无法使用自签名证书连接到 mongodb，docker 容器中的 mongodb

Question

我创建了一个带有 mongodb 图像的 docker 容器。 我按照本指南为与数据库的安全连接创建了一个自签名证书。

我开始尝试与这些证书建立连接，其中 rootCA.pem 是将成为验证者的计算机的自签名证书，在这种情况下相同。 而mongodb.pem是服务器的.key+.crt。

root@8bc7b8cd6a0d:/# mongo --tls --tlsCAFile /data/db/certs/rootCA.pem --tlsCertificateKeyFile /data/db/certs/mongodb.pem --host 172.17.0.2:27017
MongoDB shell version v4.2.6
connecting to: mongodb://172.17.0.2:27017/?compressors=disabled&gssapiServiceName=mongodb
2020-04-29T09:21:21.255+0000 E  QUERY    [js] Error: couldn't connect to server 172.17.0.2:27017, connection attempt failed: SocketException: stream truncated :
connect@src/mongo/shell/mongo.js:341:17
@(connect):2:6
2020-04-29T09:21:21.259+0000 F  -        [main] exception: connect failed
2020-04-29T09:21:21.259+0000 E  -        [main] exiting with code 1
root@8bc7b8cd6a0d:/#


root@8bc7b8cd6a0d:/# mongo --tls --tlsCAFile /data/db/certs/rootCA.pem --tlsCertificateKeyFile /data/db/certs/mongodb.pem                        
MongoDB shell version v4.2.6
connecting to: mongodb://127.0.0.1:27017/?compressors=disabled&gssapiServiceName=mongodb
2020-05-05T19:39:52.308+0000 E  QUERY    [js] Error: couldn't connect to server 127.0.0.1:27017, connection attempt failed: SocketException: stream truncated :
connect@src/mongo/shell/mongo.js:341:17
@(connect):2:6
2020-05-05T19:39:52.358+0000 F  -        [main] exception: connect failed
2020-05-05T19:39:52.359+0000 E  -        [main] exiting with code 1
root@8bc7b8cd6a0d:/#

证书存储在以下目录中，该目录位于容器的卷中，用于存储数据库中的数据。

root@auzal-virtual-machine:/opt/mimongo# ls certs
mongodb.crt  mongodb.csr  mongodb.key  mongodb.pem  rootCA.key  rootCA.pem  rootCA.srl

最后配置文件的结构如下，这个文件是原文件的副本，我这样说是为了防止你看到名字和正常的不一样：

# for documentation of all options, see:
#   http://docs.mongodb.org/manual/reference/configuration-options/

# Where and how to store data.
storage:
  dbPath: /var/lib/mongodb
  journal:
    enabled: true
#  engine:
#  mmapv1:
#  wiredTiger:

# where to write logging data.
systemLog:
  destination: file
  logAppend: true
  path: /var/log/mongodb/mongod.log

# network interfaces
net:
  port: 27017
  bindIp: 127.0.0.1
  ssl:
    mode: requireSSL
    PEMKeyFile: /data/db/certs/mongodb.pem
    CAFile: /data/db/certs/rootCA.pem


# how the process runs
processManagement:
  timeZoneInfo: /usr/share/zoneinfo

#security:

#operationProfiling:

#replication:

#sharding:

## Enterprise-Only Options:

#auditLog:

#snmp:

我不知道为什么会出现该错误，可能是我解释了证书有问题而没有指出正确的证书吗？ 我收到的错误是什么？

使用数据库中的语句查看日志我收到以下错误，但是主配置文件中有此功能：

Error receiving request from client: SSLHandshakeFailed: SSL handshake received but server is started without SSL support.

