使用x509身份验证在docker内部运行MongoDB-Set-Set:容器启动失败,tlsMode未启用,

kt06eoxx  于 12个月前  发布在  Docker
关注(0)|答案(1)|浏览(179)

我正在尝试设置一个docker集群/复制集,其中clusterAuthentication设置为TLS。我们使用来自官方docker-hub的mongodb:7(最新)docker容器。
目前我们还停留在启动阶段(在痛苦地学习如何配置openssl自签名证书和csr之后)
启动第一个replica-set节点会立即抛出两个错误:

{"t":{"$date":"2023-12-13T14:39:18.314Z"},"s":"D1", "c":"ASSERT",   "id":23074,   "ctx":"main","msg":"User assertion","attr":{"error":"BadValue: need to enable TLS via the sslMode/tlsMode flag when using TLS configuration parameters","file":"src/mongo/util/net/ssl_options_server.cpp","line":228}}

{"t":{"$date":"2023-12-13T14:39:18.314Z"},"s":"F",  "c":"CONTROL",  "id":20574,   "ctx":"main","msg":"Error during global initialization","attr":{"error":{"code":2,"codeName":"BadValue","errmsg":"need to enable TLS via the sslMode/tlsMode flag when using TLS configuration parameters"}}}

字符串
这是或多或少相同.我不明白,为什么这个错误被抛出. tls-section是在mongod.conf中设置的,我使用哪个值也没关系.(requireTLS,allowTLS或preferTLS)
我们使用此配置:
文件mongod.conf(yaml)

storage:
  dbPath: /var/lib/mongodb
systemLog:
  verbosity: 3
  destination: file
  logAppend: true
  path: /var/log/mongodb/mongod.log
net:
  tls:
    clusterAuthX509:
      attributes: O=TestOrganisation, OU=TestDepartment, CN=MongoDbCluster
    mode: requireTLS
    allowInvalidCertificates: true
    certificateKeyFile: /etc/certs/server.pem
    CAFile: /etc/certs/server.crt
    clusterFile: /etc/certs/server.pem
  bindIp: 0.0.0.0,mongodb-cluster
  port: 27017
processManagement:
  timeZoneInfo: /usr/share/zoneinfo
replication:
  replSetName: rs0
security:
  authorization: enabled
  clusterAuthMode: x509


我们使用以下命令成功生成了证书:

openssl genrsa -out server.key 4096
openssl req -x509 -new -nodes -sha256 -days 1825 -config ca_req.conf -newkey rsa:4096 -keyout serverROOTCA.key -out server.crt

openssl req -new -out server.csr -key server.key -config req_ext.conf -extensions v3_req

openssl x509 -req -in server.csr -CA server.crt -CAkey serverROOTKey.key -CAcreateserial -out server.crt -days 730 -sha256 -extfile req_ext.conf -extensions v3_req


我们将此文件作为req_ext.conf用于csr和实际cert,rootCA的req_conf看起来不同。

[CA_default]
copy_extensions = copy
[req]
distinguished_name = client_ca
req_extensions = v3_req
prompt = no
[alt_names]
DNS.1 = mongodb-cluster
DNS.2 = replace_me_1
DNS.3 = replace_me_2
[client_ca]
C = SC
ST = SC
L = SampleCity
O = TestOrganisation
OU = TestDepartment
CN = MongoDbCluster
[v3_req]
subjectAltName = @alt_names
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = clientAuth, serverAuth


另外,server.pem包含key和cert,以及相应的前缀开始/END key或证书。“replace_me”值是其他服务器的实际替代DNS名称。每个服务器都有自己的docker-network,稍后会在同一端口上公开mongodb示例
对于docker,我们依赖于run-scripts并传递一些env-values和文件:

docker run -d --restart always --name mongodb-cluster \
    --network traefik \
    -e MONGO_INITDB_ROOT_USERNAME=someuser \
    -e MONGO_INITDB_ROOT_PASSWORD=somepassword \
    -v $PWD/data:/var/lib/mongodb \
    -v $PWD/log/mongod.log:/var/log/mongodb/mongod.log \
    -v $PWD/conf/mongod.conf:/etc/mongod.conf \
    -v $PWD/certs/server.crt:/etc/certs/server.crt \
    -v $PWD/certs/server.pem:/etc/certs/server.pem \
    -p SOMEPORT:27017 \
    mongo:7 mongod -f /etc/mongod.conf


我们遵循以下文档使用受TLS保护的x509示例:https://www.mongodb.com/docs/manual/tutorial/configure-ssl/
我们还尝试指定--tls或--tlsMode requireTLS作为docker-run命令的启动参数,但这也会导致相同的错误。
此配置不起作用的问题可能是什么?
编辑:运行命令时root_ca的其他用途:

openssl x509 -in server.crt -noout -text -purpose

Certificate purposes:
SSL client : Yes
SSL client CA : Yes (WARNING code=3)
SSL server : Yes
SSL server CA : Yes (WARNING code=3)
Netscape SSL server : Yes
Netscape SSL server CA : Yes (WARNING code=3)
S/MIME signing : Yes
S/MIME signing CA : Yes (WARNING code=3)
S/MIME encryption : Yes
S/MIME encryption CA : Yes (WARNING code=3)
CRL signing : Yes
CRL signing CA : Yes (WARNING code=3)
Any Purpose : Yes
Any Purpose CA : Yes
OCSP helper : Yes
OCSP helper CA : Yes (WARNING code=3)
Time Stamp signing : No
Time Stamp signing CA : Yes (WARNING code=3)


