Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Creating Replsets,Database and Users with TLS #763

Open
svbroeker opened this issue May 24, 2024 · 3 comments
Open

Creating Replsets,Database and Users with TLS #763

svbroeker opened this issue May 24, 2024 · 3 comments

Comments

@svbroeker
Copy link

svbroeker commented May 24, 2024
edited
Loading

I've discoverd a problem with creating replicasets, databases and users when TLS is enabled and the certificates doesn't include 127.0.0.1 as name.
The mongosh command is using 127.0.0.1 as host to connect but this is not working because the connection via tls doesn't work because the 127.0.0.1 isn't in.

This happens because the listening IPs are used for connections here:

puppet-mongodb/lib/puppet/provider/mongodb.rb

Line 85 in f1affe4

def self.conn_string
this works for nonTLS setups fine but with TLS it may break sometimes.

I think a solution can be that you can define the host for the mongosh to connect to mongodb. In my case it would help that he uses the fqdn to connect.

Error: /Stage[main]/Mongodb::Replset/Mongodb_replset[mongodb-standalone-cm12-dev]: Could not evaluate: Can't connect to any member of replicaset mongodb-standalone-cm12-dev. Error: Could not prefetch mongodb_database provider 'mongodb': Execution of '/usr/bin/mongosh admin --quiet --host 127.0.0.1:27017 --tls --tlsCertificateKeyFile /etc/ssl/mongo/server.pem --eval db.isMaster().ismaster' returned 1: MongoServerSelectionError: Hostname/IP does not match certificate's altnames: IP: 127.0.0.1 is not in the cert's list:
I've now made the work around to set allowInvalidHostnames: true but thats not a good way to handle this.
@svbroeker
Copy link
Author

svbroeker commented May 24, 2024
edited
Loading

I've an idea to fix this issue but i dont have the experience to know if that works for all cases.

  def self.conn_string
    config = mongo_conf
    bindip = config.fetch('bindip')
    if bindip
      first_ip_in_list = bindip.split(',').first
      ip_real = case first_ip_in_list
                when '0.0.0.0'
                  Facter.value(:fqdn)
                when %r{\[?::0\]?}
                  '::1'
                else
                  first_ip_in_list
                end
    end

@stevenpost
Copy link
Contributor

Isn't this going to be an issue when auth is enabled, as the initial setup needs to happen using localhost? That was the reason I changed the code to how it is now.

@stevenpost
Copy link
Contributor

FWIW, my script to create the certificates adds 127.0.0.1 for this reason. So not sure how to get around this.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@stevenpost @svbroeker