Tech C**P
Python and Linux instructor and programmer @alirezastack
If you have MongoDB as your database and you query it from an external network, make sure you have TLS/SSL in place. Without it, anyone on the network path can eavesdrop on the traffic, including the credentials sent when the client authenticates and the documents returned by your queries.

Read the article below to set up SSL on the server side:

- https://docs.mongodb.com/manual/tutorial/configure-ssl/

Then, to set ssl=True in the Python driver (PyMongo), see the documentation linked below:

- http://api.mongodb.com/python/current/examples/tls.html

#mongodb #ssl #tls #pymongo
A couple of days ago we talked about MongoDB using TLS/SSL to encrypt the communication with the clients that connect to it (such as PyMongo). If you want to test MongoDB with a self-signed certificate, you can generate one with the commands below:

cd /etc/ssl/
openssl req -newkey rsa:2048 -new -x509 -days 365 -nodes -out mongodb-cert.crt -keyout mongodb-cert.key


This generates a new self-signed certificate and a private key with no passphrase (-nodes), valid for 365 days. Once you have the certificate, concatenate the private key and the certificate into a single .pem file, as in the following example:

cat mongodb-cert.key mongodb-cert.crt > mongodb.pem


If you use the YAML configuration file format, include the following in the file (mongod is sensitive to the indentation):

net:
  ssl:
    mode: requireSSL
    PEMKeyFile: /etc/ssl/mongodb.pem

NOTE: instead of requireSSL you can use preferSSL, which does not force the requirement: the server offers TLS but still accepts plaintext connections, so it only makes sense while you migrate clients. Which one fits depends on your requirements and network topology. On MongoDB 4.2 and later the net.ssl options are deprecated in favour of net.tls (mode: requireTLS, certificateKeyFile: ...), which behave the same way.


#mongodb #ssl #tls #pem #openssl
Now, to make your MongoDB client connection secure, just pass ssl=True to MongoClient:

# test_mongodb_ssl.py
import pymongo

# ssl=True makes PyMongo negotiate TLS for the connection. PyMongo 3.9+ also
# accepts the newer spelling tls=True; with a self-signed server certificate,
# pass tlsCAFile pointing at that certificate so the client can verify it.
client = pymongo.MongoClient('example.com', ssl=True)


When you run this script, check your MongoDB log (usually /var/log/mongodb/mongod.log). With ssl=True passed to MongoClient you should see only the two lines below (IP addresses and connection numbers will vary):

I NETWORK  [listener] connection accepted from 172.15.141.162:50761 #49 (39 connections now open)
I NETWORK [conn49] end connection 172.15.141.162:50761 (38 connections now open)


Now remove ssl=True from MongoClient, or pass ssl=False, and run the test script again. This time mongod.log shows something like:

I NETWORK  [listener] connection accepted from 172.15.141.162:50762 #50 (39 connections now open)
I NETWORK [conn50] SSL mode is set to 'preferred' and connection 50 to 172.15.141.162:50762 is not using SSL.

It says that the SSL mode in the mongo config is preferSSL and that your new connection is not using it. With requireSSL the server would have rejected that connection instead.

YOU NEED TO BE CAUTIOUS: the certificate we generated is self-signed, so a client that does not verify it (or is told to accept invalid certificates) is open to a man-in-the-middle attack. For test setups, give the clients the self-signed certificate as their CA file so they can verify the server; for production, obtain a certificate from a CA you trust, either purchased or from Let's Encrypt.

#mongodb #mongo #ssl #pymongo
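The warning above is the thing to look for when deciding whether a server can be moved from preferSSL to requireSSL. The following is an added example, not code from the channel: a small Python scanner that runs over a few constructed mongod.log lines in the text format quoted above, lists every connection the server reported as not using SSL, and counts them per source address so the clients that still need ssl=True can be tracked down. The sample lines, addresses and connection numbers are made up; the regex also accepting "TLS" in place of "SSL" is an assumption about newer server versions, not something the post states.

```python
"""Find clients still connecting to mongod without TLS by scanning the
text-format mongod.log for the preferSSL warning shown above."""
import re
from collections import Counter

# The warning mongod writes in preferSSL mode for each plaintext connection.
# Assumption: newer servers may spell it "TLS"; both spellings are accepted.
PLAINTEXT_RE = re.compile(
    r"(?:SSL|TLS) mode is set to 'preferred' and connection (?P<conn>\d+) "
    r"to (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+) is not using (?:SSL|TLS)"
)


def find_plaintext_connections(lines):
    """Return (connection_id, source_ip, source_port) for every line that
    reports a connection negotiated without TLS."""
    hits = []
    for line in lines:
        match = PLAINTEXT_RE.search(line)
        if match:
            hits.append((int(match.group("conn")), match.group("ip"), int(match.group("port"))))
    return hits


def summarise_by_source(hits):
    """Count plaintext connections per source address: these hosts still need
    ssl=True/tls=True before the server can be switched to requireSSL."""
    return Counter(ip for _, ip, _ in hits)


def scan_log_text(text):
    """Scan the text of a whole log file; returns (hits, per-source counts)."""
    hits = find_plaintext_connections(text.splitlines())
    return hits, summarise_by_source(hits)


def scan_log_file(path):
    """Scan a mongod.log on disk, e.g. /var/log/mongodb/mongod.log."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_log_text(fh.read())


# Constructed sample log in the same text format as the lines quoted above;
# the addresses and connection numbers are made up.
SAMPLE_LOG = """\
I NETWORK  [listener] connection accepted from 172.15.141.162:50761 #49 (39 connections now open)
I NETWORK  [conn49] end connection 172.15.141.162:50761 (38 connections now open)
I NETWORK  [listener] connection accepted from 172.15.141.162:50762 #50 (39 connections now open)
I NETWORK  [conn50] SSL mode is set to 'preferred' and connection 50 to 172.15.141.162:50762 is not using SSL.
I NETWORK  [listener] connection accepted from 10.0.0.7:41000 #51 (40 connections now open)
I NETWORK  [conn51] SSL mode is set to 'preferred' and connection 51 to 10.0.0.7:41000 is not using SSL.
I NETWORK  [listener] connection accepted from 10.0.0.7:41001 #52 (41 connections now open)
I NETWORK  [conn52] SSL mode is set to 'preferred' and connection 52 to 10.0.0.7:41001 is not using SSL.
"""

if __name__ == "__main__":
    hits, per_source = scan_log_text(SAMPLE_LOG)
    for conn, ip, port in hits:
        print(f"plaintext connection #{conn} from {ip}:{port}")
    for ip, count in per_source.most_common():
        print(f"{ip}: {count} plaintext connection(s)")
```

Run it against the real file with scan_log_file("/var/log/mongodb/mongod.log"); once the per-source counts stay at zero for a while, the server can be switched to requireSSL without cutting anyone off.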
If you have followed our MongoDB SSL configuration, you should by now know that we can also generate the SSL certificate with Let's Encrypt. I have used dehydrated, which works well with Cloudflare.

To make the procedure automatic I have created a sample shell script that, after the automatic renewal, also rebuilds the PEM files for MongoDB. Run it as root (for example as a dehydrated hook), since it writes into /etc/ssl:

#!/bin/bash
# Runs after dehydrated has renewed mongo.example.com: rebuilds the server
# PEM bundle and the CA bundle that clients verify against. Run as root;
# "sudo cmd > file" would open the output file as the calling user, not root.
set -euo pipefail

CERTDIR=/etc/dehydrated/certs/mongo.example.com

echo 'Binding new mongo private key PEM file and Cert PEM file...'
cat "$CERTDIR/privkey.pem" "$CERTDIR/cert.pem" > /etc/ssl/mongo.pem
# The bundle holds the private key: keep it readable only by root and the
# account mongod runs as (chown it to that service account, name varies by distro).
chmod 640 /etc/ssl/mongo.pem
echo 'Saved the new file in /etc/ssl/mongo.pem'

echo 'generate a ca.pem file using openssl by input -> /etc/ssl/ca.crt'
# -out overwrites ca.pem, so no separate truncate step is needed. Mode 644,
# never 777: a world-writable CA file lets any local user add a CA of their own.
openssl x509 -in /etc/ssl/ca.crt -out /etc/ssl/ca.pem -outform PEM
chmod 644 /etc/ssl/ca.pem
echo 'ca.pem is generated successfully in /etc/ssl'

echo 'append the chain.pem content to newly created ca.pem in /etc/ssl/ca.pem'
cat "$CERTDIR/chain.pem" >> /etc/ssl/ca.pem
echo 'done!'

Two things to keep in mind: mongod reads the PEM file at startup, so after the files change you need to restart it (on MongoDB 4.4 and later the rotateCertificates command reloads them without a restart), otherwise it keeps serving the old certificate. And the server bundle above contains only the leaf certificate; our clients can still build the chain because the intermediate from chain.pem is in ca.pem, but if other clients expect the server to send the intermediate, concatenate fullchain.pem instead of cert.pem.

#mongodb #mongo #ssl #pem #openssl #lets_encrypt
To verify that the certificate in the bundle chains up to the CA bundle, use openssl verify:

openssl verify -verbose -CAfile /etc/ssl/ca.pem /etc/ssl/mongo.pem

It should print "/etc/ssl/mongo.pem: OK". openssl verify reads the certificate block from mongo.pem and skips the private key block, so the combined file works; if in doubt, run the same command against /etc/dehydrated/certs/mongo.example.com/cert.pem instead.

#openssl #verify #pem #ca #mongodb #ssl
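The three file-handling steps above (concatenating key and certificate into the server bundle, building ca.pem in the renewal script, and verifying the result with openssl) share the same failure modes: a bundle with a missing or passphrase-protected key, a private key accidentally appended to the CA file that then gets copied to every client, and files left world-writable by chmod 777. The following is an added example, not code from the channel, that audits those files with Python's standard library: it checks the PEM structure and file permissions, then lets OpenSSL (through the ssl module) parse both files, which fails if the key does not match the certificate. The demo() function writes constructed placeholder PEM blocks into a temporary directory; they are not real key material, so OpenSSL is expected to reject them, which is itself the point of that check.

```python
"""Audit the PEM files a MongoDB TLS setup depends on: the server bundle
(private key + certificate) and the CA bundle handed to clients."""
import os
import re
import ssl
import stat
import tempfile

# One PEM block: "-----BEGIN X-----" ... "-----END X-----" with matching labels.
PEM_BLOCK_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\n.*?-----END \1-----", re.S)


def pem_block_labels(text):
    """Return the BEGIN labels of every PEM block, in file order."""
    return [m.group(1) for m in PEM_BLOCK_RE.finditer(text)]


def audit_server_bundle(text):
    """Problems in the file used as net.ssl.PEMKeyFile (net.tls.certificateKeyFile)."""
    labels = pem_block_labels(text)
    problems = []
    keys = [lbl for lbl in labels if "PRIVATE KEY" in lbl]
    certs = [lbl for lbl in labels if lbl.endswith("CERTIFICATE")]
    if len(keys) != 1:
        problems.append(f"expected exactly one private key block, found {len(keys)}")
    if not certs:
        problems.append("no certificate block found")
    # "openssl req -nodes" produces an unencrypted key; an encrypted one would
    # make mongod need a passphrase (PEMKeyPassword) to start.
    if "ENCRYPTED PRIVATE KEY" in labels or "Proc-Type: 4,ENCRYPTED" in text:
        problems.append("private key is passphrase-protected")
    return problems


def audit_ca_bundle(text):
    """Problems in the file given to clients as tlsCAFile / ssl_ca_certs."""
    labels = pem_block_labels(text)
    problems = []
    if not labels:
        problems.append("no PEM blocks found")
    if any("PRIVATE KEY" in lbl for lbl in labels):
        problems.append("CA bundle contains a private key; it would be copied to every client")
    if any(not lbl.endswith("CERTIFICATE") and "PRIVATE KEY" not in lbl for lbl in labels):
        problems.append("CA bundle contains non-certificate blocks")
    return problems


def audit_permissions(path, max_mode):
    """Flag a file whose mode grants more than max_mode. The key bundle should
    be 0640 or tighter; a 0777 CA file lets any local user add a CA of their own."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & ~max_mode:
        return [f"{path} has mode {mode:04o}, wider than {max_mode:04o}"]
    return []


def try_load_with_ssl(bundle_path, ca_path):
    """Let OpenSSL (via the ssl module) parse both files: load_cert_chain fails
    if the key and certificate do not match, load_verify_locations if the CA
    file holds no valid certificate. Returns error strings; empty means OK."""
    errors = []
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.load_cert_chain(bundle_path)
    except OSError as exc:  # ssl.SSLError is a subclass of OSError
        errors.append(f"server bundle rejected: {exc}")
    try:
        ctx.load_verify_locations(cafile=ca_path)
    except OSError as exc:
        errors.append(f"CA bundle rejected: {exc}")
    return errors


# Constructed placeholder blocks (not real key material) so the structural
# checks run offline; OpenSSL is expected to reject them.
FAKE_KEY = "-----BEGIN PRIVATE KEY-----\nAAAA\n-----END PRIVATE KEY-----\n"
FAKE_CERT = "-----BEGIN CERTIFICATE-----\nBBBB\n-----END CERTIFICATE-----\n"


def demo():
    """Reproduce two mistakes offline: a CA file that accidentally includes the
    private key, and a chmod 777 on it as in the original renewal script."""
    with tempfile.TemporaryDirectory() as tmp:
        bundle = os.path.join(tmp, "mongo.pem")
        ca = os.path.join(tmp, "ca.pem")
        with open(bundle, "w") as fh:
            fh.write(FAKE_KEY + FAKE_CERT)
        os.chmod(bundle, 0o640)
        with open(ca, "w") as fh:
            fh.write(FAKE_KEY + FAKE_CERT + FAKE_CERT)
        os.chmod(ca, 0o777)
        with open(bundle) as fh, open(ca) as fh2:
            bundle_text, ca_text = fh.read(), fh2.read()
        return {
            "bundle": audit_server_bundle(bundle_text),
            "ca": audit_ca_bundle(ca_text),
            "bundle_mode": audit_permissions(bundle, 0o640),
            "ca_mode": audit_permissions(ca, 0o644),
            "ssl": try_load_with_ssl(bundle, ca),
        }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result or 'OK'}")
```

On a real host, point audit_server_bundle/audit_ca_bundle at the contents of /etc/ssl/mongo.pem and /etc/ssl/ca.pem and try_load_with_ssl at the paths; with genuine files the last check returns an empty list, and a non-empty one means the key and certificate do not belong together or the CA file did not parse.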