sink1
April 8, 2024, 8:25am
1
Hi Everybody,
Would somebody mind offering some advice on configuring datagerry with Mongodb over TLS?
I have got a self-signed certificate in my mongodb instance.
# mongosh --tls "mongodb://localhost:27017/datagerry" --username datagser --tlsAllowInvalidCertificates
Enter password: ********************
Current Mongosh Log ID: 660d2312f79ea1a790783504
Connecting to: mongodb://localhost:27017/datagerry?directConnection=true&serverSelectionTimeoutMS=2000
Using MongoDB: 7.0.7
Using Mongosh: 1.1.6
For mongosh info see: https://docs.mongodb.com/mongodb-shell/
datagerry>
How should I configure Datagerry to use TLS to mongodb with a self-signed certificate?
e.g. should I put the CA somewhere for Datagerry to access it, or is there a parameter or switch similar to mongodb's --tlsAllowInvalidCertificates?
Many thanks and regards, S.
sink1
April 15, 2024, 11:07am
2
This might be a starting point:
$ cat /etc/datagerry/cmdb.conf
[Database]
host = tkdb2837.e.local
port = 27017
database_name = cmdb
username = datagerry_user
password = redacted.
tls = true
tlsCAFile=/etc/pki/tls/certs/cmdb-e.local.cer
tlsCertificateKeyFile=/etc/pki/tls/private/cmdb-e.local.key
…
sink1
April 29, 2024, 11:48am
3
Got this for the database:
Apr 29 11:58:38 cmdb1 datagerry[66092]: [2024-04-29 11:48:38][CRITICAL] --- CMDBError: Private key doesn't match certificate: [SSL] PEM lib (_ssl.c:4044) (__main__.py)
Are the PKI values meant to be the cer/key for the datagerry server, or the cer/key of the mongodb database server?
[Database]
host = cmdb1db.x.y
port = 27017
database_name = cmdb
username = datagerry_user
password = abcabcabc
tls = true
tlsCAFile=/etc/pki/tls/certs/cmdb1.cer
tlsCertificateKeyFile=cmdb1.key
sink1
April 29, 2024, 5:38pm
4
I changed the cmdb.conf settings to:
[Database]
host = cmdb1db.x.y
port = 27017
database_name = cmdb
username = datagerry_user
password = abcabcabc
tls = true
And got what looks like a complaint about a self-signed certificate:
[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate
datagerry[34642]: [2024-04-29 18:22:07][CRITICAL] --- DatabaseConnectionError: Could not connect to database cmdb1db.x.y:27017: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate (_ssl.c:1129) (configured timeouts: socketTimeoutMS: 20000.0ms, connectTimeoutMS: 20000.0ms), Timeout: 30s, Topology Description: <TopologyDescription id: 662fd9f209179d27a5a3b366, topology_type: Unknown, servers: [<ServerDescription ('cmdb1db.x.y', 27017) server_type: Unknown, rtt: None, error=AutoReconnect('cmdb1db.x.y:27017: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate (_ssl.c:1129) (configured timeouts: socketTimeoutMS: 20000.0ms, connectTimeoutMS: 20000.0ms)')>]> (__main__.py)
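Two things can be checked before touching cmdb.conf again, as an added example that is not DATAGERRY's own code (it assumes the openssl CLI and builds a throwaway CA for itself): the key handed over as tlsCertificateKeyFile must be the private key behind that same certificate (otherwise the PEM lib error above), and tlsCAFile must name the CA that signed the MongoDB server's certificate (otherwise CERTIFICATE_VERIFY_FAILED on a self-signed chain).

```shell
#!/bin/sh
# Added diagnostic for the two TLS failures in this thread. Assumes the openssl CLI.
# All certificates and keys below are constructed on the fly in a temp directory.

# Returns 0 when the private key in $2 is the one behind the certificate in $1.
# The public key is extracted from both sides and compared byte for byte.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# Returns 0 when the certificate in $2 chains to the CA in $1, i.e. when $1 is
# the file that belongs in tlsCAFile for a server presenting $2.
cert_trusted_by_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Constructed PKI: a private CA, a server cert it signs, and an unrelated key.
make_demo_pki() {
    d="$1"
    mkdir -p "$d"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-ca" \
        -keyout "$d/ca.key" -out "$d/ca.cer" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=cmdb1db.example" \
        -keyout "$d/server.key" -out "$d/server.csr" >/dev/null 2>&1
    openssl x509 -req -in "$d/server.csr" -CA "$d/ca.cer" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/server.cer" >/dev/null 2>&1
    openssl genrsa -out "$d/other.key" 2048 >/dev/null 2>&1
}

# Stand-alone run: reproduce the matching pair, the mismatched pair, and the chain check.
demo_dir=$(mktemp -d)
make_demo_pki "$demo_dir"
key_matches_cert "$demo_dir/server.cer" "$demo_dir/server.key" \
    && echo "server.cer + server.key: pair matches"
key_matches_cert "$demo_dir/server.cer" "$demo_dir/other.key" \
    || echo "server.cer + other.key: private key doesn't match certificate"
cert_trusted_by_ca "$demo_dir/ca.cer" "$demo_dir/server.cer" \
    && echo "server.cer chains to ca.cer: ca.cer is what tlsCAFile should point at"
cert_trusted_by_ca "$demo_dir/server.cer" "$demo_dir/server.cer" \
    || echo "server.cer alone does not verify: the CA is missing"
rm -rf "$demo_dir"
```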
sink1
April 30, 2024, 9:17am
5
Have given up on TLS for the time being. Shall look into this again once I have got datagerry working.
Hi @sink1,
Currently there are issues with self-signed certificates and DATAGERRY; we will have a deep dive into this topic in one of our upcoming releases.
BR Adnan
sink1
May 7, 2024, 8:03am
7
Hi,
Are SSL certificates issued by a CA supported and working with Datagerry?
Hi @sink1,
You can try to set up your SSL certificate as mentioned in the documentation for “setup via docker”.
https://datagerry.readthedocs.io/en/latest/admin_guide/setup.html#setup-via-docker-image
If you have any issues, please let us know.
BR Adnan
sink1
May 8, 2024, 7:54am
9
Hi,
We do not use Docker. Each service is on a separate VM in a different VLAN.
You have referenced a page about Nginx. This is not my question.
The SSL certificates are for these connections:
Datagerry → Mongodb
Datagerry → RabbitMQ
Hi,
SSL/TLS for the stated routes is currently not implemented in DATAGERRY:
Datagerry → Mongodb
Datagerry → RabbitMQ
BR Adnan
sink1
May 8, 2024, 9:03am
11
SSL is a requirement for compliance.
Have you got a roadmap for this implementation?
We already have several features planned for this year. After the next release we will discuss the topics you mentioned as a team.
BR Adnan
sink1
May 14, 2024, 7:19am
13
Hi Adnan,
Good news. I look forward to some positive feedback after the next release.
When is the next release?
The next release is planned to go live sometime in the next month.
BR Adnan