使用x509身份验证在docker内部运行MongoDB-Set-Set:容器启动失败,tlsMode未启用,

kt06eoxx  于 2024-01-06  发布在  Docker
关注(0)|答案(1)|浏览(256)

我正在尝试设置一个docker集群/复制集,其中clusterAuthentication设置为TLS。我们使用来自官方docker-hub的mongodb:7(最新)docker容器。
目前我们还停留在启动阶段(在痛苦地学习如何配置openssl自签名证书和csr之后)
启动第一个replica-set节点会立即抛出两个错误:

  1. {"t":{"$date":"2023-12-13T14:39:18.314Z"},"s":"D1", "c":"ASSERT",   "id":23074,   "ctx":"main","msg":"User assertion","attr":{"error":"BadValue: need to enable TLS via the sslMode/tlsMode flag when using TLS configuration parameters","file":"src/mongo/util/net/ssl_options_server.cpp","line":228}}
  3. {"t":{"$date":"2023-12-13T14:39:18.314Z"},"s":"F",  "c":"CONTROL",  "id":20574,   "ctx":"main","msg":"Error during global initialization","attr":{"error":{"code":2,"codeName":"BadValue","errmsg":"need to enable TLS via the sslMode/tlsMode flag when using TLS configuration parameters"}}}

字符串
这是或多或少相同.我不明白,为什么这个错误被抛出. tls-section是在mongod.conf中设置的,我使用哪个值也没关系.(requireTLS,allowTLS或preferTLS)
我们使用此配置:
文件mongod.conf(yaml)

  1. storage:
  2.   dbPath: /var/lib/mongodb
  3. systemLog:
  4.   verbosity: 3
  5.   destination: file
  6.   logAppend: true
  7.   path: /var/log/mongodb/mongod.log
  8. net:
  9.   tls:
  10.     clusterAuthX509:
  11.       attributes: O=TestOrganisation, OU=TestDepartment, CN=MongoDbCluster
  12.     mode: requireTLS
  13.     allowInvalidCertificates: true
  14.     certificateKeyFile: /etc/certs/server.pem
  15.     CAFile: /etc/certs/server.crt
  16.     clusterFile: /etc/certs/server.pem
  17.   bindIp: 0.0.0.0,mongodb-cluster
  18.   port: 27017
  19. processManagement:
  20.   timeZoneInfo: /usr/share/zoneinfo
  21. replication:
  22.   replSetName: rs0
  23. security:
  24.   authorization: enabled
  25.   clusterAuthMode: x509


我们使用以下命令成功生成了证书:

  1. openssl genrsa -out server.key 4096
  2. openssl req -x509 -new -nodes -sha256 -days 1825 -config ca_req.conf -newkey rsa:4096 -keyout serverROOTCA.key -out server.crt
  4. openssl req -new -out server.csr -key server.key -config req_ext.conf -extensions v3_req
  6. openssl x509 -req -in server.csr -CA server.crt -CAkey serverROOTKey.key -CAcreateserial -out server.crt -days 730 -sha256 -extfile req_ext.conf -extensions v3_req


我们将此文件作为req_ext.conf用于csr和实际cert,rootCA的req_conf看起来不同。

  1. [CA_default]
  2. copy_extensions = copy
  3. [req]
  4. distinguished_name = client_ca
  5. req_extensions = v3_req
  6. prompt = no
  7. [alt_names]
  8. DNS.1 = mongodb-cluster
  9. DNS.2 = replace_me_1
  10. DNS.3 = replace_me_2
  11. [client_ca]
  12. C = SC
  13. ST = SC
  14. L = SampleCity
  15. O = TestOrganisation
  16. OU = TestDepartment
  17. CN = MongoDbCluster
  18. [v3_req]
  19. subjectAltName = @alt_names
  20. keyUsage = keyEncipherment, dataEncipherment
  21. extendedKeyUsage = clientAuth, serverAuth


另外,server.pem包含key和cert,以及相应的前缀开始/END key或证书。“replace_me”值是其他服务器的实际替代DNS名称。每个服务器都有自己的docker-network,稍后会在同一端口上公开mongodb示例
对于docker,我们依赖于run-scripts并传递一些env-values和文件:

