sudo apt-get update
sudo apt-get install software-properties-common
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install certbot
sudo certbot certonly --standalone -d [domain]
Let's Encrypt (via certbot) will create the following files under /etc/letsencrypt/live/[domain] (symlinks to the current versions in /etc/letsencrypt/archive/[domain], readable by root only):
- cert.pem      (the server certificate)
- chain.pem     (the Let's Encrypt intermediate that issued it)
- fullchain.pem (cert.pem followed by chain.pem)
- privkey.pem   (the private key; not a certificate)
cd /etc/letsencrypt/live/[domain]
cat privkey.pem fullchain.pem > /etc/ssl/mongod.pem
(mongod's PEMKeyFile expects the private key and the certificate chain in one file. This is a copy, not a link, so it has to be regenerated after every renewal.)
Download the IdenTrust DST Root CA X3 certificate from https://www.identrust.com/certificates/trustid/root-download-x3.html and save it as /etc/ssl/ca.crt. If the download is the bare base64 body (no header and footer lines), wrap it with a -----BEGIN CERTIFICATE----- line above and an -----END CERTIFICATE----- line below; if you instead get a binary DER file, convert it with openssl x509 -inform DER -in <downloaded file> -out /etc/ssl/ca.crt. Note that DST Root CA X3 expired on 30 September 2021 and current Let's Encrypt chains end at ISRG Root X1, so check which root actually issued your intermediate (openssl x509 -in chain.pem -noout -issuer) and use that one here.
Generate ca.pem, the bundle mongod reads as CAFile (root plus the Let's Encrypt intermediate). Use absolute paths: the cd above left you in /etc/letsencrypt/live/[domain], so a relative ca.crt would create a new file there. Also, openssl x509 only reads the first certificate in its input, so converting the bundle with it would silently drop the intermediate; the bundle is already PEM text, so copy it instead.
printf "\n" >> /etc/ssl/ca.crt
cat /etc/letsencrypt/live/[domain]/chain.pem >> /etc/ssl/ca.crt
cp /etc/ssl/ca.crt /etc/ssl/ca.pem
openssl verify -CAfile /etc/ssl/ca.pem /etc/ssl/mongod.pem
> mongod.pem: OK (you should see this; openssl verify skips the key block and checks the first certificate in the file, the server cert, against the intermediate and root in ca.pem)
Set permissions (mongod.pem contains the private key, so nothing but the mongod user should be able to read it):
chmod 600 /etc/ssl/ca.pem /etc/ssl/mongod.pem
chown mongodb:mongodb /etc/ssl/ca.pem /etc/ssl/mongod.pem
In /etc/mongod.conf (YAML, so the indentation matters):
net:
  port: 27017
  bindIp: 0.0.0.0   # listens on every interface; narrow this to the addresses clients actually use if you can
  ssl:
    mode: requireSSL   # 'disabled', 'allowSSL', 'preferSSL', 'requireSSL'
    PEMKeyFile: /etc/ssl/mongod.pem
    CAFile: /etc/ssl/ca.pem
    allowConnectionsWithoutCertificates: false   # clients must present a certificate that chains to CAFile
These are the pre-4.2 option names. From MongoDB 4.2 on the same settings live under net.tls (mode: requireTLS, certificateKeyFile, CAFile, allowConnectionsWithoutCertificates); the net.ssl names are deprecated aliases there.
mongo [domain]/[db] -u username -p password --ssl --sslPEMKeyFile /etc/ssl/mongod.pem --sslCAFile /etc/ssl/ca.pem
Connect by the hostname in the certificate, not by IP address, or hostname verification fails. Two caveats: with allowConnectionsWithoutCertificates: false the server accepts any client certificate that chains to CAFile, and this CA is a public one, so the certificate check only proves the client holds some certificate from that CA; the -u/-p login (with security.authorization enabled in mongod.conf) is what actually authenticates the user. On the 4.2+ shell the flags are --tls, --tlsCertificateKeyFile and --tlsCAFile.
Renewal (Let's Encrypt certificates are valid for 90 days; certbot renews a certificate once it is within 30 days of expiry):
sudo certbot renew
This is a real renewal, not a dry run (that is certbot renew --dry-run), and the Debian/Ubuntu certbot package already installs a cron entry and systemd timer that run it. What it does not do is touch /etc/ssl/mongod.pem and /etc/ssl/ca.pem: those are copies, so after every renewal they must be rebuilt from the new files in /etc/letsencrypt/live/[domain] and mongod restarted, or mongod keeps serving the old certificate until it expires. certbot runs that step for you through a deploy hook, either --deploy-hook on the command line or an executable dropped into /etc/letsencrypt/renewal-hooks/deploy/.
There are lots of options you can see in the docs, but a simple example:
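The hook below is an added example, not code from the original page, showing the rebuild-and-restart step as a certbot deploy hook. It assumes the root CA alone was kept at /etc/ssl/root.crt (the page's ca.crt before chain.pem was appended to it), the output paths /etc/ssl/mongod.pem and /etc/ssl/ca.pem, a systemd unit named mongod and a mongod user named mongodb; all of those are assumptions, adjust them to your host. certbot exports RENEWED_LINEAGE (the /etc/letsencrypt/live/<domain> directory) to deploy hooks, and nothing here runs unless that variable is set, so the file can be installed as /etc/letsencrypt/renewal-hooks/deploy/mongod.sh (mode 755) and tested by hand with RENEWED_LINEAGE=/etc/letsencrypt/live/[domain] sh mongod.sh.

```shell
#!/bin/sh
# Added example (not from the original page): certbot deploy hook that
# rebuilds the two files mongod reads after every successful renewal.
# Assumed paths/names: /etc/ssl/root.crt (root CA only), /etc/ssl/mongod.pem,
# /etc/ssl/ca.pem, systemd unit "mongod", mongod running as user "mongodb".

# build_mongod_pem LIVE_DIR OUT
# Private key first, then leaf + intermediate: the layout PEMKeyFile expects.
# The subshell keeps the restrictive umask from leaking into the caller, and
# the rename makes the swap atomic so mongod never reads a half-written file.
build_mongod_pem() {
    (
        umask 077
        cat "$1/privkey.pem" "$1/fullchain.pem" > "$2.tmp"
    ) && mv "$2.tmp" "$2"
}

# build_ca_pem ROOT_CERT LIVE_DIR OUT
# Root + intermediate bundle for CAFile. The explicit newline matters: the
# IdenTrust download has no trailing newline, and without it the END line of
# the root and the BEGIN line of the intermediate would fuse into one line.
build_ca_pem() {
    (
        umask 077
        { cat "$1"; printf '\n'; cat "$2/chain.pem"; } > "$3.tmp"
    ) && mv "$3.tmp" "$3"
}

# count_pem_blocks FILE TYPE
# Number of "-----BEGIN <TYPE>-----" lines, a cheap sanity check that each
# bundle contains what it should (grep -c prints 0 but exits 1 on no match).
count_pem_blocks() {
    grep -c "^-----BEGIN $2-----" "$1" || true
}

# Only act when certbot is calling us after a renewal.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    build_mongod_pem "$RENEWED_LINEAGE" /etc/ssl/mongod.pem
    build_ca_pem /etc/ssl/root.crt "$RENEWED_LINEAGE" /etc/ssl/ca.pem
    chown mongodb:mongodb /etc/ssl/mongod.pem /etc/ssl/ca.pem
    chmod 600 /etc/ssl/mongod.pem /etc/ssl/ca.pem
    # Refuse to restart onto a bundle that does not chain to the root.
    openssl verify -CAfile /etc/ssl/ca.pem "$RENEWED_LINEAGE/cert.pem" || exit 1
    systemctl restart mongod
fi
```

The restart at the end is what makes the new certificate live; mongod reads PEMKeyFile and CAFile at startup only. If a restart is not acceptable, MongoDB 4.4+ can reload them in place with db.adminCommand({rotateCertificates: 1}) instead.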