How to setup MongoDB with SSL
Hosted MongoDB solutions typically include an SSL certificate, so when you are rolling your own, you’ll want to set up SSL. Hosted databases aren’t for everyone, fortunately security is just one tutorial away.
In this example, the primary is already set up on
db.example.com, so that is the domain this tutorial will use to demonstrate the certificate renewal process.
LetsEncrypt requires your server to respond to a challenge in order to fulfill a certificate request, so we’ll need a web server to answer their challenge.
sudo add-apt-repository ppa:nginx/stable sudo apt-get update sudo apt install nginx
At this point, navigating to
db.example.com will result in the demo page for Nginx. Nothing further is really required to set up Nginx.
Next, install Certbot, the official tool that fully automate setup and of course renewal of LetsEncrypt certificates.
sudo add-apt-repository ppa:certbot/certbot sudo apt update sudo apt install software-properties-common python-certbot-nginx
Create the certificate for this host:
certbot --nginx -d db.example.com
Set up a bash script that will concatenate your NGINX certificates together to create your MongoDB server certificate.
cd ~ nano renew-mongo-cert.sh
This will be the script contents:
#!/bin/bash DOMAIN=db.example.com newestFull=$(ls -v /etc/letsencrypt/archive/$DOMAIN/fullchain*.pem | tail -n 1) newestPriv=$(ls -v /etc/letsencrypt/archive/$DOMAIN/privkey*.pem | tail -n 1) cat $newestFull $newestPriv > /etc/ssl/mongo.pem service mongod restart
Make it executable:
chmod +x renew-mongo-cert.sh
Enable SSL in the mongo server configuration in
/etc/mongod.conf by adding this under the
tls: mode: requireTLS certificateKeyFile: /etc/ssl/mongo.pem
Run the script for the first time:
Set the file permissions for the outputted pem file. This is only needed one time.
chmod 600 /etc/ssl/mongo.pem chown mongodb:mongodb /etc/ssl/mongo.pem
Add the script as a cron job with
0 0 1 * * /root/renew-mongo-cert.sh
Reboot, and now you can connect through SSL. Note that the URL now contains the