
I am using the Node.js MongoDB driver to connect to a self-signed MongoDB instance. The MongoDB and mongo shell version is 4.0.0. Below is the command to launch a self-signed MongoDB instance:

mongod --port 27018 --sslMode requireSSL --sslPEMKeyFile mongodb.pem --dbpath data

When I connect to this server with the mongo shell, I can use the command below without the PEM file:

mongo --port 27018 --ssl --sslAllowInvalidCertificates

I wonder what the PEM file is used for in the connection.

asked Aug 21, 2018 at 23:01

2 Answers


I know it's an old question, but just in case this helps someone else who stumbles upon this page looking for something like I did:

The PEM file is there for the server to provide a way to prove its identity to any client that requests it. It basically ensures a secure connection for any client. And in a production environment, there would be a proper certificate instead of a self-signed one. If you notice, when you remove the --sslAllowInvalidCertificates flag from the connection string, you'll get the following error message for a self-signed certificate:

Error: couldn't connect to server :, connection attempt failed: SSLHandshakeFailed: SSL peer certificate validation failed: (800B0109)A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.

The --sslAllowInvalidCertificates flag is given as a workaround for testing/development environments. Technically, the client could use it even when connecting to a production environment. But in that case, the loss is the client's only, as a rogue element could be posing as the server, and with this flag the client wouldn't be able to verify the identity of the server. So, this flag should only be used when you are absolutely sure that you are connecting to the right server. In your example, you are sure. But if you weren't, and you wanted to make sure that the server was really who it said it was, the PEM would come into the picture.

mustaccio
answered Jul 4, 2020 at 23:56
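The behaviour described in this answer, and the key+certificate file layout the second answer quotes from the MongoDB docs, as an added example that is not from the original page or from MongoDB's own code: it generates a self-signed certificate, writes it out in the layout of mongodb.pem (private key followed by certificate), starts a TLS server that loads that file the way mongod does, and connects to it under the three client policies discussed in the thread: default verification, the equivalent of --sslAllowInvalidCertificates, and trusting the server's own certificate as --sslCAFile would. It is written in Go rather than with the Node.js driver because Go's standard library can build the certificate and run both ends of the handshake offline; MakeSelfSignedPEM, StartServer, Connect, RunDemo and the Outcomes type are this example's own names, not MongoDB or driver APIs.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// must aborts the demo on setup errors; the connection attempts themselves return their errors.
func must(err error) {
	if err != nil {
		panic(err)
	}
}

// MakeSelfSignedPEM returns the certificate alone (the public half a client may
// be given as a CA file) and a key+cert file in the layout of mongodb.pem.
func MakeSelfSignedPEM() (certPEM, serverPEM []byte) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "localhost"},
		DNSNames:              []string{"localhost"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour), // like openssl -days 365
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true, // self-signed: the certificate is its own issuer
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	must(err)
	keyDER, err := x509.MarshalPKCS8PrivateKey(key) // PKCS#8, as the quoted docs ask for
	must(err)
	certPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	keyPEM := pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: keyDER})
	// Same order as "cat mongodb-cert.key mongodb-cert.crt > mongodb.pem".
	return certPEM, append(keyPEM, certPEM...)
}

// StartServer stands in for "mongod --sslMode requireSSL --sslPEMKeyFile mongodb.pem".
// Only this side ever needs the private key: it signs the handshake with it.
func StartServer(serverPEM []byte) (addr string, stop func()) {
	cert, err := tls.X509KeyPair(serverPEM, serverPEM) // both PEM blocks live in the one file
	must(err)
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}})
	must(err)
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return // listener closed
			}
			go func() { c.Write([]byte("ok")); c.Close() }() // Write drives the server-side handshake
		}
	}()
	return ln.Addr().String(), func() { ln.Close() }
}

// Connect is the client side: caPEM nil and skipVerify false is the default (only system roots
// trusted); skipVerify true is --sslAllowInvalidCertificates; caPEM = server cert is --sslCAFile.
func Connect(addr string, caPEM []byte, skipVerify bool) error {
	cfg := &tls.Config{ServerName: "localhost", InsecureSkipVerify: skipVerify}
	if caPEM != nil {
		cfg.RootCAs = x509.NewCertPool()
		cfg.RootCAs.AppendCertsFromPEM(caPEM) // a malformed PEM leaves the pool empty and the dial fails
	}
	conn, err := tls.Dial("tcp", addr, cfg) // Dial runs the handshake, so verification fails here
	if err != nil {
		return err
	}
	return conn.Close()
}

// Outcomes records each policy's handshake result; nil means the server was accepted.
type Outcomes struct{ Default, SkipVerify, Trusted error }

// RunDemo starts one self-signed server and connects to it under all three policies.
func RunDemo() Outcomes {
	certPEM, serverPEM := MakeSelfSignedPEM()
	addr, stop := StartServer(serverPEM)
	defer stop()
	return Outcomes{
		Default:    Connect(addr, nil, false),
		SkipVerify: Connect(addr, nil, true),
		Trusted:    Connect(addr, certPEM, false),
	}
}

func main() {
	o := RunDemo()
	fmt.Printf("system roots only: %v\n--sslAllowInvalidCertificates: %v\n--sslCAFile: %v\n", o.Default, o.SkipVerify, o.Trusted)
}
```

Running it shows the same split the answer describes: the default dial fails with an "unknown authority" style error (the Go analogue of the SSLHandshakeFailed message above; on a host with no system root store Go reports a system-roots error instead, which is still a failure), the InsecureSkipVerify dial succeeds without ever checking who the server is, and the dial that trusts the server's certificate succeeds with identity verified. Note that the client never sees the private key in any of the three cases; only StartServer loads the full key+cert file.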

As per the MongoDB documentation here: "Before you can use TLS/SSL, you must have a .pem file containing a public key certificate and its associated private key."

Note: For FIPS mode, ensure that the certificate is FIPS-compliant (i.e. uses FIPS-compliant algorithms) and the private key meets the PKCS#8 standard. If you need to convert a private key to PKCS#8 format, various conversion tools exist, such as openssl pkcs8 and others.

MongoDB can use any valid TLS/SSL certificate issued by a certificate authority, or a self-signed certificate. If you use a self-signed certificate, although the communications channel will be encrypted, there will be no validation of server identity. Although such a situation will prevent eavesdropping on the connection, it leaves you vulnerable to a man-in-the-middle attack. Using a certificate signed by a trusted certificate authority will permit MongoDB drivers to verify the server’s identity.

In general, avoid using self-signed certificates unless the network is trusted.

This operation generates a new, self-signed certificate with no passphrase that is valid for 365 days. Once you have the certificate, concatenate the certificate and private key to a .pem file, as in the following example:

cat mongodb-cert.key mongodb-cert.crt > mongodb.pem

For further reference, see here.

answered Aug 24, 2018 at 16:27
  • This is what I did. My question is not about how to generate a self-signed instance. The question is why connecting to a self-signed MongoDB doesn't require the private key. Commented Aug 26, 2018 at 22:08
