Setup mongodb TSL/SSL with letsencrypt.

Mongodb_Letsencrypt.md

Setup Mongo 3.6 TSL/SSL with Letsencrypt

Install certbot

sudo apt-get update
sudo apt-get install software-properties-common
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install certbot

Get Letsencrypt certificate

sudo certbot certonly --standalone -d [domain]

Letsencrypt will create the following certs under /etc/letsencrypt/live/[domain]:

• cert.pem
• chain.pem
• fullchain.pem
• privkey.pem

Prepare certs for mongodb

cd /etc/letsencrypt/live/[domain]
cat privkey.pem fullchain.pem > /etc/ssl/mongod.pem

Download IdenTrust DST Root CA X3 from https://www.identrust.com/certificates/trustid/root-download-x3.html

Copy the cert to /etc/ssl/ca.crt and wrap it with -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----.

Generate ca.pem

printf "\n" >> ca.crt
cat /etc/letsencrypt/live/[domain]/chain.pem >> /etc/ssl/ca.crt
openssl x509 -in /etc/ssl/ca.crt -out /etc/ssl/ca.pem -outform PEM
openssl verify -CAfile /etc/ssl/ca.pem /etc/ssl/mongod.pem
> mongod.pem: OK (you should see this)

Set permission

chmod 600 /etc/ssl/ca.pem
chmod 600 /etc/ssl/mongod.pem
chown -R mongodb:mongodb /etc/ssl/ca.pem
chown -R mongodb:mongodb /etc/ssl/mongod.pem

Edit mongod.conf

net:
  port: 27017
  bindIp: 0.0.0.0
  ssl:
    mode: requireSSL # 'disabled', 'allowSSL', 'preferSSL', 'requireSSL'
    PEMKeyFile: /etc/ssl/mongod.pem
    CAFile: /etc/ssl/ca.pem
    allowConnectionsWithoutCertificates: false

Connect to mongodb with SSL

mongo [domain]/[db] -u username -p password --ssl --sslPEMKeyFile /etc/ssl/mongod.pem --sslCAFile /etc/ssl/ca.pem

Renew certificates

(Before expiry date, 90 days)

sudo certbot renew

@GrantGochnauer have you been able to find a fix ? I am hitting the same issue

@GrantGochnauer have you been able to find a fix ? I am hitting the same issue

I was not able to get it to work on Mongo 3.6 - I think it's just too old to accept let's encrypt certs. What I tried was:

# Download Root Cert:
wget https://letsencrypt.org/certs/isrgrootx1.pem

# Download Intermediate Cert:
wget https://letsencrypt.org/certs/lets-encrypt-r3.pem

# Concat intermediate CAs
cat isrgrootx1.pem lets-encrypt-r3.pem > ca.pem

# Verify
openssl verify -CAfile ca.pem letsencrypt.pem

sudo certbot renew --dry-run -v

My post hook for letsencrypt:

#!/bin/bash

# Set the source and destination paths
src_path="/etc/letsencrypt/live/myserver.net"
dst_path="/etc/letsencrypt"

# Copy the certificates
cat "${src_path}/privkey.pem" "${src_path}/fullchain.pem" > "${dst_path}/letsencrypt.pem"

# Set appropriate permissions on the destination files (optional)
chmod 644 "${dst_path}/letsencrypt.pem"

We've moved to another database system so we never had the need to come back and solve this. This does work with MongoDB 4.2+

Awesome work @GrantGochnauer. It's working.

Did you automate the renewal of the root certificate ?

Or you do it manually ?

That worked for you? Awesome! I did not automate the renewal of the root cert. I don't remember when it expires but I think it was a number of years in the future.

Yes it did thanks!
I cam automate that but when the certificate expires will they upload a new one to the link above?

Sorry my knowledge on certificates is very limited

Based on the commands above, it just does the dry run. You need to actually have the certbot install the scheduled process.

There are lots of options you can see in the docs but a simple example:

sudo certbot renew --deploy-hook "/etc/letsencrypt/copy_certs.sh"