  [initandlisten] OpenSSL version: OpenSSL 1.0.2g  1 Mar 2016
2017-01-13T12:58:55.152+0000 I CONTROL  [initandlisten] allocator: tcmalloc
2017-01-13T12:58:55.152+0000 I CONTROL  [initandlisten] modules: none
2017-01-13T12:58:55.152+0000 I CONTROL  [initandlisten] build environment:
2017-01-13T12:58:55.152+0000 I CONTROL  [initandlisten]     distmod: ubuntu1604
2017-01-13T12:58:55.152+0000 I CONTROL  [initandlisten]     distarch: x86_64
2017-01-13T12:58:55.152+0000 I CONTROL  [initandlisten]     target_arch: x86_64
2017-01-13T12:58:55.153+0000 I CONTROL  [initandlisten] options: { net: { port: 27017, ssl: { CAFile: "/etc/ssl/ca.pem", PEMKeyFile: "/etc/ssl/server.pem", allowInvalidHostnames: true, mode: "requireSSL" } 
}, security: { authorization: "enabled" }, storage: { dbPath: "/data/db1" } }
2017-01-13T12:58:55.211+0000 I -        [initandlisten] Detected data files in /data/db1 created by the 'wiredTiger' storage engine, so setting the active storage engine to 'wiredTiger'.
2017-01-13T12:58:55.212+0000 W -        [initandlisten] Detected unclean shutdown - /data/db1/mongod.lock is not empty.
2017-01-13T12:58:55.212+0000 W STORAGE  [initandlisten] Recovering data from the last clean checkpoint.
2017-01-13T12:58:55.212+0000 I STORAGE  [initandlisten] wiredtiger_open config: create,cache_size=1G,session_max=20000,eviction=(threads_max=4)
,config_base=false,statistics=(fast),log=(enabled=true,archive=true,path=journal,compressor=snappy),file_manager=(close_idle_time=100000),checkpoint=(wait=60,log_size=2GB),statistics_log=(wait=0),
2017-01-13T12:58:55.886+0000 I CONTROL  [initandlisten] ** WARNING: You are running this process as the root user, which is not recommended.
2017-01-13T12:58:55.886+0000 I CONTROL  [initandlisten]
2017-01-13T12:58:55.895+0000 I FTDC     [initandlisten] Initializing full-time diagnostic data capture with directory '/data/db1/diagnostic.data'
2017-01-13T12:58:55.897+0000 I NETWORK  [initandlisten] waiting for connections on port 27017 ssl
2017-01-13T12:58:55.897+0000 I NETWORK  [HostnameCanonicalizationWorker] Starting hostname canonicalization worker
2017-01-13T12:58:56.026+0000 I FTDC     [ftdc] Unclean full-time diagnostic data capture shutdown detected, found interim file, some metrics may have been lost. OK

运行 mongod 后，我启动 mongo shell：

$ mongo --port 27017 -u "my username" -p "my password" 
--authenticationDatabase "" --ssl --sslPEMKeyFile /etc/ssl/client.pem 
--sslCAFile /etc/ssl/ca.pem --host tim

输出类似于马歇尔·法里尔提出的问题 https://stackoverflow.com/questions/35790287/self-signed-ssl-connection-using-pymongo#35967188;我们来看一下。

MongoDB shell version: 3.2.11
connecting to: 127.0.0.1:27017/datatest
2017-01-13T12:35:58.247+0000 I NETWORK  [initandlisten] connection accepted from 127.0.0.1:38902 #8 (1 connection now open)
2017-01-13T12:35:58.259+0000 E NETWORK  [thread1] SSL peer certificate validation failed: self signed certificate
2017-01-13T12:35:58.259+0000 E QUERY    [thread1] Error: socket exception [CONNECT_ERROR] for SSL peer certificate validation failed: self signed certificate :
connect@src/mongo/shell/mongo.js:231:14
@(connect):1:6

2017-01-13T12:35:58.263+0000 E NETWORK  [conn8] SSL peer certificate validation failed: self signed certificate
2017-01-13T12:35:58.263+0000 I NETWORK  [conn8] end connection 127.0.0.1:38902 (0 connections now open)

我究竟做错了什么？

经过一番搜索，这个错误似乎是由于主机名“CN”不正确造成的。

From 数字海洋 https://www.digitalocean.com/community/tutorials/openssl-essentials-working-with-ssl-certificates-private-keys-and-csrs:

每当您生成 CSR 时，系统都会提示您提供有关证书的信息。此信息称为可分辨名称 (DN)。 DN 中的一个重要字段是公用名 (CN)，它应该是您打算使用证书的主机的完全限定域名 (FQDN)。

同样来自 MongoDB文档 https://docs.mongodb.com/manual/tutorial/configure-ssl-clients/#ssl-clients:

如果您的 MongoDB 部署使用 SSL，您还必须指定 --host 选项。 mongo 验证您要连接的 mongod 或 mongos 的主机名是否与 mongod 或 mongos 的 --sslPEMKeyFile 证书的 CN 或 SAN 匹配。如果主机名与 CN/SAN 不匹配，mongo 将无法连接。

解决方案：

我重新生成了密钥，将 localhost 替换为 CN = hostname> 并完成指南通过万·巴赫蒂亚尔 https://stackoverflow.com/questions/35790287/self-signed-ssl-connection-using-pymongo#35967188.

完成后运行以下命令有效：

$ mongo --port 27017 -u '<_username_>' -p '<_password_>' 
--authenticationDatabase "<_my db_>" --ssl --sslPEMKeyFile 
/etc/ssl/client.pem  --sslCAFile /etc/ssl/ca.pem --host localhost

笔记： MongoDB 严格规定谁可以访问哪些数据库，在 mongo shell 中进行快速测试：

> 显示数据库

返回错误。但是，我的用户实际上只能访问“my db>”，因此循环遍历“my db>” 工作完美。