sink1
April 8, 2024, 8:25am
1
Hi Everybody,
Would somebody mind offering some advice on configuring datagerry with Mongodb over TLS?
I have got a self-signed certificate in my mongodb instance.
# mongosh --tls "mongodb://localhost:27017/datagerry" --username datagser --tlsAllowInvalidCertificates
Enter password: ********************
Current Mongosh Log ID: 660d2312f79ea1a790783504
Connecting to: mongodb://localhost:27017/datagerry?directConnection=true&serverSelectioutMS=2000
Using MongoDB: 7.0.7
Using Mongosh: 1.1.6
For mongosh info see: https://docs.mongodb.com/mongodb-shell/
datagerry>
How should I configure Datagerry to use TLS to mongodb with a self-signed certificate?
E.g., should I put the CA somewhere for Datagerry to access it, or is there a parameter or switch that is similar to mongodb’s --tlsAllowInvalidCertificates?
Many thanks and regards, S.
sink1
April 15, 2024, 11:07am
2
This might be a starting point:
$ cat /etc/datagerry/cmdb.conf
[Database]
host = tkdb2837.e.local
port = 27017
database_name = cmdb
username = datagerry_user
password = redacted.
tls = true
tlsCAFile=/etc/pki/tls/certs/cmdb-e.local.cer
tlsCertificateKeyFile=/etc/pki/tls/private/cmdb-e.local.key
…
sink1
April 29, 2024, 11:48am
3
Got this for the database:
Apr 29 11:58:38 cmdb1 datagerry[66092]: [2024-04-29 11:48:38][CRITICAL] --- CMDBError: Private key doesn't match certificate: [SSL] PEM lib (_ssl.c:4044) (__main__.py)
Are the PKI values meant to be the cer/key for the datagerry server, or the cer/key of the mongodb database server?
[Database]
host = cmdb1db.x.y
port = 27017
database_name = cmdb
username = datagerry_user
password = abcabcabc
tls = true
tlsCAFile=/etc/pki/tls/certs/cmdb1.cer
tlsCertificateKeyFile=cmdb1.key
sink1
April 29, 2024, 5:38pm
4
I changed the cmdb.conf settings to:
[Database]
host = cmdb1db.x.y
port = 27017
database_name = cmdb
username = datagerry_user
password = abcabcabc
tls = true
And got what looks like a complaint about a self-signed certificate:
[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate
datagerry[34642]: [2024-04-29 18:22:07][CRITICAL] --- DatabaseConnectionError: Could not connect to database cmdb1db.x.y:27017: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate (_ssl.c:1129) (configured timeouts: socketTimeoutMS: 20000.0ms, connectTimeoutMS: 20000.0ms), Timeout: 30s, Topology Description: <TopologyDescription id: 662fd9f209179d27a5a3b366, topology_type: Unknown, servers: [<ServerDescription ('cmdb1db.x.y', 27017) server_type: Unknown, rtt: None, error=AutoReconnect('cmdb1db.x.y:27017: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate (_ssl.c:1129) (configured timeouts: socketTimeoutMS: 20000.0ms, connectTimeoutMS: 20000.0ms)')>]> (__main__.py)
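Added example, not part of the thread and not DATAGERRY code: a lint for the [Database] settings shown in posts 3 and 4. It assumes the tls* keys carry PyMongo's meaning (tlsCAFile is the CA that signed the MongoDB server's certificate; tlsCertificateKeyFile is the client's certificate plus its private key in one PEM file). The function names and sample file contents are constructed for illustration.

```python
import configparser
import os
import re

PEM_LABEL = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----")

def pem_labels(text):
    """PEM block labels present in text (armor only, no crypto validation)."""
    return set(PEM_LABEL.findall(text))

def audit_database_tls(conf_text, read_file):
    """Lint [Database] TLS keys; read_file(path) -> str supplies file contents."""
    cp = configparser.ConfigParser(interpolation=None)  # passwords may hold '%'
    cp.optionxform = str  # keep the case of tlsCAFile / tlsCertificateKeyFile
    cp.read_string(conf_text)
    db = cp["Database"]
    if not db.getboolean("tls", fallback=False):
        return ["tls is off: the MongoDB connection is not encrypted"]
    findings = []
    ca = db.get("tlsCAFile")
    if not ca:
        findings.append("no tlsCAFile: only the system trust store is used, so a "
                        "self-signed server certificate gives CERTIFICATE_VERIFY_FAILED")
    elif "CERTIFICATE" not in pem_labels(read_file(ca)):
        findings.append(f"tlsCAFile {ca}: contains no CERTIFICATE block")
    ckf = db.get("tlsCertificateKeyFile")
    if ckf:
        if not os.path.isabs(ckf):
            findings.append(f"tlsCertificateKeyFile {ckf}: relative path, resolved "
                            "against the service's working directory")
        labels = pem_labels(read_file(ckf))
        if "CERTIFICATE" not in labels or not any(
                label.endswith("PRIVATE KEY") for label in labels):
            findings.append(f"tlsCertificateKeyFile {ckf}: must hold the client "
                            "certificate and its private key in one PEM file")
    return findings

# Constructed sample data: PEM armor with placeholder bodies, not real keys.
CERT = "-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n"
KEY = "-----BEGIN PRIVATE KEY-----\nAAAA\n-----END PRIVATE KEY-----\n"
FILES = {"/etc/pki/tls/certs/cmdb1.cer": CERT, "cmdb1.key": KEY}
BASE = "[Database]\nhost = cmdb1db.x.y\nport = 27017\ntls = true\n"
POST3 = BASE + "tlsCAFile=/etc/pki/tls/certs/cmdb1.cer\ntlsCertificateKeyFile=cmdb1.key\n"
POST4 = BASE  # tls = true with no CA file, as in the later post

if __name__ == "__main__":
    for name, conf in (("post 3", POST3), ("post 4", POST4)):
        for finding in audit_database_tls(conf, FILES.__getitem__):
            print(f"{name}: {finding}")
```

For real files, pass `lambda p: open(p).read()` as `read_file`; the check only inspects PEM armor, so a clean result does not prove the key matches the certificate.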
sink1
April 30, 2024, 9:17am
5
Have given up on TLS for the time being. Shall look into this again once I have got datagerry working.
Hi @sink1 ,
currently there are issues with self-signed certificates and DATAGERRY, we will have a deep dive into this topic in one of our upcoming releases.
BR Adnan
sink1
May 7, 2024, 8:03am
7
Hi,
Are SSL certificates issued by a CA supported and working with Datagerry?
Hi @sink1 ,
you can try to set up your SSL certificate as mentioned in the documentation for “setup via docker”.
https://datagerry.readthedocs.io/en/latest/admin_guide/setup.html#setup-via-docker-image
If you have any issues, please let us know.
BR Adnan
sink1
May 8, 2024, 7:54am
9
Hi,
We do not use Docker. Each service is on a separate VM in a different VLAN.
You have referenced a page about Nginx. This is not my question.
The SSL certificates are for these connections:
Datagerry → Mongodb
Datagerry → RabbitMQ
Hi,
SSL/TLS for the stated routes is currently not implemented in DATAGERRY:
Datagerry → Mongodb
Datagerry → RabbitMQ
BR Adnan
sink1
May 8, 2024, 9:03am
11
SSL is a requirement for compliance.
Have you got a roadmap for this implementation?
We already have several features planned for this year. After the next release we will discuss the topics you mentioned as a team.
BR Adnan
sink1
May 14, 2024, 7:19am
13
Hi Adnan,
Good news. I look forward to some positive feedback after the next release.
When is the next release?
The next release is planned to go live somewhere in the next month.
BR Adnan
1 Like
sink1
October 29, 2024, 10:01am
15
Hi Adnan,
Does the current release support connections from Datagerry to mongodb over self-signed TLS certificates?
We plan to run the mongoDb on different virtual machines.
TIA
sink1
November 26, 2024, 1:51pm
16
@adnan.smajic
Hi, have you got an update on user self-signed and normal TLS certificates on MongoDb with datagerry?
Hi @sink1 ,
we have not been able to look into it so far, since all our resources are now focused on the next release.
BR Adnan
sink1
November 27, 2024, 9:05am
18
Hi @adnan.smajic
I have got several mongodb servers set up to use with Datagerry from when we presumed it would work out of the box. We need to know whether it is worth our time leaving these servers running, or assigning the resources elsewhere.
Q1 : Have you got a roadmap for SSL connections to Mongodb?
Q2 : Did your development team discuss the signed and self-signed SSL issue?
I look forward to your prompt reply.
Many thanks.
Regards,
S.