  1. docker run -d --restart always --name mongodb-cluster \
  2.     --network traefik \
  3.     -e MONGO_INITDB_ROOT_USERNAME=someuser \
  4.     -e MONGO_INITDB_ROOT_PASSWORD=somepassword \
  5.     -v $PWD/data:/var/lib/mongodb \
  6.     -v $PWD/log/mongod.log:/var/log/mongodb/mongod.log \
  7.     -v $PWD/conf/mongod.conf:/etc/mongod.conf \
  8.     -v $PWD/certs/server.crt:/etc/certs/server.crt \
  9.     -v $PWD/certs/server.pem:/etc/certs/server.pem \
  10.     -p SOMEPORT:27017 \
  11.     mongo:7 mongod -f /etc/mongod.conf


我们遵循以下文档使用受TLS保护的x509示例:https://www.mongodb.com/docs/manual/tutorial/configure-ssl/
我们还尝试指定--tls或--tlsMode requireTLS作为docker-run命令的启动参数,但这也会导致相同的错误。
此配置不起作用的问题可能是什么?
编辑:运行命令时root_ca的其他用途:

  1. openssl x509 -in server.crt -noout -text -purpose
  3. Certificate purposes:
  4. SSL client : Yes
  5. SSL client CA : Yes (WARNING code=3)
  6. SSL server : Yes
  7. SSL server CA : Yes (WARNING code=3)
  8. Netscape SSL server : Yes
  9. Netscape SSL server CA : Yes (WARNING code=3)
  10. S/MIME signing : Yes
  11. S/MIME signing CA : Yes (WARNING code=3)
  12. S/MIME encryption : Yes
  13. S/MIME encryption CA : Yes (WARNING code=3)
  14. CRL signing : Yes
  15. CRL signing CA : Yes (WARNING code=3)
  16. Any Purpose : Yes
  17. Any Purpose CA : Yes
  18. OCSP helper : Yes
  19. OCSP helper CA : Yes (WARNING code=3)
  20. Time Stamp signing : No
  21. Time Stamp signing CA : Yes (WARNING code=3)


编辑2:命令

  1. openssl -in server.pem -noout -ext keyUsage,extendedKeyUsage,basicConstraints


导致以下输出:

  1. X509v3 Key Usage: 
  2.    Key Encipherment, Data Encipherment
  3. X509v3 Extended Key Usage: 
  4.    TLS Web Client Authentication, TLS Web Server Authentication


对于根ca,我得到这个输出

  1. openssl x509 -in server.crt -noout -ext keyUsage,extendedKeyUsage,basicConstraints
  2. No extensions in certificate


以下附加ca_req.conf用于root-ca:

  1. [req]
  2. distinguished_name = RootCa
  3. req_extensions = v3_req
  4. prompt = no
  5. [RootCa]
  6. C = DE
  7. ST = SC
  8. L = SampleCity
  9. O = TestOrganisation
  10. OU = TestDepartment
  11. CN = RootCa
  13. [v3_req]
  14. basicConstraints = CA:true, pathlen:0
  15. keyUsage = keyCertSign
  16. extendedKeyUsage = serverAuth

docker

1条答案

按热度按时间
bq9c1y66

bq9c1y661#

CA输出应类似于以下内容:

  1. X509v3 Key Usage: critical
  2.     Certificate Sign, CRL Sign
  3. X509v3 Basic Constraints: critical
  4.     CA:TRUE

字符串
我这样创建我的证书:
CA证书验证文件ca.conf

  1. [req]
  2. distinguished_name = req_distinguished_name
  3. prompt = no
  4. [req_distinguished_name]
  5. C = CH
  6. O = Company
  7. OU = OSS
  8. CN = Root CA
  9. [v3_ca]
  10. keyUsage = critical, keyCertSign, cRLSign
  11. basicConstraints = critical, CA:true
  12. subjectKeyIdentifier = hash


证书备份文件mongo.conf

  1. [req]
  2. distinguished_name = req_distinguished_name
  3. req_extensions = v3_req
  4. prompt = no
  5. [req_distinguished_name]
  6. C = CH
  7. O = Company
  8. OU = OSS
  9. CN = MongoDB
  10. [v3_req]
  11. keyUsage = critical, digitalSignature, keyEncipherment
  12. extendedKeyUsage = serverAuth, clientAuth
  13. subjectAltName = @alt_names
  14. [alt_names]
  15. DNS.1 = localhost


然后使用这些命令:

  1. # Create private key for CA:
  2. openssl genrsa -out ca.key 4096
  4. # Create CA certificate:
  5. openssl req -x509 -new -noenc -extensions v3_ca -config ca.conf -key ca.key -days 7305 -sha256 -out ca.cer
  7. # Create certificate request with explicit private key:
  8. openssl genrsa -out mongo.key 2048
  9. openssl req -new -noenc -key mongo.key -config mongo.conf -out mongo.csr
  11. # Alternative: Create certificate request with automatically generated private key
  12. openssl req -new -noenc -newkey rsa:2048 -keyout mongo.key -config mongo.conf -out mongo.csr
  14. # Create certificate, i.e. sign the certificate request
  15. openssl x509 -req -in mongo.csr -CA ca.cer -CAkey ca.key -CAcreateserial -days 365 -sha512 -copy_extensions copyall -out mongo.cer


