主页 / coding / 问题 / 79279812
Accepted
jurijus01
Asked: 2024-12-14 07:39:45 +0800 CST

Compass 无法使用 OpenSSL 证书通过 TLS 连接到 MongoDB

  • 772

尝试通过 TLS 将 Compass 连接到 VPS 上的 MongoDB 实例的久经考验的方法。如果证书来自 LetsEnctrypt CA(使用 CertBot 生成),则需要 2 个文件:

  1. CertAndKey.pem,包含主机证书及其私钥;
  2. intermAndRoot.pem,包含Certbot提供的chain.pem和直接从LetsEncrypt网站下载的rootCA证书。

一切正常。连接已建立。

但是,对于使用 OpenSSL 生成的自定义 CA,同样的方法不起作用。MongoDB 日志提供错误“证书用途不合适”

我按照这个出色的播放列表创建了 OpenSSL 证书链: TechLAB

我相信我做对了,因为所有 3 个证书都是不同的,并且内部证书和主机证书都通过了根证书的验证。

我的根 CA 是:

-----BEGIN CERTIFICATE-----
MIIFETCCAvmgAwIBAgIUbGwDAa8nWxKRBW4q3xpoEEo/C2YwDQYJKoZIhvcNAQEN
BQAwGDEWMBQGA1UEAwwNR0lGVEJVVFRPTiBDQTAeFw0yNDEyMTIyMjE3NDNaFw0z
NDEyMTAyMjE3NDNaMBgxFjAUBgNVBAMMDUdJRlRCVVRUT04gQ0EwggIiMA0GCSqG
SIb3DQEBAQUAA4ICDwAwggIKAoICAQDiNZ7a/FEjYuGjJ5jYICo/45PGcXXOScep
Jrf3r4OX/CzIPYX8Z87sm19FA3oPx8alNkxVax86w0gT7s153f4AoDHuHxLpJSuB
zxTN5PYJAR/vi1YUlpc1w7H5eBokUz2++29DLvrJs9EKYynC76uNSmLsfrg/d5gq
fJASkyCW6ARDSx3xAZuwMpZVW7Go+56G9J+w0y0cGMWRpOBcURTdfTJcSBVZil5+
EteQcyqm2Rs/jTgcNefvjkPOJOFVAOc2B2BL4XuZRKR8VbPTqQKRYCvg6KEWNzAf
mzDo5E87CwPu1f1gQ5XtKuLhdIu0rswMM6eIlhWvhpUrsrNJqBwnjyZngzV/CZr6
s3uOsKFJXt+vv0u7hR1T34PMG4MmE2sNmPYB/5wDUn/fs/M1jEc82GjmoyCNfVhM
n9dtkeK178NZh7yqAD5XitAxavj85UOoF0h5jUnItbszEI2tkvO6xufEo9TgC2y6
KBjyFi+o9QgtzxymMMM/wTxqNEgHDdtOgjXhhdBa+QfBnzQxKaOMNsPA+ncX5Z6G
L0kqeS3xkRlqR3a2BFB/K0hWmnuzJEiMDj7EHnV4uugoiXcuSvW/jsK7UdvbzkqU
4Sfhuh5znxA0fbneyMHEKFyHGgolvVz6FX2RNvHYrN5OcBTNolNP3yLKlLrj85pr
2bTLUjaxxwIDAQABo1MwUTAdBgNVHQ4EFgQUzOJJ8NOKY5F/97AsM2J2S+FNMLkw
HwYDVR0jBBgwFoAUzOJJ8NOKY5F/97AsM2J2S+FNMLkwDwYDVR0TAQH/BAUwAwEB
/zANBgkqhkiG9w0BAQ0FAAOCAgEAW/g3wYPZwsGWBelcuWKkxYAtiBaHaLE6KkJd
5Fm6gREceoQr6wx3k9wU5j34XHAsJ0EVDcToXooSjXAz0ItKyPN6YncAJL0iw2Ns
1bCPSCkUgIU4GXTUO9bd89uV3fQU7FaCwGiv0W/v1imSKenTAOwgTCl9sLuO1+3E
T/IEPvEiMV/YU8ZX1asmq57/SMjTXLAH8i/S5OZBie42pbd3g9ybHd0+4vK6BQFF
xdIr/TtyLywTHEEaiK4JWEW9P2UhSiwbHu3wdTPlV6O2ll7Scsa6jDllAHrac/up
kftJFQB7001or1qIysYkL1tyln/IX4frBHL6a/tqcVjn0QKEu4iOfBStRzTcM9Kp
9vzAk1rwGcuqtQWDChjX/cOHWMB/yobJjlSYCXmctvrwkw6ghXnIeDUbUM0j0LiK
etS/4WM4W8kjYwuUcdvtUjGqbplbpHovgd+yqVdUjT1s6z1qfO3w6ZPLg5IpD2Ef
7hTDYqlZNi7/kmosp7FhkzLZeR8K2aad3D0y+MuPoCUAgdVU5oXJhmcLgOhJhx3z
EwamaStqLwuh3OHnHVkwExB4GOJ6Zh2JXdpbxGsBmW9VCE7JVnx3kf1vfyx7LTnW
G3NbfChROxCTu7HsqPsuSlfQSbuc9dA6IOG77GR/slSiaMlH77z8PXeqNoIGTtJ6
4F7JL3I=
-----END CERTIFICATE-----

