主页 / coding / 问题 / 79256228
Accepted
jurijus01
Asked: 2024-12-06 05:09:04 +0800 CST

Compass 和 MongoDB VPS 实例无法建立 TLS 连接

  • 772

Compass 无法与 VPS MongoDB 实例建立连接。以下是日志:

{"t":{"$date":"2024-12-05T20:38:26.097+00:00"},"s":"I",  "c":"NETWORK",  "id":22943,   "ctx":"listener","msg":"Connection accepted","attr":{"remote":"185.121.228.66:51324","uuid":{"uuid":{"$uuid":"5f86b525-d80e-45ea-b05d-ca1e33028b58"}},"connectionId":52,"connectionCount":1}}
{"t":{"$date":"2024-12-05T20:38:26.111+00:00"},"s":"I",  "c":"NETWORK",  "id":6723804, "ctx":"conn52","msg":"Ingress TLS handshake complete","attr":{"durationMillis":13}}
{"t":{"$date":"2024-12-05T20:38:26.112+00:00"},"s":"E",  "c":"NETWORK",  "id":23256,   "ctx":"conn52","msg":"SSL peer certificate validation failed","attr":{"error":"SSL peer certificate validation failed: unable to get issuer certificate"}}
{"t":{"$date":"2024-12-05T20:38:26.112+00:00"},"s":"I",  "c":"EXECUTOR", "id":22988,   "ctx":"conn52","msg":"Error receiving request from client. Ending connection from remote","attr":{"error":{"code":141,"codeName":"SSLHandshakeFailed","errmsg":"SSL peer certificate validation failed: unable to get issuer certificate"},"remote":"185.121.228.66:51324","connectionId":52}}
{"t":{"$date":"2024-12-05T20:38:26.112+00:00"},"s":"I",  "c":"NETWORK",  "id":22944,   "ctx":"conn52","msg":"Connection ended","attr":{"remote":"185.121.228.66:51324","uuid":{"uuid":{"$uuid":"5f86b525-d80e-45ea-b05d-ca1e33028b58"}},"connectionId":52,"connectionCount":0}}

不知道是什么导致了这个问题。文件两端的内容相同且可读。

mongo.conf:

net:
  port: 27017
#  bindIp: 127.0.0.1
  bindIpAll: true
  tls:
    mode: requireTLS
    certificateKeyFile: /etc/ssl/certAndKey.pem
    CAFile: /etc/ssl/chain.pem

之前我在 VPS 端尝试过 NGINX,Compass 可以正常建立连接。我觉得问题出在 MongoDB 端。

certAndKey 内容:

-----BEGIN CERTIFICATE-----
MIIDkTCCAxigAwIBAgISBFenOkN8BKV0K4KSsaH2eRvgMAoGCCqGSM49BAMDMDIx
CzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQDEwJF
NjAeFw0yNDExMTkxNzI4MDdaFw0yNTAyMTcxNzI4MDZaMBkxFzAVBgNVBAMTDmdp
ZnRidXR0b24uY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAExl2N7OsKn6or
Ggzf2xGQPjQNMks8/c9E1h3djOkojbzX0ppmqrxTaiM2eIYClj9vN3zMCecq1zEi
JGPt3GHPpaOCAiUwggIhMA4GA1UdDwEB/wQEAwIHgDAdBgNVHSUEFjAUBggrBgEF
BQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUHYpnb2g9Bcvf
bm/tfcpVsPUk3CgwHwYDVR0jBBgwFoAUkydGmAOpUWiOmNbEQkjbI79YlNIwVQYI
KwYBBQUHAQEESTBHMCEGCCsGAQUFBzABhhVodHRwOi8vZTYuby5sZW5jci5vcmcw
IgYIKwYBBQUHMAKGFmh0dHA6Ly9lNi5pLmxlbmNyLm9yZy8wLQYDVR0RBCYwJIIS
YXBpLmdpZnRidXR0b24uY29tgg5naWZ0YnV0dG9uLmNvbTATBgNVHSAEDDAKMAgG
BmeBDAECATCCAQUGCisGAQQB1nkCBAIEgfYEgfMA8QB2AKLjCuRF772tm3447Udn
d1PXgluElNcrXhssxLlQpEfnAAABk0WtLcQAAAQDAEcwRQIhAOk5pkZCkA3w7fU9
zM1TBFxZ0QnCRXAofLDz9YGCLLf/AiBz7ulKlnh2TtRNvEeaCMf19ryUp8HLWNp7
puhy1QtfzAB3ABNK3xq1mEIJeAxv70x6kaQWtyNJzlhXat+u2qfCq+AiAAABk0Wt
LnUAAAQDAEgwRgIhAIMOfLTk7kj1NcgmIblD9w+5LUozjkKpJyY6BzODUsylAiEA
+D7IEh5HpCMuR8QTjRM/zoOHoY1RK/lKhTbM1mJlKtgwCgYIKoZIzj0EAwMDZwAw
ZAIwF+1iepR6GfMqOFjfNGoRPLBz2Tpb9KwGK1P+brUbFxj+Ajpz6O8mt+EKAj8Y
EwwFAjAyPdWjZ/Y0KGWA6bsC0ltNyBGe0rUru8Rx1pLoYqA4TmcPpjbFbEVxVkCq
o5KZMN0=
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQg57A06iepOf1s1AYI
+UZCoiE69mtRSZ+NgKBcf1xaMtahRANCAATGXY3s6wqfqisaDN/bEZA+NA0ySzz9
z0TWHd2M6SiNvNfSmmaqvFNqIzZ4hgKWP283fMwJ5yrXMSIkY+3cYc+l
-----END PRIVATE KEY-----