您看到的身份验证来自管理员用户，但没有证书

"2020-05-06T21:46:58.796+0000 I  NETWORK  [conn3] end connection 127.0.0.1:56360 (0 connections now open)",
"2020-05-06T21:47:02.052+0000 I  NETWORK  [listener] connection accepted from 127.0.0.1:56362 #4 (1 connection now open)",
"2020-05-06T21:47:02.053+0000 I  NETWORK  [conn4] Error receiving request from client: SSLHandshakeFailed: SSL handshake received but server is started without SSL support. Ending connection from 127.0.0.1:56362 (connection id: 4)",
"2020-05-06T21:47:02.053+0000 I  NETWORK  [conn4] end connection 127.0.0.1:56362 (0 connections now open)",
"2020-05-06T21:47:08.628+0000 I  NETWORK  [listener] connection accepted from 127.0.0.1:56364 #5 (1 connection now open)",
"2020-05-06T21:47:08.629+0000 I  NETWORK  [conn5] Error receiving request from client: SSLHandshakeFailed: SSL handshake received but server is started without SSL support. Ending connection from 127.0.0.1:56364 (connection id: 5)",
"2020-05-06T21:47:08.629+0000 I  NETWORK  [conn5] end connection 127.0.0.1:56364 (0 connections now open)",
"2020-05-06T21:47:11.815+0000 I  NETWORK  [listener] connection accepted from 127.0.0.1:56366 #6 (1 connection now open)",
"2020-05-06T21:47:11.816+0000 I  NETWORK  [conn6] Error receiving request from client: SSLHandshakeFailed: SSL handshake received but server is started without SSL support. Ending connection from 127.0.0.1:56366 (connection id: 6)",
"2020-05-06T21:47:11.817+0000 I  NETWORK  [conn6] end connection 127.0.0.1:56366 (0 connections now open)",
"2020-05-06T21:47:21.515+0000 I  NETWORK  [listener] connection accepted from 127.0.0.1:56368 #7 (1 connection now open)",
"2020-05-06T21:47:21.515+0000 I  NETWORK  [conn7] Error receiving request from client: SSLHandshakeFailed: SSL handshake received but server is started without SSL support. Ending connection from 127.0.0.1:56368 (connection id: 7)",
"2020-05-06T21:47:21.516+0000 I  NETWORK  [conn7] end connection 127.0.0.1:56368 (0 connections now open)",
"2020-05-06T21:50:17.250+0000 I  NETWORK  [listener] connection accepted from 127.0.0.1:56374 #8 (1 connection now open)",
"2020-05-06T21:50:17.251+0000 I  NETWORK  [conn8] Error receiving request from client: SSLHandshakeFailed: SSL handshake received but server is started without SSL support. Ending connection from 127.0.0.1:56374 (connection id: 8)",
"2020-05-06T21:50:17.251+0000 I  NETWORK  [conn8] end connection 127.0.0.1:56374 (0 connections now open)",
"2020-05-06T21:51:48.008+0000 I  NETWORK  [listener] connection accepted from 127.0.0.1:56396 #9 (1 connection now open)",
"2020-05-06T21:51:48.009+0000 I  NETWORK  [conn9] received client metadata from 127.0.0.1:56396 conn9: { application: { name: \"MongoDB Shell\" }, driver: { name: \"MongoDB Internal Client\", version: \"4.2.6\" }, os: { type: \"Linux\", name: \"Ubuntu\", architecture: \"x86_64\", version: \"18.04\" } }",
"2020-05-06T21:51:54.405+0000 I  NETWORK  [conn9] end connection 127.0.0.1:56396 (0 connections now open)",
"2020-05-06T21:52:03.681+0000 I  NETWORK  [listener] connection accepted from 127.0.0.1:56402 #10 (1 connection now open)",
"2020-05-06T21:52:03.682+0000 I  NETWORK  [conn10] received client metadata from 127.0.0.1:56402 conn10: { application: { name: \"MongoDB Shell\" }, driver: { name: \"MongoDB Internal Client\", version: \"4.2.6\" }, os: { type: \"Linux\", name: \"Ubuntu\", architecture: \"x86_64\", version: \"18.04\" } }",
"2020-05-06T21:52:03.682+0000 I  SHARDING [conn10] Marking collection admin.system.users as collection version: <unsharded>",
"2020-05-06T21:52:03.776+0000 I  ACCESS   [conn10] SASL SCRAM-SHA-256 authentication failed for admin on admin from client 127.0.0.1:56402 ; AuthenticationFailed: SCRAM authentication failed, storedKey mismatch",
"2020-05-06T21:52:03.786+0000 I  NETWORK  [conn10] end connection 127.0.0.1:56402 (0 connections now open)",
"2020-05-06T21:52:16.138+0000 I  NETWORK  [listener] connection accepted from 127.0.0.1:56404 #11 (1 connection now open)",
"2020-05-06T21:52:16.139+0000 I  NETWORK  [conn11] received client metadata from 127.0.0.1:56404 conn11: { application: { name: \"MongoDB Shell\" }, driver: { name: \"MongoDB Internal Client\", version: \"4.2.6\" }, os: { type: \"Linux\", name: \"Ubuntu\", architecture: \"x86_64\", version: \"18.04\" } }",
"2020-05-06T21:52:16.215+0000 I  ACCESS   [conn11] Successfully authenticated as principal admin on admin from client 127.0.0.1:56404"
],
"ok" : 1
}
> db.adminCommand( { getLog: "global" } )

Answer 1

创建证书时，我遵循了本指南。 我最初使用从这里创建的证书，但它不起作用。 使用服务器证书就可以了。