中级证书是:

-----BEGIN CERTIFICATE-----
MIIFHjCCAwagAwIBAgIRAN5DF60GO8h5VmWPWG/07jwwDQYJKoZIhvcNAQELBQAw
GDEWMBQGA1UEAwwNR0lGVEJVVFRPTiBDQTAeFw0yNDEyMTIyMzA5MDZaFw0zNDEy
MTAyMzA5MDZaMCUxIzAhBgNVBAMMGkdJRlRCVVRUT04gSU5URVJNRURJQVRFIENB
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA3FYjbUdoKenoOQLV4YDH
DiDOM8GDjLdwHFB8nX9hgR06wVkevepym0bvoDyksN1TXhn/z1A8qB2xqsSCauqM
rVRFpb1Ic5MsJT42uSJTghN/gsjsQmn+7m/7suKADGKRdxT8g93FaDNDPlAeYdBy
hdE9M4i8c9KIW2oo6+pL+jRKz3iVVasqS7Y00hgIyJcuN+Zpq67TXVOi9Fg4CoEV
+toYLE3/YczlTv/FWWj0p7GLZA3KOy243ooD4gz/Rt5+0p9BsuACFfmMHEIAfJzJ
p4j0CbqBpwG2azrru7jrIhqJ//6b95shXm/+AHCaVM2CnpNQ+qnFjVMs88rRmOh1
9c+PUBMBD40wql1eJzVlxATLX8Hm1VmmFnw7RY2LP8+AZrTK/KDZeWExmCAhj2n/
oV1b41fNNEg5xt2OApsEzL3IdyxN64n88mJV2KKCK728Svo/jodgcS9Ilw6+DQ76
OkyMOQybx69AG5JrpIV1dFoVKC0tqA/DRV/rSgRv23XivSxJ34qz2iSWbpYKCLpN
tlhTY3e8MakTtT1kAT+VhOaXDkso+jXq88yQR6bo+ZjI28/hwKcy/fpW2pYN/rZx
A++uRWAiQ2CKBnkPyyz5S3kOpleGm0RMDTIgwawBXl5WWna0NnB1+pvQ1dzfERrf
9bANNmZpBtWveSsXpVd4t4MCAwEAAaNWMFQwHQYDVR0OBBYEFOr7YkD5s8FyqtIO
2uRgKHSEUIQmMB8GA1UdIwQYMBaAFMziSfDTimORf/ewLDNidkvhTTC5MBIGA1Ud
EwEB/wQIMAYBAf8CAQAwDQYJKoZIhvcNAQELBQADggIBAFavRSIpnirwjm0/mViN
xWD3Hk/NAtxHz5+t1XMM709DdZYhXvHQsFdSV2vpLjiWtfx6xOmIQoqld4FrZOGa
R5xiEfr7khGQ5CZpoiafp1ms3DdZb/WLqMhQ8wopayaVkS5QN3IpHTu8Vx7lRzjs
etta+JOdxgE21nZUNHaeOA2vpQT5WwTNq6qsmjgKf5dD0iE8QgidIGZo6fMdsTMh
eFSfXWMj6xwi/ROS5OIh/PWcLGtCPFgUxuGHEi+KGuDrDS45ygy8fT5z+hl6E8WY
KHZ5F9jI/LSsSN+ySBKjZI2K35td7hayFW2rLawmpOnPZYhB5i6fyuX7BcBI9CDv
DTaY5onWRoWGlDzT2b8P9u4P7AiyFK7Ow4w9K6Kl4qI65N+wOyzk0dU10yt9ZksP
fbGPfqlzrk0+9JYvGZVWpRYa1Bxv/sEatUqxLt9iNlhy8OC+Nt3bPo8750QMvEIJ
MX7KTjb7VSLK62jSqc9FDseLK/iH9L2AWt2WCSIQJ6T5J0Duo/++RKY8GXGJMwI1
uIyd4XtSK1iTJED0nZ9z2C4jbrjj2iy+/A5Vu2o85Y8vZyiYOpyJZLx79xFYVRPR
ahnziVvw2YVlsiOYEcgO+TnI3HrTc/afYNDIUKwzeEeVPpNa+jddxeap+y2ni37p
oBIXfQqR307Zy3qAsi4/sbSX
-----END CERTIFICATE-----