输出量:

  1. openssl x509 -in ca.cer -noout -subject -issuer -ext keyUsage,extendedKeyUsage,basicConstraints -purpose
  3. subject=C = CH, O = Company, OU = OSS, CN = Root CA
  4. issuer=C = CH, O = Company, OU = OSS, CN = Root CA
  6. X509v3 Key Usage: critical
  7.     Certificate Sign, CRL Sign
  8. X509v3 Basic Constraints: critical
  9.     CA:TRUE
  11. Certificate purposes:
  12. SSL client : No
  13. SSL client CA : Yes
  14. SSL server : No
  15. SSL server CA : Yes
  16. Netscape SSL server : No
  17. Netscape SSL server CA : Yes
  18. S/MIME signing : No
  19. S/MIME signing CA : Yes
  20. S/MIME encryption : No
  21. S/MIME encryption CA : Yes
  22. CRL signing : Yes
  23. CRL signing CA : Yes
  24. Any Purpose : Yes
  25. Any Purpose CA : Yes
  26. OCSP helper : Yes
  27. OCSP helper CA : Yes
  28. Time Stamp signing : No
  29. Time Stamp signing CA : Yes
  31. openssl x509 -in mongo.cer -noout -purpose -subject -issuer -ext keyUsage,extendedKeyUsage,basicConstraints,subjectAltName -purpose
  33. subject=C = CH, O = Company, OU = OSS, CN = MongoDB
  34. issuer=C = CH, O = Company, OU = OSS, CN = Root CA
  36. X509v3 Key Usage: critical
  37.     Digital Signature, Key Encipherment
  38. X509v3 Extended Key Usage:
  39.     TLS Web Server Authentication, TLS Web Client Authentication
  40. X509v3 Subject Alternative Name:
  41.     DNS:localhost
  43. Certificate purposes:
  44. SSL client : Yes
  45. SSL client CA : No
  46. SSL server : Yes
  47. SSL server CA : No
  48. Netscape SSL server : Yes
  49. Netscape SSL server CA : No
  50. S/MIME signing : No
  51. S/MIME signing CA : No
  52. S/MIME encryption : No
  53. S/MIME encryption CA : No
  54. CRL signing : No
  55. CRL signing CA : No
  56. Any Purpose : Yes
  57. Any Purpose CA : Yes
  58. OCSP helper : Yes
  59. OCSP helper CA : No
  60. Time Stamp signing : No
  61. Time Stamp signing CA : No


一旦你设法使它工作,我建议分开客户端和服务器证书。这意味着

  1. [v3_req]
  2. keyUsage = critical, digitalSignature, keyEncipherment
  3. extendedKeyUsage = serverAuth, clientAuth
  4. subjectAltName = @alt_names
  5. [alt_names]
  6. DNS.1 = localhost


被分解以

  1. [v3_req]
  2. keyUsage = critical, digitalSignature, keyEncipherment
  3. extendedKeyUsage = serverAuth
  4. subjectAltName = @alt_names
  5. [alt_names]
  6. DNS.1 = localhost


  1. [v3_req]
  2. keyUsage = critical, digitalSignature, keyEncipherment
  3. extendedKeyUsage = clientAuth
  4. # On client certificates, subjectAltName (SAN) is not used


使用openssl-ca有点不同。您可以直接创建证书,即不创建证书请求,因此使用起来更简单。另一方面,openssl-ca使用一种用于使用/生成证书的迷你数据库,这又使其更加复杂。
只是一个注意,不久前我发现了X Certificate and Key Management(或https://hohnstaedt.de/xca/index.php/download)-比从命令行使用openssl容易得多。

展开查看全部
赞(0)分享  回复(0)举报  2024-01-06
我来回答

相关问题

    查看更多

    热门标签

    更多
    JavaquerypythonNode开发语言requestUtil数据库Table后端算法LoggerMessageElementParser

    最新问答

    更多
    • 蜀ICP备13028337号-1 大数据知识库 https://www.saoniuhuo.com © All rights reserved
    • 本站内容来源互联网,如果侵犯您的权益请联系我们删除, 联系方式:448109455@qq.com