sudo apt-get update
sudo apt-get install software-properties-common
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install certbot
sudo certbot certonly --standalone -d [domain]
(--standalone starts certbot's own web server for the HTTP-01 challenge, so port 80 on this host must be free and reachable from the internet while the command runs; the same holds for every later renewal.)
certbot places the following files under /etc/letsencrypt/live/[domain] (symlinks to the newest versions in /etc/letsencrypt/archive/[domain]):
- cert.pem: the server certificate
- chain.pem: the Let's Encrypt intermediate that issued it
- fullchain.pem: cert.pem followed by chain.pem
- privkey.pem: the private key (the only non-certificate here; keep it secret)
cd /etc/letsencrypt/live/[domain]
cat privkey.pem fullchain.pem > /etc/ssl/mongod.pem
Download the root certificate that signed the Let's Encrypt intermediate in chain.pem. When this was written that was IdenTrust DST Root CA X3, from https://www.identrust.com/certificates/trustid/root-download-x3.html. That root expired on 30 September 2021 and current Let's Encrypt chains end at ISRG Root X1 (available from https://letsencrypt.org/certificates/), so before trusting a download check that its subject name is the issuer name of the first certificate in chain.pem; if the names differ you have the wrong root and verification below will fail.
Copy the certificate to /etc/ssl/ca.crt. The IdenTrust page shows only the base64 body, so wrap it with a -----BEGIN CERTIFICATE----- line before and an -----END CERTIFICATE----- line after, otherwise openssl will not read it.
Generate ca.pem, a bundle holding the root first and the Let's Encrypt intermediate from chain.pem after it. The printf matters: the IdenTrust download has no trailing newline, and without one the END line of the root and the BEGIN line of the intermediate run together into one unreadable line.
printf "\n" >> /etc/ssl/ca.crt
cat /etc/ssl/ca.crt /etc/letsencrypt/live/[domain]/chain.pem > /etc/ssl/ca.pem
Do not pass the bundle through openssl x509 -in ... -out ... to "convert" it: openssl x509 reads and writes only the first certificate in its input, so ca.pem would end up holding the root alone and the verification below fails with "unable to get local issuer certificate". The cat above already produces valid PEM.
openssl verify -CAfile /etc/ssl/ca.pem /etc/ssl/mongod.pem
> mongod.pem: OK (you should see this)
openssl verify checks only the first certificate it finds in mongod.pem (the server certificate) and looks for issuers in -CAfile alone; it does not use the intermediate that is also inside mongod.pem. That is why ca.pem must carry the intermediate as well as the root: with the root alone the output is "error 20 at 0 depth lookup:unable to get local issuer certificate".
Set permissions. mongod.pem contains the private key, so only the mongodb user may read it; -R is unnecessary for single files.
chmod 600 /etc/ssl/ca.pem
chmod 600 /etc/ssl/mongod.pem
chown mongodb:mongodb /etc/ssl/ca.pem
chown mongodb:mongodb /etc/ssl/mongod.pem
Add to the mongod configuration file (/etc/mongod.conf on the Ubuntu package; the indentation is significant, it is YAML):
net:
  port: 27017
  bindIp: 0.0.0.0   # listens on every interface: firewall 27017 and enable security.authorization, TLS alone authenticates nobody
  ssl:
    mode: requireSSL   # 'disabled', 'allowSSL', 'preferSSL', 'requireSSL'
    PEMKeyFile: /etc/ssl/mongod.pem
    CAFile: /etc/ssl/ca.pem
    allowConnectionsWithoutCertificates: false
With allowConnectionsWithoutCertificates: false every client must present a certificate that chains to CAFile. CAFile is a public CA here, so any Let's Encrypt certificate for any name passes that check; it narrows clients to "holds a Let's Encrypt certificate" and nothing more, so keep username/password authentication on. MongoDB 4.2 renamed these options to net.tls (mode: requireTLS, certificateKeyFile, CAFile, allowConnectionsWithoutCertificates); the ssl names still work there but are deprecated.
Connect with the mongo shell. The client certificate is required because of allowConnectionsWithoutCertificates: false; reusing the server's own mongod.pem as the client certificate works but means the server key pair also acts as a client identity. Giving -p without a value makes the shell prompt for the password instead of leaving it in the process list and shell history.
mongo [domain]/[db] -u username -p password --ssl --sslPEMKeyFile /etc/ssl/mongod.pem --sslCAFile /etc/ssl/ca.pem
Renew before the expiry date (Let's Encrypt certificates are valid for 90 days; certbot renew only acts on certificates within 30 days of expiry and with --standalone again needs port 80 free):
sudo certbot renew
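Renewal only refreshes the files under /etc/letsencrypt/live/[domain] (by default with a new private key); mongod.pem and ca.pem must be rebuilt from them and mongod restarted, otherwise it keeps serving the old certificate. Because the chain handling is where this recipe usually goes wrong, here is an added shell example, written for this page and not part of the gist or of certbot/MongoDB, that builds a throwaway root, intermediate and server certificate with openssl, lays them out the way certbot does, assembles mongod.pem and ca.pem, checks that the root really issued the intermediate, and shows that running the bundle through openssl x509 keeps only the first certificate. The names (Demo Root, mongo.example.test), function names and paths are invented for the example; RENEWED_LINEAGE is the variable certbot itself exports to --deploy-hook scripts, and restarting mongod afterwards is left to the caller. It needs OpenSSL 1.1.1 or newer and runs offline.

```shell
#!/bin/sh
# Added example for the Let's Encrypt + MongoDB recipe above; not from the gist.
# Every certificate is generated locally, so nothing here contacts a real CA.
set -eu

# Assemble the two files mongod needs from a certbot-style lineage directory:
#   mongod.pem = private key + fullchain.pem
#   ca.pem     = root certificate + chain.pem (root first, intermediate second)
# $1 lineage dir, $2 PEM file holding the root, $3 output dir. The same call
# fits a certbot --deploy-hook script, where the renewed lineage path arrives
# as $RENEWED_LINEAGE (assumption: the caller restarts mongod afterwards).
build_bundles() {
  lineage=$1; root=$2; out=$3
  cat "$lineage/privkey.pem" "$lineage/fullchain.pem" > "$out/mongod.pem"
  chmod 600 "$out/mongod.pem"
  {
    cat "$root"
    # A root saved from a bare base64 download often lacks a final newline;
    # without it the root's END line and the intermediate's BEGIN line merge.
    [ "$(tail -c1 "$root")" = "" ] || echo
    cat "$lineage/chain.pem"
  } > "$out/ca.pem"
}

# Number of certificates in a PEM file.
count_certs() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# True when the subject of root $1 equals the issuer of the first certificate
# in $2: the check to run on a downloaded root before trusting it.
issuer_matches() {
  [ "$(openssl x509 -in "$1" -noout -subject)" = \
    "$(openssl x509 -in "$2" -noout -issuer | sed 's/^issuer=/subject=/')" ]
}

# Verify the first certificate in $2 using only the trust bundle $1, which is
# exactly what the gist's "openssl verify -CAfile" line does.
verify_against() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# Build a throwaway root -> intermediate -> server chain and lay it out like
# /etc/letsencrypt/live/[domain] under $1/live, plus the root in $1/ca.crt
# saved the way it comes from a download: no trailing newline.
make_demo_lineage() {
  d=$1
  mkdir -p "$d/live"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:mongo.example.test\n' > "$d/leaf.ext"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Root" \
    -keyout "$d/root.key" -out "$d/root.csr" 2>/dev/null
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 1 \
    -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate" \
    -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -days 1 -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=mongo.example.test" \
    -keyout "$d/live/privkey.pem" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
    -CAcreateserial -days 1 -extfile "$d/leaf.ext" -out "$d/live/cert.pem" 2>/dev/null
  cp "$d/int.pem" "$d/live/chain.pem"
  cat "$d/live/cert.pem" "$d/live/chain.pem" > "$d/live/fullchain.pem"
  printf '%s' "$(cat "$d/root.pem")" > "$d/ca.crt"   # strips the final newline
}

# Demo: build the bundles the right way, then the way the gist's
# "openssl x509 -in ca.crt -out ca.pem" does it, and verify against both.
WORK=$(mktemp -d)
make_demo_lineage "$WORK"
mkdir -p "$WORK/ssl"
build_bundles "$WORK/live" "$WORK/ca.crt" "$WORK/ssl"
openssl x509 -in "$WORK/ssl/ca.pem" -outform PEM -out "$WORK/ssl/ca_wrong.pem"
issuer_matches "$WORK/root.pem" "$WORK/live/chain.pem" && echo "root is the issuer of chain.pem"
echo "certificates: ca.pem=$(count_certs "$WORK/ssl/ca.pem") ca_wrong.pem=$(count_certs "$WORK/ssl/ca_wrong.pem")"
for b in ca.pem ca_wrong.pem; do
  if verify_against "$WORK/ssl/$b" "$WORK/live/cert.pem"; then
    echo "$b: cert.pem OK"
  else
    echo "$b: cert.pem FAILS (error 20, unable to get local issuer certificate)"
  fi
done
```

ca.pem verifies the server certificate and ca_wrong.pem does not, because the x509 round trip dropped the intermediate. To automate renewal, put build_bundles in a script run by certbot renew --deploy-hook, for example build_bundles "$RENEWED_LINEAGE" /etc/ssl/ca.crt /etc/ssl followed by systemctl restart mongod (service name assumed); a deploy hook runs only after a successful renewal.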
I have been trying to get this to work, but I'm not sure which file I'm supposed to grab from the comment linked above. I have tried both "DST Root CA X3 Cross-Signing with IdenTrust Commercial CA 1 Chain Details" and "DST Root CA X3-IdenTrust Commercial CA 1 Chain Download", but when I try to verify the cert, I get the following error:
[root@prd04 letsencrypt]# openssl verify -CAfile cab.pem letsencrypt.pem
letsencrypt.pem: CN = prd04
error 20 at 0 depth lookup:unable to get local issuer certificate
I have also tried to use the p7b file and convert it to pem, but I can't seem to get that to work either. A few of my attempts have resulted in Mongo trying to connect to the other nodes with a Handshake "short read" error.
I have also tried using these CA pem files directly from Let's Encrypt: https://letsencrypt.org/certificates/. I should also note that this is running on CentOS 7.
Any ideas @nalbyuites or @j0e1in? Thanks