Mongodb Mongo Gandi SSL证书不受信任
我在MongoDB上遇到了使用SSL模式的问题。 当我尝试连接我的数据库时,出现了此错误Mongodb Mongo Gandi SSL证书不受信任,mongodb,ssl,trusted,Mongodb,Ssl,Trusted,我在MongoDB上遇到了使用SSL模式的问题。 当我尝试连接我的数据库时,出现了此错误 mongo --ssl --sslCAFile /etc/ssl/certs/GandiStandardSSLCA2.pem --host plip.plop.com MongoDB shell version: 3.0.6 connecting to: plip.plop.com:27017/test 2015-10-16T10:24:23.122+0000 E NETWORK SSL peer c
mongo --ssl --sslCAFile /etc/ssl/certs/GandiStandardSSLCA2.pem --host plip.plop.com
MongoDB shell version: 3.0.6
connecting to: plip.plop.com:27017/test
2015-10-16T10:24:23.122+0000 E NETWORK SSL peer certificate validation failed:certificate not trusted
2015-10-16T10:24:23.126+0000 E QUERY Error: socket exception [CONNECT_ERROR] for
at connect (src/mongo/shell/mongo.js:181:14)
at (connect):1:6 at src/mongo/shell/mongo.js:181
我的服务器响应:
2015-10-16T10:26:53.034+0000 I NETWORK [initandlisten] connection accepted from 172.17.0.227:48786 #1 (1 connection now open)
2015-10-16T10:26:53.046+0000 W NETWORK [conn1] no SSL certificate provided by peer
2015-10-16T10:26:53.046+0000 I NETWORK [conn1] end connection 172.17.0.227:48786 (0 connections now open)
(如果我使用标志--sslAllowInvalidCertificates
,In可以连接到我的数据库)
那么现在,我如何做到这一点: 我已使用以下代码添加SSL证书:
cp wildcart.plop.com.crt /etc/ssl/certs/wildcart.plop.com.crt
cp wildcart.plop.com.key /etc/ssl/private/wildcart.plop.com.key
cp GandiStandardSSLCA2.pem /usr/local/share/ca-certificates/gandi.net /GandiStandardSSLCA2.crt # come from https://wiki.gandi.net/en/ssl/intermediate
cat /etc/ssl/private/wildcart.plop.com.key /etc/ssl/certs/wildcart.plop.com.crt > /etc/ssl/certs/mongodb.pem
rm /etc/ssl/private/wildcart.plop.com.key /etc/ssl/certs/wildcart.plop.com.crt
update-ca-certificates
c_rehash
我的mongodb是从这行开始的mongod--replSet plop--config/etc/mongodb/mongod
/etc/mongodb/mongod
内容:
net:
ssl:
mode: requireSSL
PEMKeyFile: /etc/ssl/certs/mongodb.pem
CAFile: /etc/ssl/certs/GandiStandardSSLCA2.pem
allowConnectionsWithoutCertificates: true
你能帮我解决这个问题吗?我不明白为什么我的证书不可信。 你对此有什么想法吗 提前感谢你的帮助
PS:对不起,我的英语不太流利:DMongodb不使用系统的全局信任存储 SSLCA文件必须包含验证链的所有中间证书 在我的例子中,证书链如下所示:
Certificate chain
0 s:/OU=Domain Control Validated/OU=Gandi Standard Wildcard SSL/CN=*.plop.com
i:/C=FR/ST=Paris/L=Paris/O=Gandi/CN=Gandi Standard SSL CA 2
1 s:/C=FR/ST=Paris/L=Paris/O=Gandi/CN=Gandi Standard SSL CA 2
i:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
2 s:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
因此,您需要使用AddTrust外部CA根中介证书连接Gandi中介证书
cat /etc/ssl/certs/GandiStandardSSLCA2.pem /ets/ssl/certs/AddTrust_External_Root.pem > /ets/ssl/certs/GandiStandardSSLCA2_full.pem
mongo --ssl --sslCAFile /ets/ssl/certs/GandiStandardSSLCA2_full.pem --host plip.plop.com
享受Mongodb不使用系统的全局信任存储 SSLCA文件必须包含验证链的所有中间证书 在我的例子中,证书链如下所示:
Certificate chain
0 s:/OU=Domain Control Validated/OU=Gandi Standard Wildcard SSL/CN=*.plop.com
i:/C=FR/ST=Paris/L=Paris/O=Gandi/CN=Gandi Standard SSL CA 2
1 s:/C=FR/ST=Paris/L=Paris/O=Gandi/CN=Gandi Standard SSL CA 2
i:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
2 s:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
因此,您需要使用AddTrust外部CA根中介证书连接Gandi中介证书
cat /etc/ssl/certs/GandiStandardSSLCA2.pem /ets/ssl/certs/AddTrust_External_Root.pem > /ets/ssl/certs/GandiStandardSSLCA2_full.pem
mongo --ssl --sslCAFile /ets/ssl/certs/GandiStandardSSLCA2_full.pem --host plip.plop.com
享受吧情况并不完全一样。我不想用证书对客户端进行身份验证。目前,我没有为客户端使用任何密码或密钥。我只想通过ssl在mongo上进行连接。情况并不完全相同。我不想用证书对客户端进行身份验证。目前,我没有为客户端使用任何密码或密钥。我只想通过ssl连接mongo。为什么它不使用全局信任存储?为什么它不使用全局信任存储?