如何使用 SSL 从节点 js 连接到 mongodb 副本集

【问题标题】:How to connect from node js to mongodb replica set using SSL如何使用 SSL 从节点 js 连接到 mongodb 副本集
【发布时间】:2017-01-26 15:45:27
【问题描述】:

我正在尝试连接到设置为使用 SSL 对客户端进行身份验证的 mongodb 副本集。我可以使用 mongo shell 进行连接,但由于某种原因无法使用相同的键从 node.js 进行连接。
我正在使用 mongodb 版本 3.2.6 和 node.js 驱动程序版本 2.1.18,在 mac 上运行。

我关注了this article,并且能够通过运行附加的脚本在我的本地机器上设置一个集群:

# Prerequisites:
#   a. Make sure you have MongoDB Enterprise installed. 
#   b. Make sure mongod/mongo are in the executable path
#   c. Make sure no mongod running on 27017 port, or change the port below
#   d. Run this script in a clean directory

##### Feel free to change following section values ####
# Changing this to include: country, province, city, company
dn_prefix="/C=CN/ST=GD/L=Shenzhen/O=MongoDB China"
ou_member="MyServers"
ou_client="MyClients"
mongodb_server_hosts=( "server1" "server2" "server3" )
mongodb_client_hosts=( "client1" "client2" )
mongodb_port=27017


# make a subdirectory for mongodb cluster
kill $(ps -ef | grep mongod | grep set509 | awk '{print $2}')
#rm -Rf db/*
mkdir -p db

echo "##### STEP 1: Generate root CA "
openssl genrsa -out root-ca.key 2048
# !!! In production you will want to use -aes256 to password protect the keys
# openssl genrsa -aes256 -out root-ca.key 2048

openssl req -new -x509 -days 3650 -key root-ca.key -out root-ca.crt -subj "$dn_prefix/CN=ROOTCA"

mkdir -p RootCA/ca.db.certs
echo "01" >> RootCA/ca.db.serial
touch RootCA/ca.db.index
echo $RANDOM >> RootCA/ca.db.rand
mv root-ca* RootCA/

echo "##### STEP 2: Create CA config"
# Generate CA config
cat >> root-ca.cfg <<EOF
[ RootCA ]
dir             = ./RootCA
certs           = \$dir/ca.db.certs
database        = \$dir/ca.db.index
new_certs_dir   = \$dir/ca.db.certs
certificate     = \$dir/root-ca.crt
serial          = \$dir/ca.db.serial
private_key     = \$dir/root-ca.key
RANDFILE        = \$dir/ca.db.rand
default_md      = sha256
default_days    = 365
default_crl_days= 30
email_in_dn     = no
unique_subject  = no
policy          = policy_match

[ SigningCA ]
dir             = ./SigningCA
certs           = \$dir/ca.db.certs
database        = \$dir/ca.db.index
new_certs_dir   = \$dir/ca.db.certs
certificate     = \$dir/signing-ca.crt
serial          = \$dir/ca.db.serial
private_key     = \$dir/signing-ca.key
RANDFILE        = \$dir/ca.db.rand
default_md      = sha256
default_days    = 365
default_crl_days= 30
email_in_dn     = no
unique_subject  = no
policy          = policy_match

[ policy_match ]
countryName     = match
stateOrProvinceName = match
localityName            = match
organizationName    = match
organizationalUnitName  = optional
commonName      = supplied
emailAddress        = optional

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment

[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
basicConstraints = CA:true
EOF

echo "##### STEP 3: Generate signing key"
# We do not use root key to sign certificate, instead we generate a signing key
openssl genrsa -out signing-ca.key 2048
# !!! In production you will want to use -aes256 to password protect the keys
# openssl genrsa -aes256 -out signing-ca.key 2048

openssl req -new -days 1460 -key signing-ca.key -out signing-ca.csr -subj "$dn_prefix/CN=CA-SIGNER"
openssl ca -batch -name RootCA -config root-ca.cfg -extensions v3_ca -out signing-ca.crt -infiles signing-ca.csr 

mkdir -p SigningCA/ca.db.certs
echo "01" >> SigningCA/ca.db.serial
touch SigningCA/ca.db.index
# Should use a better source of random here..
echo $RANDOM >> SigningCA/ca.db.rand
mv signing-ca* SigningCA/

# Create root-ca.pem
cat RootCA/root-ca.crt SigningCA/signing-ca.crt > root-ca.pem



echo "##### STEP 4: Create server certificates"
# Now create & sign keys for each mongod server 
# Pay attention to the OU part of the subject in "openssl req" command
# You may want to use FQDNs instead of short hostname
for host in "${mongodb_server_hosts[@]}"; do
    echo "Generating key for $host"
    openssl genrsa  -out ${host}.key 2048
    openssl req -new -days 365 -key ${host}.key -out ${host}.csr -subj "$dn_prefix/OU=$ou_member/CN=${host}"
    openssl ca -batch -name SigningCA -config root-ca.cfg -out ${host}.crt -infiles ${host}.csr
    cat ${host}.crt ${host}.key > ${host}.pem   
done 

echo "##### STEP 5: Create client certificates"
# Now create & sign keys for each client
# Pay attention to the OU part of the subject in "openssl req" command
for host in "${mongodb_client_hosts[@]}"; do
    echo "Generating key for $host"
    openssl genrsa  -out ${host}.key 2048
    openssl req -new -days 365 -key ${host}.key -out ${host}.csr -subj "$dn_prefix/OU=$ou_client/CN=${host}"
    openssl ca -batch -name SigningCA -config root-ca.cfg -out ${host}.crt -infiles ${host}.csr
    cat ${host}.crt ${host}.key > ${host}.pem
done 