链.pem:

-----BEGIN CERTIFICATE-----
MIIEVzCCAj+gAwIBAgIRALBXPpFzlydw27SHyzpFKzgwDQYJKoZIhvcNAQELBQAw
TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMjQwMzEzMDAwMDAw
WhcNMjcwMzEyMjM1OTU5WjAyMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg
RW5jcnlwdDELMAkGA1UEAxMCRTYwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAATZ8Z5G
h/ghcWCoJuuj+rnq2h25EqfUJtlRFLFhfHWWvyILOR/VvtEKRqotPEoJhC6+QJVV
6RlAN2Z17TJOdwRJ+HB7wxjnzvdxEP6sdNgA1O1tHHMWMxCcOrLqbGL0vbijgfgw
gfUwDgYDVR0PAQH/BAQDAgGGMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcD
ATASBgNVHRMBAf8ECDAGAQH/AgEAMB0GA1UdDgQWBBSTJ0aYA6lRaI6Y1sRCSNsj
v1iU0jAfBgNVHSMEGDAWgBR5tFnme7bl5AFzgAiIyBpY9umbbjAyBggrBgEFBQcB
AQQmMCQwIgYIKwYBBQUHMAKGFmh0dHA6Ly94MS5pLmxlbmNyLm9yZy8wEwYDVR0g
BAwwCjAIBgZngQwBAgEwJwYDVR0fBCAwHjAcoBqgGIYWaHR0cDovL3gxLmMubGVu
Y3Iub3JnLzANBgkqhkiG9w0BAQsFAAOCAgEAfYt7SiA1sgWGCIpunk46r4AExIRc
MxkKgUhNlrrv1B21hOaXN/5miE+LOTbrcmU/M9yvC6MVY730GNFoL8IhJ8j8vrOL
pMY22OP6baS1k9YMrtDTlwJHoGby04ThTUeBDksS9RiuHvicZqBedQdIF65pZuhp
eDcGBcLiYasQr/EO5gxxtLyTmgsHSOVSBcFOn9lgv7LECPq9i7mfH3mpxgrRKSxH
pOoZ0KXMcB+hHuvlklHntvcI0mMMQ0mhYj6qtMFStkF1RpCG3IPdIwpVCQqu8GV7
s8ubknRzs+3C/Bm19RFOoiPpDkwvyNfvmQ14XkyqqKK5oZ8zhD32kFRQkxa8uZSu
h4aTImFxknu39waBxIRXE4jKxlAmQc4QjFZoq1KmQqQg0J/1JF8RlFvJas1VcjLv
YlvUB2t6npO6oQjB3l+PNf0DpQH7iUx3Wz5AjQCi6L25FjyE06q6BZ/QlmtYdl/8
ZYao4SRqPEs/6cAiF+Qf5zg2UkaWtDphl1LKMuTNLotvsX99HP69V2faNyegodQ0
LyTApr/vT01YPE46vNsDLgK+4cL6TrzC/a4WcmF5SRJ938zrv/duJHLXQIku5v0+
EwOy59Hdm0PT/Er/84dDV0CSjdR/2XuZM3kpysSKLgD1cKiDA+IRguODCxfO9cyY
Ig46v9mFmBvyH04=
-----END CERTIFICATE-----

还有 fullchain.pem 文件,但没有使用它。所有证书都是通过 Certbot 从 LetsEncrypt 获得的。

有什么想法为什么 VPS 上的 MongoDB 不喜欢 Compass 尝试传达的内容?

