Advice sought on configuring Data Gerry with Mongodb over TLS with self-signed CA

Hi Everybody,

Would somebody mind offering some advice on configuring datagerry with Mongodb over TLS?

I have got a self-signed certificate in my mongodb instance.

# mongosh --tls "mongodb://localhost:27017/datagerry" --username datagser --tlsAllowInvalidCertificates
Enter password: ********************
Current Mongosh Log ID: 660d2312f79ea1a790783504
Connecting to:          mongodb://localhost:27017/datagerry?directConnection=true&serverSelectionTimeoutMS=2000
Using MongoDB:          7.0.7
Using Mongosh:          1.1.6
For mongosh info see: https://docs.mongodb.com/mongodb-shell/
datagerry>

How should I configure Datagerry to use TLS to mongodb with a self-signed certificate?

e.g. Should I put the CA somewhere for Datagerry to access it, or is there a parameter or switch that is similar to mongodb’s --tlsAllowInvalidCertificates?

Many thanks and regards, S.

This might be a starting point:

$ cat /etc/datagerry/cmdb.conf
[Database]
host = tkdb2837.e.local
port = 27017
database_name = cmdb
username = datagerry_user
password = redacted.
tls = true
tlsCAFile=/etc/pki/tls/certs/cmdb-e.local.cer
tlsCertificateKeyFile=/etc/pki/tls/private/cmdb-e.local.key

Got this for the database:

Apr 29 11:58:38 cmdb1 datagerry[66092]: [2024-04-29 11:48:38][CRITICAL] --- CMDBError: Private key doesn't match certificate: [SSL] PEM lib (_ssl.c:4044) (__main__.py)

Are the PKI values meant to be the cer/key for the datagerry server, or the cer/key of the mongodb database server?

[Database]
host = cmdb1db.x.y
port = 27017
database_name = cmdb
username = datagerry_user
password = abcabcabc
tls = true
tlsCAFile=/etc/pki/tls/certs/cmdb1.cer
tlsCertificateKeyFile=cmdb1.key

I changed the cmdb.conf settings to:

[Database]
host = cmdb1db.x.y
port = 27017
database_name = cmdb
username = datagerry_user
password = abcabcabc
tls = true

And got what looks like a complaint about a self-signed certificate:

[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate

datagerry[34642]: [2024-04-29 18:22:07][CRITICAL] --- DatabaseConnectionError: Could not connect to database cmdb1db.x.y:27017: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate (_ssl.c:1129) (configured timeouts: socketTimeoutMS: 20000.0ms, connectTimeoutMS: 20000.0ms), Timeout: 30s, Topology Description: <TopologyDescription id: 662fd9f209179d27a5a3b366, topology_type: Unknown, servers: [<ServerDescription ('cmdb1db.x.y', 27017) server_type: Unknown, rtt: None, error=AutoReconnect('cmdb1db.x.y:27017: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate (_ssl.c:1129) (configured timeouts: socketTimeoutMS: 20000.0ms, connectTimeoutMS: 20000.0ms)')>]> (__main__.py)

Have given up on TLS for the time being. Shall look into this again once I have got datagerry working.
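A quick offline check for the two failures above, as an added example that is not part of the thread or of the DATAGERRY project: it reads the [Database] section of cmdb.conf and reports whether the PEM files it points at have the layout the MongoDB driver expects. It assumes DATAGERRY hands tlsCAFile and tlsCertificateKeyFile straight to pymongo (the "PEM lib" message above is pymongo's), where tlsCAFile is the CA that issued the MongoDB server certificate and tlsCertificateKeyFile is the DATAGERRY client's own certificate and private key in a single file, needed only when the server demands client certificates.

```python
import configparser
import ssl
import tempfile
from pathlib import Path

def pem_labels(path: Path) -> set[str]:
    """PEM block labels in a file, e.g. {'CERTIFICATE', 'PRIVATE KEY'}."""
    return {ln[11:-5].strip() for ln in path.read_text(errors="replace").splitlines()
            if ln.startswith("-----BEGIN ") and ln.endswith("-----")}

def check_database_tls(conf_path: Path) -> list[str]:
    """Explain why pymongo would reject these settings; an empty list means consistent."""
    cfg = configparser.ConfigParser()
    cfg.read(conf_path)
    db = cfg["Database"]                      # option names are case-insensitive
    if not db.getboolean("tls", fallback=False):
        return ["tls is not enabled: the MongoDB connection is cleartext"]
    findings, ca, ckf = [], db.get("tlsCAFile"), db.get("tlsCertificateKeyFile")
    if not ca:    # second attempt in the thread: self-signed server cert, no CA given
        findings.append("no tlsCAFile: only the system trust store is consulted, so a "
                        "self-signed MongoDB certificate fails with CERTIFICATE_VERIFY_FAILED")
    elif not Path(ca).is_file() or "CERTIFICATE" not in pem_labels(Path(ca)):
        findings.append(f"tlsCAFile {ca} is missing or holds no PEM certificate")
    if ckf and not Path(ckf).is_file():
        findings.append(f"tlsCertificateKeyFile {ckf} not found (a relative path resolves "
                        "against the service's working directory)")
    elif ckf:     # first attempt in the thread: the .key file on its own
        labels = pem_labels(Path(ckf))
        if "CERTIFICATE" not in labels or not any(l.endswith("PRIVATE KEY") for l in labels):
            findings.append("tlsCertificateKeyFile must hold the client certificate AND its key in "
                            "one PEM file; a key-only file fails with 'Private key doesn't match "
                            "certificate: [SSL] PEM lib'")
    if not findings:  # layout looks right: let OpenSSL parse the real files
        try:
            ctx = ssl.create_default_context(cafile=ca)
            ckf and ctx.load_cert_chain(certfile=ckf)
        except OSError as exc:                # ssl.SSLError is a subclass of OSError
            findings.append(f"OpenSSL rejected the PEM files: {exc}")
    return findings

def demo() -> dict[str, list[str]]:
    # Replay the thread's two attempts with constructed, non-functional PEM stubs.
    d = Path(tempfile.mkdtemp())
    (d / "ca.cer").write_text("-----BEGIN CERTIFICATE-----\nstub\n-----END CERTIFICATE-----\n")
    (d / "cmdb1.key").write_text("-----BEGIN PRIVATE KEY-----\nstub\n-----END PRIVATE KEY-----\n")
    base = ("[Database]\nhost = cmdb1db.x.y\nport = 27017\ndatabase_name = cmdb\n"
            "username = datagerry_user\npassword = abcabcabc\ntls = true\n")
    (d / "a.conf").write_text(base + f"tlsCAFile={d / 'ca.cer'}\ntlsCertificateKeyFile={d / 'cmdb1.key'}\n")
    (d / "b.conf").write_text(base)
    return {"key_only": check_database_tls(d / "a.conf"), "no_ca": check_database_tls(d / "b.conf")}
```

Run it against the real /etc/datagerry/cmdb.conf (as the datagerry service user, so file permissions are also exercised) before restarting the service.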

Hi @sink1,
Currently there are issues with self-signed certificates and DATAGERRY; we will have a deep dive into this topic in one of our upcoming releases.

BR Adnan

Hi,

Are SSL certificates issued by a CA supported and working with Datagerry?

Hi @sink1,
you can try to set up your SSL certificate as mentioned in the documentation for “setup via docker”.

https://datagerry.readthedocs.io/en/latest/admin_guide/setup.html#setup-via-docker-image

If you have any issues, please let us know.

BR Adnan

Hi,

We do not use Docker. Each service is on a separate VM in a different VLAN.

You have referenced a page about Nginx. This is not my question.

The SSL certificates are for these connections:

Datagerry → Mongodb

Datagerry → RabbitMQ

Hi,
SSL/TLS for the stated routes is currently not implemented in DATAGERRY:

Datagerry → Mongodb
Datagerry → RabbitMQ

BR Adnan

SSL is a requirement for compliance.

Have you got a roadmap for this implementation?

We already have several features planned for this year. After the next release we will discuss the topics you mentioned within the team.

BR Adnan

Hi Adnan,

Good news. I look forward to some positive feedback after the next release.

When is the next release?

The next release is planned to go live sometime in the next month.

BR Adnan