主机证书是:

-----BEGIN CERTIFICATE-----
MIIGNjCCBB6gAwIBAgIRALyPo138h9hNmmY/HPCBccUwDQYJKoZIhvcNAQELBQAw
JTEjMCEGA1UEAwwaR0lGVEJVVFRPTiBJTlRFUk1FRElBVEUgQ0EwHhcNMjQxMjEz
MTkwMzQ0WhcNMzQxMjExMTkwMzQ0WjB3MQswCQYDVQQGEwJBVTEMMAoGA1UECAwD
TlNXMQ8wDQYDVQQHDAZTeWRuZXkxFTATBgNVBAoMDFByYWN0aWNlIFB0eTEZMBcG
A1UECwwQQ3VzdG9tZXIgU3VwcG9ydDEXMBUGA1UEAwwOZ2lmdGJ1dHRvbi5jb20w
ggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDX5iEqSbhvkiZ0E3NCU1Ms
YvlEw/t4Xjzdd4rhLHQsLXpiO3n8CZj+/DQrWwiy15JjWeboWkM8bxAvYZ3+1cY1
jUl1xYNZ0V0mEu3BZcJT4bgBF30twRcmmOwWLAtJPAsSRI228ddUDXl9/bVHooi7
ST4ekoaHIPa3hP/oX5ZNDQHaFj22YCy38/58oIfPtm8mP24TA/xc8rIxFixUpp2n
o8iuQdpM1ncX3i0SKhugMni+jLhXTzM7dF16K1aq0WvMdx8/MxyjtXxCWnrSFGV2
lNQFScRn6VyZT81w9VAVoKJkUU+qsaKad2pw3243Batsq1mFsF5yo8spdbkapvuM
SVbJm47fCWeHK625tI/zpv7ql2hBy+YLvyKEG1Ci1A146p2+ClVQtxcIg17ry18G
/XMgtyyf3ABWfTTQxAcA4uzlPS4xkMpRUfCQfvYWwh7gCL4nj6+Wk63xJvOaHvWI
ttcPCZYkjCGf+5w+7zHoX7r4cSCBar8cJN02ZPyPPey9PrUswi8iz1nxsxgh1Qdt
SLwSkofEyVMcbrl7/7WCyZBt0q20BjcCc4S++s7RrXlwunxXumxkcP2nik4rFReU
P2VpNENfxT7HkrQIwbZCAlYxaco/OmmF9Oqz5EfVdvz10Rm0woZlcs49NdcZEkLC
NLG92kcL8booGaneX1wGEQIDAQABo4IBDTCCAQkwCQYDVR0TBAIwADARBglghkgB
hvhCAQEEBAMCBkAwSQYJYIZIAYb4QgENBDwWOlNlbGYtU2lnbmVkIENlcnRpZmlj
YXRlIGdlbmVyYXRlZCBieSBPcGVuU1NMIChtaWQtY2EuY29uZikwHQYDVR0OBBYE
FP65D6HnLkAfJZ5vdJEecVfB2gIrMFAGA1UdIwRJMEeAFOr7YkD5s8FyqtIO2uRg
KHSEUIQmoRykGjAYMRYwFAYDVQQDDA1HSUZUQlVUVE9OIENBghEA3kMXrQY7yHlW