echo ""
echo "##### STEP 6: Start up replicaset in non-auth mode"
mport=$mongodb_port
for host in "${mongodb_server_hosts[@]}"; do
    echo "Starting server $host in non-auth mode"   
    mkdir -p ./db/${host}
    mongod --replSet set509 --port $mport --dbpath ./db/$host \
        --fork --logpath ./db/${host}.log       
    let "mport++"
done 
sleep 3
# obtain the subject from the client key:
client_subject=`openssl x509 -in ${mongodb_client_hosts[0]}.pem -inform PEM -subject -nameopt RFC2253 | grep subject | awk '{sub("subject= ",""); print}'`

echo "##### STEP 7: setup replicaset & initial user role\n"
myhostname=`hostname`
cat > setup_auth.js <<EOF
rs.initiate();
mport=$mongodb_port;
mport++;
rs.add("$myhostname:" + mport);
mport++;
rs.add("$myhostname:" + mport);
sleep(5000);
db.getSiblingDB("\$external").runCommand(
    {
        createUser: "$client_subject",
        roles: [
             { role: "readWrite", db: 'test' },
             { role: "userAdminAnyDatabase", db: "admin" },
             { role: "clusterAdmin", db:"admin"}
           ],
        writeConcern: { w: "majority" , wtimeout: 5000 }
    }
);
EOF
cat setup_auth.js
mongo localhost:$mongodb_port setup_auth.js 
kill $(ps -ef | grep mongod | grep set509 | awk '{print $2}')
sleep 3

echo "##### STEP 8: Restart replicaset in x.509 mode\n"
mport=$mongodb_port
for host in "${mongodb_server_hosts[@]}"; do
    echo "Starting server $host"    
    mongod --replSet set509 --port $mport --dbpath ./db/$host \
        --sslMode requireSSL --clusterAuthMode x509 --sslCAFile root-ca.pem \
        --sslAllowInvalidHostnames --fork --logpath ./db/${host}.log \
        --sslPEMKeyFile ${host}.pem --sslClusterFile ${host}.pem
    let "mport++"
done 


# echo "##### STEP 9: Connecting to replicaset using certificate\n"
cat > do_login.js <<EOF
db.getSiblingDB("\$external").auth(
  {
    mechanism: "MONGODB-X509",
    user: "$client_subject"
  }
)
EOF

# mongo --ssl --sslPEMKeyFile client1.pem --sslCAFile root-ca.pem --sslAllowInvalidHostnames --shell do_login.js

运行集群后,我可以使用 mongo shell 使用此命令连接到它(所有密钥\证书都在 ./ssl 目录中生成):

mongo --ssl --sslPEMKeyFile ssl/client1.pem --sslCAFile ssl/root-ca.pem --sslAllowInvalidHostnames

并按如下方式进行身份验证:

db.getSiblingDB("$external").auth(
  {
    mechanism: "MONGODB-X509",
    user: "CN=client1,OU=MyClients,O=MongoDB China,L=Shenzhen,ST=GD,C=CN"
  }
)

当我尝试从 node.js 连接时,我一直失败。我正在运行以下代码以使用本机 mongo 驱动程序连接到 mongo:

'use strict';

const mongodb = require('mongodb');
const P = require('bluebird');
const fs = require('fs');

function connect_mongodb() {
    let user = 'CN=client1,OU=MyClients,O=MongoDB China,L=Shenzhen,ST=GD,C=CN';
    let uri = `mongodb://${encodeURIComponent(user)}@localhost:27017,localhost:27018,localhost:27019/test?replicaSet=set509&authMechanism=MONGODB-X509&ssl=true`;
    var ca = [fs.readFileSync("./ssl/root-ca.pem")];
    var cert = fs.readFileSync("./ssl/client1.pem");
    var key = fs.readFileSync("./ssl/client1.pem");
    let options = {
        promiseLibrary: P,
        server: {
            ssl: true,
            sslValidate: false,
            checkServerIdentity: false,
            sslCA: ca,
            sslKey: key,
            sslCert: cert,
        },
        replset: {
            sslValidate: false,
            checkServerIdentity: false,
            ssl: true,
            sslCA: ca,
            sslKey: key,
            sslCert: cert,
        }
    };
    return mongodb.MongoClient.connect(uri, options);
}

connect_mongodb();

运行脚本时出现以下错误:

Unhandled rejection MongoError: no valid seed servers in list

检查 mongodb 日志时,我看到以下错误:

2017-01-17T22:48:54.191+0200 I NETWORK  [initandlisten] connection accepted from 127.0.0.1:63881 #99 (5 connections now open)
2017-01-17T22:48:54.207+0200 E NETWORK  [conn99] no SSL certificate provided by peer; connection rejected
2017-01-17T22:48:54.207+0200 I NETWORK  [conn99] end connection 127.0.0.1:63881 (4 connections now open)

我尝试了不同的选项described here,但没有成功。

感谢您的帮助

【问题讨论】:

    标签: node.js mongodb ssl


    【解决方案1】:

    升级到mongodb node js driver 2.2.22 解决问题

    【讨论】:

      猜你喜欢
      • 1970-01-01
      • 1970-01-01
      • 2012-12-04
      • 2013-11-02
      • 1970-01-01
      • 2021-06-08
      • 1970-01-01
      • 1970-01-01
      • 1970-01-01
      相关资源
      最近更新 更多
      热门标签
      Java Python linux javascript Mysql C# Docker 算法 前端 SpringBoot Redis Vue spring 设计模式 .net core .net kubernetes c++ 数据库 数据结构 大数据 js 机器学习 微服务 Android Go 程序员 面试 JVM ASP.net core 云原生 人工智能 后端 PHP git CSS golang k8s Nginx Django mybatis 深度学习 多线程 React 架构 devops 爬虫 云计算 Spring Boot LeetCode