
MongoDB cluster upgrade to use SSL/TLS fails

Reposted. Author: 行者123. Updated: 2023-12-04 22:41:39

I reproduced the MongoDB sharded cluster with its replica sets from the link below and added users such as an admin user, without SSL.

  • Link: https://github.com/arun2pratap/mongodbClusterForWindowsOneClick
  • Environment:
  • OS: Windows Server 2019 (all instances set up on a single Windows server)
  • 1 mongos (port: 26000)
  • 2 shards (ports: sh01: 27011 ~ 27013 / sh02: 27021 ~ 27023)
  • 1 config server replica set (ports: csrs: 26001 ~ 26003)


  • After reproducing the cluster without SSL, I tried to upgrade it to use SSL following the MongoDB manual 4.5 and other links, but I could not find a clear answer or guide.
    Below are the links I referred to.
  • https://www.mongodb.com/docs/v4.4/tutorial/upgrade-cluster-to-ssl/
  • https://www.mongodb.com/docs/v4.4/tutorial/deploy-replica-set-with-keyfile-access-control/
  • https://www.mongodb.com/community/forums/t/cannot-start-mongodb-service-after-configuring-tls/2802
  • MongoDB Shell connection errors using test self signed certificates
  • https://www.mongodb.com/community/forums/t/creating-openssl-server-certificates-for-testing-failed/109058

  • I just configured conf files such as sh011.conf following the manual and the guides, and started them. But it seems that only the csrs instances were started, because I cannot find the port numbers of the other instances.
    1. sh011.conf
    sharding:
      clusterRole: shardsvr
    replication:
      replSetName: sh01
    net:
      bindIpAll: true
      port: 27011
      tls:
        mode: requireTLS
        certificateKeyFile: C:\database\MongoDB\Server\4.4\bin\certifications\test-server1.pem
        CAFile: C:\database\MongoDB\Server\4.4\bin\certifications\test-ca.pem
    systemLog:
      destination: file
      path: sh01/sh011/log/sh011.log
      logAppend: true
    storage:
      dbPath: sh01/sh011/db/
    2. mongos.conf
    sharding:
      configDB: csrs/WIN-BKEV4AO0KED:26001,WIN-BKEV4AO0KED:26002,WIN-BKEV4AO0KED:26003
    net:
      bindIpAll: true
      port: 26000
      tls:
        mode: requireTLS
        certificateKeyFile: C:\database\MongoDB\Server\4.4\bin\certifications\test-server1.pem
        CAFile: C:\database\MongoDB\Server\4.4\bin\certifications\test-ca.pem
    systemLog:
      destination: file
      path: router/log/mongos.log
      logAppend: true
    security:
      authorization: enabled
      clusterAuthMode: x509
    3. "netstat -an" output
    C:\database\MongoDB\Server\4.4\bin>netstat -an

    Active Connections

    Proto Local Address Foreign Address State
    TCP 0.0.0.0:22 0.0.0.0:0 LISTENING
    TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
    TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
    TCP 0.0.0.0:5357 0.0.0.0:0 LISTENING
    TCP 0.0.0.0:5432 0.0.0.0:0 LISTENING
    TCP 0.0.0.0:5985 0.0.0.0:0 LISTENING
    TCP 0.0.0.0:26001 0.0.0.0:0 LISTENING
    TCP 0.0.0.0:26002 0.0.0.0:0 LISTENING
    TCP 0.0.0.0:26003 0.0.0.0:0 LISTENING
    TCP 0.0.0.0:47001 0.0.0.0:0 LISTENING

    When I checked the log files, SSL errors like the following had occurred on every shard node:
    {"t":{"$date":"2022-05-09T14:34:54.933+09:00"},"s":"I",  "c":"NETWORK",  "id":4712102, "ctx":"ReplicaSetMonitor-TaskExecutor","msg":"Host failed in replica set","attr":{"replicaSet":"csrs","host":"WIN-BKEV4AO0KED:26001","error":{"code":6,"codeName":"HostUnreachable","errmsg":"Error connecting to WIN-BKEV4AO0KED:26001 (192.168.100.202:26001) :: caused by :: SSL peer certificate validation failed: (80096004)The signature of the certificate cannot be verified."},"action":{"dropConnections":true,"requestImmediateCheck":false,"outcome":{"host":":26001","success":false}}}}
    {"t":{"$date":"2022-05-09T14:34:55.164+09:00"},"s":"I", "c":"-", "id":4333222, "ctx":"ReplicaSetMonitor-TaskExecutor","msg":"RSM received failed isMaster","attr":{"host":"WIN-BKEV4AO0KED:26003","error":"HostUnreachable: Error connecting to WIN-BKEV4AO0KED:26003 (192.168.100.202:26003) :: caused by :: SSL peer certificate validation failed: (80096004)The signature of the certificate cannot be verified.","replicaSet":"csrs","isMasterReply":"{}"}}
    I thought the cause of this problem was related to the host name, so I configured the hosts file.
    Then I recreated the CA, server and client certificate files following the manual.
    1. openssl-test-server.conf
    [ alt_names ]
    DNS.1 = WIN-BKEV4AO0KED
    IP.1 = 192.168.100.202

    [ req_dn ]
    countryName = Country Name (2 letter code)
    countryName_default = AA
    countryName_min = 2
    countryName_max = 2

    stateOrProvinceName = State or Province Name (full name)
    stateOrProvinceName_default = City
    stateOrProvinceName_max = 64

    localityName = Locality Name (eg, city)
    localityName_default = City
    localityName_max = 64

    organizationName = Organization Name (eg, company)
    organizationName_default = DevCompany
    organizationName_max = 64

    organizationalUnitName = Organizational Unit Name (eg, section)
    organizationalUnitName_default = Dev
    organizationalUnitName_max = 64

    commonName = Common Name (eg, YOUR name)
    commonName_default = WIN-BKEV4AO0KED
    commonName_max = 64
    However, mongos and the other instances still did not start.
    In the end, I think some configuration is wrong. I would like to know what I missed or got wrong about SSL.

    Best answer

    Finally, I found the cause of the problem and how to start the MongoDB cluster with SSL by myself.
    First, the root cause of being unable to start MongoDB instances such as mongos and the SSL-enabled mongod was that some parameters were missing from the start command, as shown below:

  • Start command before

    $ mongod -f csrs1.conf


  • Modified start command

    $ mongod -f csrs1.conf --tlsMode requireTLS --tlsCertificateKeyFile test-server1.pem --tlsCAFile test-ca.pem



  • Note: I did not set up MongoDB as a service; I just control it from the command prompt.
    When I generated the certificates with the default settings and started each MongoDB process with the new command, everything worked.
    For convenience, I tried to modify the START.bat file with the new command above.
    However, that did not work. So I opened a prompt for each node and ran the start command manually.
    I hope this information helps.
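The question's log lines show the config-server members rejecting each other's certificates ("The signature of the certificate cannot be verified"), and the answer's fix passes --tlsCertificateKeyFile test-server1.pem and --tlsCAFile test-ca.pem explicitly. The following shell script is an added example, not code from the original post or from MongoDB: it generates a throwaway test CA and a member certificate carrying a SAN for the host name and IP from the post, writes them under the same file names the answer uses, and runs the checks a practitioner would apply to such files before starting mongod: that the member PEM chains to the CA file, that the SAN matches the host name, and that the private key and certificate in the combined PEM belong together. The script name, the working-directory layout and the openssl-test.cnf file are assumptions; it needs the openssl command on PATH.

```shell
#!/bin/sh
# Added example, not code from the original post or from MongoDB. Builds a
# throwaway test CA plus a member certificate whose SAN matches the cluster
# host name from the post (WIN-BKEV4AO0KED / 192.168.100.202), then runs the
# checks behind "SSL peer certificate validation failed ... signature of the
# certificate cannot be verified": does the member PEM chain to the CAFile,
# does its SAN match the host name, do key and certificate belong together.
# All file names are assumptions; the outputs reuse the post's file names.
set -eu

# make_test_pki DIR HOST IP
# Writes DIR/test-ca.pem (CA certificate) and DIR/test-server1.pem (private key
# followed by certificate, the combined format mongod's certificateKeyFile reads).
make_test_pki() {
  dir=$1; host=$2; ip=$3
  mkdir -p "$dir"
  # Minimal config so nothing depends on the system openssl.cnf; the SAN and
  # EKU lines play the role of the post's openssl-test-server.conf.
  cat > "$dir/openssl-test.cnf" <<EOF
[ req ]
distinguished_name = req_dn
prompt = no
[ req_dn ]
CN = $host
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:$host, IP:$ip
EOF
  # 1. self-signed test CA
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Test CA" \
    -config "$dir/openssl-test.cnf" -extensions v3_ca \
    -keyout "$dir/test-ca.key" -out "$dir/test-ca.pem" 2>/dev/null
  # 2. member key + CSR (CN = host name, taken from [ req_dn ])
  openssl req -new -newkey rsa:2048 -nodes -config "$dir/openssl-test.cnf" \
    -keyout "$dir/test-server1.key" -out "$dir/test-server1.csr" 2>/dev/null
  # 3. sign the CSR with the CA, attaching SAN/EKU from [ v3_server ]
  openssl x509 -req -days 2 -in "$dir/test-server1.csr" \
    -CA "$dir/test-ca.pem" -CAkey "$dir/test-ca.key" -CAcreateserial \
    -extfile "$dir/openssl-test.cnf" -extensions v3_server \
    -out "$dir/test-server1.crt" 2>/dev/null
  cat "$dir/test-server1.key" "$dir/test-server1.crt" > "$dir/test-server1.pem"
}

# check_member_cert CERT_PEM CA_PEM HOST
# Exit 0 only if CERT_PEM chains to CA_PEM *and* HOST matches its SAN. A member
# certificate signed by a CA other than the one in CAFile fails the chain check,
# which is the condition behind the error in the post's log lines.
check_member_cert() {
  openssl verify -CAfile "$2" -verify_hostname "$3" "$1" >/dev/null 2>&1
}

# check_key_matches_cert CERT_PEM
# Exit 0 if the private key and certificate in the combined PEM share a public key.
check_key_matches_cert() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  [ "$cert_pub" = "$key_pub" ]
}

# report CMD ARGS... : print the verdict of one check without aborting the script
report() { if "$@"; then echo "ok    : $*"; else echo "REJECT: $*"; fi; }

# Stand-alone demo: one good member PEM, then the two ways it gets rejected.
demo() {
  work=$(mktemp -d)
  make_test_pki "$work/good"  WIN-BKEV4AO0KED 192.168.100.202
  make_test_pki "$work/other" WIN-BKEV4AO0KED 192.168.100.202   # an unrelated CA
  report check_member_cert "$work/good/test-server1.pem" "$work/good/test-ca.pem" WIN-BKEV4AO0KED
  report check_key_matches_cert "$work/good/test-server1.pem"
  report check_member_cert "$work/good/test-server1.pem" "$work/other/test-ca.pem" WIN-BKEV4AO0KED
  report check_member_cert "$work/good/test-server1.pem" "$work/good/test-ca.pem" some-other-host
  rm -rf "$work"
}
demo
```

To apply this to a real deployment, call check_member_cert with each member's certificateKeyFile, its CAFile and that member's host name as the other members address it (here WIN-BKEV4AO0KED). A REJECT on the chain check with the real files is the kind of inconsistency that produces the HostUnreachable / peer certificate validation errors in the question's logs. The script only tells you whether the certificate files are consistent with each other and with the host name; it does not change how mongod reads its config file or reproduce the answer's command-line workaround.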

    Regarding "MongoDB cluster upgrade to use SSL/TLS fails", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/72168403/