ZY9Yb/TuPDAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsG
AQUFBwMCMA0GCSqGSIb3DQEBCwUAA4ICAQBtaH73uOIp/zXxMeZrFNPINnh80Z60
kBInqtdVd8LBKgdJCiXu0uVlh+1Do4xszQi7YtJUgUgLckdueXOq9DUHvOXNXfLB
ByCsqDrYMd5+imckwLDYjARMT/Ih9GbFNUEYbtym5k/pHxKJahLEWSUKeLKXCnNT
yHYAXqbzxapltQekG1+OofU9wGXQVxBRg65NPaCyfOFldPWeh38kKw8A49kQwc5T
x29oxcECHiqxz4RwvxKYlamoG/d0njlK3y3aAxMou31YhON9EltMEnGVM+awzfcn
cr5xUSRK0MPYwwqiSUZySSpyC+bA/1rx1Bd2t8Oohnqe9ZzznJS5qhHuza3ngGzo
dFp4CMe+yHbaLTSF4I8zxSh8qd0QCtmnIz0UdZ4IMegqHGfH3OsRdLjBhbfaYw2H
De7s/+34LASGKV9jABYIT8jYQS9QHMBocqa/xnYKuIJ/mCl2g2nXx3Zf+AiEP965
JFUIu/6syKmzb8vygEYkQCEW/z45UcQdmH6KFwHQ5FB15b/zN/0z3l/rQXJ9zel/
y0sAEd/wZ+7z2ry2SUeMVFf1hejutZ5AD9u+q3MMZ8REqGM+r7tg9uSkKs0lf1wP
bH9nU1oXBrNQPqMzkEvwObIJEPP/AwuT6R73LbfEBXXLiDxhouYQUIb2oIKg0iHr
yeC0jEePh5kYWw==
-----END CERTIFICATE----

非常感谢您对导致该问题的原因的任何想法!

mongodb

1 个回答

  1. Best Answer

    以下是生成证书的配置文件和命令:

    # root-ca.conf
[req]
distinguished_name = req_distinguished_name
prompt = no
[req_distinguished_name]
C = AU
O = giftbutton
OU = My Division
CN = Root CA
[v3_ca]
keyUsage = critical, keyCertSign, cRLSign
basicConstraints = critical, CA:true
subjectKeyIdentifier = hash


# intermediate-ca.conf
[req]
distinguished_name = req_distinguished_name
prompt = no
[req_distinguished_name]
C = AU
O = giftbutton
OU = My Division
CN = Intermediate CA
[v3_ca]
keyUsage = critical, keyCertSign, cRLSign
basicConstraints = critical, CA:true
subjectKeyIdentifier = hash