mongodb

3 个回答

  1. 目前 certAndKey.pem 包含

    Subject: CN = giftbutton.com
Issuer: C = US, O = Let's Encrypt, CN = E6

    并且 chain.pem 包含

    Subject: C = US, O = Let's Encrypt, CN = E6
Issuer: C = US, O = Internet Security Research Group, CN = ISRG Root X1

    作为 CAFile 传递的 .pem 文件应该只包含根证书,即 ISRG Root X1。您需要获取该根证书并将其传递到 CAFile 中。

    将中间证书、服务器证书、服务器私钥放在同一个文件中,作为certificateKeyFile传递。

    • 0
  2. Best Answer

    将根证书添加到您的 CA。chain.pem文件应如下所示:

    -----BEGIN CERTIFICATE-----
MIIEVzCCAj+gAwIBAgIRALBXPpFzlydw27SHyzpFKzgwDQYJKoZIhvcNAQELBQAw
TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMjQwMzEzMDAwMDAw
WhcNMjcwMzEyMjM1OTU5WjAyMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg
RW5jcnlwdDELMAkGA1UEAxMCRTYwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAATZ8Z5G
h/ghcWCoJuuj+rnq2h25EqfUJtlRFLFhfHWWvyILOR/VvtEKRqotPEoJhC6+QJVV
6RlAN2Z17TJOdwRJ+HB7wxjnzvdxEP6sdNgA1O1tHHMWMxCcOrLqbGL0vbijgfgw
gfUwDgYDVR0PAQH/BAQDAgGGMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcD
ATASBgNVHRMBAf8ECDAGAQH/AgEAMB0GA1UdDgQWBBSTJ0aYA6lRaI6Y1sRCSNsj
v1iU0jAfBgNVHSMEGDAWgBR5tFnme7bl5AFzgAiIyBpY9umbbjAyBggrBgEFBQcB
AQQmMCQwIgYIKwYBBQUHMAKGFmh0dHA6Ly94MS5pLmxlbmNyLm9yZy8wEwYDVR0g
BAwwCjAIBgZngQwBAgEwJwYDVR0fBCAwHjAcoBqgGIYWaHR0cDovL3gxLmMubGVu
Y3Iub3JnLzANBgkqhkiG9w0BAQsFAAOCAgEAfYt7SiA1sgWGCIpunk46r4AExIRc
MxkKgUhNlrrv1B21hOaXN/5miE+LOTbrcmU/M9yvC6MVY730GNFoL8IhJ8j8vrOL
pMY22OP6baS1k9YMrtDTlwJHoGby04ThTUeBDksS9RiuHvicZqBedQdIF65pZuhp
eDcGBcLiYasQr/EO5gxxtLyTmgsHSOVSBcFOn9lgv7LECPq9i7mfH3mpxgrRKSxH
pOoZ0KXMcB+hHuvlklHntvcI0mMMQ0mhYj6qtMFStkF1RpCG3IPdIwpVCQqu8GV7
s8ubknRzs+3C/Bm19RFOoiPpDkwvyNfvmQ14XkyqqKK5oZ8zhD32kFRQkxa8uZSu
h4aTImFxknu39waBxIRXE4jKxlAmQc4QjFZoq1KmQqQg0J/1JF8RlFvJas1VcjLv
YlvUB2t6npO6oQjB3l+PNf0DpQH7iUx3Wz5AjQCi6L25FjyE06q6BZ/QlmtYdl/8
ZYao4SRqPEs/6cAiF+Qf5zg2UkaWtDphl1LKMuTNLotvsX99HP69V2faNyegodQ0
LyTApr/vT01YPE46vNsDLgK+4cL6TrzC/a4WcmF5SRJ938zrv/duJHLXQIku5v0+
EwOy59Hdm0PT/Er/84dDV0CSjdR/2XuZM3kpysSKLgD1cKiDA+IRguODCxfO9cyY
Ig46v9mFmBvyH04=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIFazCCA1OgAwIBAgIRAIIQz7DSQONZRGPgu2OCiwAwDQYJKoZIhvcNAQELBQAw
TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMTUwNjA0MTEwNDM4
WhcNMzUwNjA0MTEwNDM4WjBPMQswCQYDVQQGEwJVUzEpMCcGA1UEChMgSW50ZXJu
ZXQgU2VjdXJpdHkgUmVzZWFyY2ggR3JvdXAxFTATBgNVBAMTDElTUkcgUm9vdCBY
MTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAK3oJHP0FDfzm54rVygc
h77ct984kIxuPOZXoHj3dcKi/vVqbvYATyjb3miGbESTtrFj/RQSa78f0uoxmyF+
0TM8ukj13Xnfs7j/EvEhmkvBioZxaUpmZmyPfjxwv60pIgbz5MDmgK7iS4+3mX6U
A5/TR5d8mUgjU+g4rk8Kb4Mu0UlXjIB0ttov0DiNewNwIRt18jA8+o+u3dpjq+sW
T8KOEUt+zwvo/7V3LvSye0rgTBIlDHCNAymg4VMk7BPZ7hm/ELNKjD+Jo2FR3qyH
B5T0Y3HsLuJvW5iB4YlcNHlsdu87kGJ55tukmi8mxdAQ4Q7e2RCOFvu396j3x+UC
B5iPNgiV5+I3lg02dZ77DnKxHZu8A/lJBdiB3QW0KtZB6awBdpUKD9jf1b0SHzUv
KBds0pjBqAlkd25HN7rOrFleaJ1/ctaJxQZBKT5ZPt0m9STJEadao0xAH0ahmbWn
OlFuhjuefXKnEgV4We0+UXgVCwOPjdAvBbI+e0ocS3MFEvzG6uBQE3xDk3SzynTn
jh8BCNAw1FtxNrQHusEwMFxIt4I7mKZ9YIqioymCzLq9gwQbooMDQaHWBfEbwrbw
qHyGO0aoSCqI3Haadr8faqU9GY/rOPNk3sgrDQoo//fb4hVC1CLQJ13hef4Y53CI
rU7m2Ys6xt0nUW7/vGT1M0NPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNV
HRMBAf8EBTADAQH/MB0GA1UdDgQWBBR5tFnme7bl5AFzgAiIyBpY9umbbjANBgkq
hkiG9w0BAQsFAAOCAgEAVR9YqbyyqFDQDLHYGmkgJykIrGF1XIpu+ILlaS/V9lZL
ubhzEFnTIZd+50xx+7LSYK05qAvqFyFWhfFQDlnrzuBZ6brJFe+GnY+EgPbk6ZGQ
3BebYhtF8GaV0nxvwuo77x/Py9auJ/GpsMiu/X1+mvoiBOv/2X/qkSsisRcOj/KK
NFtY2PwByVS5uCbMiogziUwthDyC3+6WVwW6LLv3xLfHTjuCvjHIInNzktHCgKQ5
ORAzI4JMPJ+GslWYHb4phowim57iaztXOoJwTdwJx4nLCgdNbOhdjsnvzqvHu7Ur
TkXWStAmzOVyyghqpZXjFaH3pO3JLF+l+/+sKAIuvtd7u+Nxe5AW0wdeRlN8NwdC
jNPElpzVmbUq4JUagEiuTDkHzsxHpFKVK7q4+63SM1N95R1NbdWhscdCb+ZAJzVc
oyi3B43njTOQ5yOf+1CceWxG1bQVs5ZufpsMljq4Ui0/1lvh+wjChP4kqKOJ2qxq
4RgqsahDYVvTH9w7jXbyLeiNdd8XM2w9U/t7y0Ff/9yi0GE44Za4rF2LN9d11TPA
mRGunUHBcnWEvgJBQl9nJEiU0Zsnvgc/ubhPgXRR4Xq37Z0j4r7g1SgEEzwxA57d
emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc=
-----END CERTIFICATE-----