编辑2:命令

openssl -in server.pem -noout -ext keyUsage,extendedKeyUsage,basicConstraints


导致以下输出:

X509v3 Key Usage: 
   Key Encipherment, Data Encipherment
X509v3 Extended Key Usage: 
   TLS Web Client Authentication, TLS Web Server Authentication


对于根ca,我得到这个输出

openssl x509 -in server.crt -noout -ext keyUsage,extendedKeyUsage,basicConstraints
No extensions in certificate


以下附加ca_req.conf用于root-ca:

[req]
distinguished_name = RootCa
req_extensions = v3_req
prompt = no
[RootCa]
C = DE
ST = SC
L = SampleCity
O = TestOrganisation
OU = TestDepartment
CN = RootCa

[v3_req]
basicConstraints = CA:true, pathlen:0
keyUsage = keyCertSign
extendedKeyUsage = serverAuth

bq9c1y66

bq9c1y661#

CA输出应类似于以下内容:

X509v3 Key Usage: critical
    Certificate Sign, CRL Sign
X509v3 Basic Constraints: critical
    CA:TRUE

字符串
我这样创建我的证书:
CA证书验证文件ca.conf

[req]
distinguished_name = req_distinguished_name
prompt = no
[req_distinguished_name]
C = CH
O = Company
OU = OSS
CN = Root CA
[v3_ca]
keyUsage = critical, keyCertSign, cRLSign
basicConstraints = critical, CA:true
subjectKeyIdentifier = hash


证书备份文件mongo.conf

[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[req_distinguished_name]
C = CH
O = Company
OU = OSS
CN = MongoDB
[v3_req]
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = localhost


然后使用这些命令:

# Create private key for CA:
openssl genrsa -out ca.key 4096

# Create CA certificate:
openssl req -x509 -new -noenc -extensions v3_ca -config ca.conf -key ca.key -days 7305 -sha256 -out ca.cer

# Create certificate request with explicit private key:
openssl genrsa -out mongo.key 2048
openssl req -new -noenc -key mongo.key -config mongo.conf -out mongo.csr

# Alternative: Create certificate request with automatically generated private key
openssl req -new -noenc -newkey rsa:2048 -keyout mongo.key -config mongo.conf -out mongo.csr

# Create certificate, i.e. sign the certificate request
openssl x509 -req -in mongo.csr -CA ca.cer -CAkey ca.key -CAcreateserial -days 365 -sha512 -copy_extensions copyall -out mongo.cer


输出量:

openssl x509 -in ca.cer -noout -subject -issuer -ext keyUsage,extendedKeyUsage,basicConstraints -purpose

subject=C = CH, O = Company, OU = OSS, CN = Root CA
issuer=C = CH, O = Company, OU = OSS, CN = Root CA

X509v3 Key Usage: critical
    Certificate Sign, CRL Sign
X509v3 Basic Constraints: critical
    CA:TRUE

Certificate purposes:
SSL client : No
SSL client CA : Yes
SSL server : No
SSL server CA : Yes
Netscape SSL server : No
Netscape SSL server CA : Yes
S/MIME signing : No
S/MIME signing CA : Yes
S/MIME encryption : No
S/MIME encryption CA : Yes
CRL signing : Yes
CRL signing CA : Yes
Any Purpose : Yes
Any Purpose CA : Yes
OCSP helper : Yes
OCSP helper CA : Yes
Time Stamp signing : No
Time Stamp signing CA : Yes

openssl x509 -in mongo.cer -noout -purpose -subject -issuer -ext keyUsage,extendedKeyUsage,basicConstraints,subjectAltName -purpose

subject=C = CH, O = Company, OU = OSS, CN = MongoDB
issuer=C = CH, O = Company, OU = OSS, CN = Root CA

X509v3 Key Usage: critical
    Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
    TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Subject Alternative Name:
    DNS:localhost

Certificate purposes:
SSL client : Yes
SSL client CA : No
SSL server : Yes
SSL server CA : No
Netscape SSL server : Yes
Netscape SSL server CA : No
S/MIME signing : No
S/MIME signing CA : No
S/MIME encryption : No
S/MIME encryption CA : No
CRL signing : No
CRL signing CA : No
Any Purpose : Yes
Any Purpose CA : Yes
OCSP helper : Yes
OCSP helper CA : No
Time Stamp signing : No
Time Stamp signing CA : No


一旦你设法使它工作,我建议分开客户端和服务器证书。这意味着

[v3_req]
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = localhost


被分解以

[v3_req]
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = localhost


[v3_req]
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
# On client certificates, subjectAltName (SAN) is not used


使用openssl-ca有点不同。您可以直接创建证书,即不创建证书请求,因此使用起来更简单。另一方面,openssl-ca使用一种用于使用/生成证书的迷你数据库,这又使其更加复杂。
只是一个注意,不久前我发现了X Certificate and Key Management(或https://hohnstaedt.de/xca/index.php/download)-比从命令行使用openssl容易得多。

相关问题