# server.conf
[req]
distinguished_name = req_distinguished_name
prompt = no
[req_distinguished_name]
C = AU
O = giftbutton
OU = My Division
CN = Mongo Server
[v3_ca]
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = giftbutton.com


# client.conf
[req]
distinguished_name = req_distinguished_name
prompt = no
[req_distinguished_name]
C = AU
O = giftbutton
OU = My Division
CN = Mongo Client
[v3_ca]
keyUsage = digitalSignature
extendedKeyUsage = clientAuth

    许多教程使用 生成公钥/私钥openssl genrsa ...。当您仅将密钥用于一个证书时,使用证书 (选项 ) 自动创建密钥会更容易-newkey 4096。这样可以少一个命令。

    通常,当您需要证书时,您会创建证书请求并将其发送给拥有 CA 的个人/部门。他们会接收您的证书请求,使用其 CA 对其进行签名,然后将签名的证书返回给您。如果您是 CA 的所有者,则无需执行此步骤。您可以使用单个命令创建和签名证书请求。这样就少了一个命令。

    看起来您喜欢使用服务器和客户端证书以及中间 CA。因此,最终通过 4 条命令创建了 4 个证书:

    openssl req -config root-ca.conf -newkey 4096 -keyout root-ca.key -noenc -new -x509 -days 3650 -sha256 -copy_extensions copyall -extensions v3_ca -out root-ca.crt

openssl req -config intermediate-ca.conf -newkey 4096 -keyout intermediate-ca.key -noenc -new -x509 -days 3650 -CA root-ca.crt -CAkey root-ca.key -sha256 -copy_extensions copyall -extensions v3_ca -out intermediate-ca.crt

openssl req -config server.conf -newkey 4096 -keyout server.key -noenc -new -x509 -days 3650 -CA intermediate-ca.crt -CAkey intermediate-ca.key -sha256 -copy_extensions copyall -extensions v3_ca -out server.crt

openssl req -config client.conf -newkey 4096 -keyout client.key -noenc -new -x509 -days 3650 -CA intermediate-ca.crt -CAkey intermediate-ca.key -sha256 -copy_extensions copyall -extensions v3_ca -out client.crt

    除了配置文件,您还可以将所有参数放在命令行中。因此,也许-config client.conf可以使用它-subj "C=AU/O=giftbutton/OU=My\ Division/CN=Mongo\ Client" -addext "keyUsage=critical/keyCertSign/cRLSign" -addext "basicConstraints=critical,CA:true" -addext "subjectKeyIdentifier=hash"- 但我没有测试!

    为了使用它们,您必须将它们合并到文件中:

    cat intermediate-ca.crt root-ca.crt > ca-chain.crt
cat client.crt client.key > client.pem
cat server.crt server.key > server.pem

    然后它们就可以使用了。在服务器端使用

    net:
  port: 27017
  bindIpAll: true
  tls:
    mode: requireTLS
    certificateKeyFile: server.pem
    CAFile: ca-chain.crt

    在 Compass 中,使用如下连接字符串:

    mongodb://user:[email protected]:27017/?authSource=admin&tls=true&tlsCertificateKeyFile=client.pem&tlsCAFile=ca-chain.crt

    笔记:

    下载最新版本的 openssl(版本 3.4)。旧版本-copy_extensions copyall不支持该选项,您需要将该[v3_ca]部分放入扩展配置文件中,然后使用 加载此文件-extensions v3_ca -extfile ...

    正如前面提到的,我建议下载并安装XCA。它使用起来非常简单,您可以通过简单的复制/粘贴或拖放导入现有(工作)证书。然后您可以检查属性,并根据需要创建类似的证书或请求,并可以以您想要的任何格式导出它们。它确实是了解 x.509 证书秘密的有用工具。

    在此处输入图片描述

    • 1

相关问题