    通常,Let's Encrypt 证书存储在您的本地证书存储中,因此您也可以使用tlsUseSystemCA。我认为在 Compass 和 mongosh 中它甚至是默认的。

    • 0

  3. 总结一下 Wernfried Domscheit 提供的解决方案,用通俗易懂的英语来表达,因为这个证书让我们非常困惑。因为 LetsEncrypt 的 Certbot 会为您生成以下文件:

    1) cert.pem (as known as "Your server certificate")
2) chain.pem (as known as "Intermediate certificate")
3) fullchain.pem (2 of the above in a single file. The 1st half is erver cert, the other half is intermediate cert. Anyhow this file is useless in our case and adds more confusion, so ignore this file)
4) privkey.pem

    您需要执行以下操作:

    1. 创建一个包含服务器证书和私钥的文件;
    2. 创建另一个包含中间证书和 RootCA 的文件。

    Certbot 不提供 RootCA!您需要直接从 LetEncrypt 网站下载。

    https://letsencrypt.org/certificates/][1]

    它是 ISRG Root X1,自签名的。这是直接链接

    [https://letsencrypt.org/certs/isrgrootx1.pem][1]

    至于你的 mongod.cong,tls 部分应该是这样的:

    tls:
    mode: requireTLS
    certificateKeyFile: /etc/ssl/certKey.pem
    CAFile: /etc/ssl/intermRoot.pem

    至于 Compass 连接,显然,只有“客户端证书和密钥(.pem)”文件才是您的 certKey 文件,就足以进行连接。

    • 0

相关问题