Revisions

  1. MarsVard revised this gist Oct 7, 2016. 1 changed file with 4 additions and 4 deletions.
    8 changes: 4 additions & 4 deletions mongodb_ssl_with_letsencrypt.md
    Original file line number Diff line number Diff line change
    @@ -79,15 +79,15 @@ Then you need to download IdenTrust DST Root CA X3 from https://www.identrust.co

    Save it to a file named ```ca.crt``` adding ```-----BEGIN CERTIFICATE-----``` and ```-----END CERTIFICATE-----``` lines.

    Then convert the crt file to a pem using:

    openssl x509 -in /etc/ssl/ca.crt -out /etc/ssl/ca.pem -outform PEM

    Then run:

    printf "\n" >> ca.crt
    cat /etc/letsencrypt/live/mongo0.example.com/chain.pem >> /etc/ssl/ca.crt

    Then convert the crt file to a pem using:

    openssl x509 -in /etc/ssl/ca.crt -out /etc/ssl/ca.pem -outform PEM

    Just to make sure that everything is setup correctly run:

    openssl verify -CAfile /etc/ssl/ca.pem /etc/letsencrypt/live/mongo0.example.com/mongodb.pem
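Review bot: the `openssl x509 -in /etc/ssl/ca.crt -out /etc/ssl/ca.pem` step appears both before and after `cat .../chain.pem >> /etc/ssl/ca.crt`, and the ordering matters: `openssl x509` reads only the first certificate in its input, so running it after the append leaves ca.pem with the root alone, while running it before means chain.pem never reaches ca.pem; either way `openssl verify -CAfile /etc/ssl/ca.pem` cannot find the intermediate that issued the server certificate. Once the BEGIN/END lines are in place ca.crt is already PEM, so a plain `cat` of the root and chain.pem into ca.pem with no conversion is the simplest correct bundle. Also `printf "\n" >> ca.crt` appends to a file in the current directory while the next line writes to /etc/ssl/ca.crt; both should use the absolute path.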
  2. @leommoore leommoore revised this gist Sep 12, 2016. 1 changed file with 2 additions and 1 deletion.
    3 changes: 2 additions & 1 deletion mongodb_ssl_with_letsencrypt.md
    @@ -98,7 +98,8 @@ You should get:

    ##ca.pem

    ```-----BEGIN CERTIFICATE-----
    ```
    -----BEGIN CERTIFICATE-----
    MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/
    MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
    DkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow
  3. @leommoore leommoore revised this gist Sep 12, 2016. 1 changed file with 51 additions and 0 deletions.
    51 changes: 51 additions & 0 deletions mongodb_ssl_with_letsencrypt.md
    @@ -95,6 +95,57 @@ Just to make sure that everything is setup correctly run:
    You should get:

    mongodb.pem: OK

    ##ca.pem

    ```-----BEGIN CERTIFICATE-----
    MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/
    MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
    DkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow
    PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD
    Ew5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
    AN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O
    rz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq
    OLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b
    xiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw
    7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD
    aeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV
    HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG
    SIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69
    ikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr
    AvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz
    R8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5
    JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo
    Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    MIIEkjCCA3qgAwIBAgIQCgFBQgAAAVOFc2oLheynCDANBgkqhkiG9w0BAQsFADA/
    MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
    DkRTVCBSb290IENBIFgzMB4XDTE2MDMxNzE2NDA0NloXDTIxMDMxNzE2NDA0Nlow
    SjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUxldCdzIEVuY3J5cHQxIzAhBgNVBAMT
    GkxldCdzIEVuY3J5cHQgQXV0aG9yaXR5IFgzMIIBIjANBgkqhkiG9w0BAQEFAAOC
    AQ8AMIIBCgKCAQEAnNMM8FrlLke3cl03g7NoYzDq1zUmGSXhvb418XCSL7e4S0EF
    q6meNQhY7LEqxGiHC6PjdeTm86dicbp5gWAf15Gan/PQeGdxyGkOlZHP/uaZ6WA8
    SMx+yk13EiSdRxta67nsHjcAHJyse6cF6s5K671B5TaYucv9bTyWaN8jKkKQDIZ0
    Z8h/pZq4UmEUEz9l6YKHy9v6Dlb2honzhT+Xhq+w3Brvaw2VFn3EK6BlspkENnWA
    a6xK8xuQSXgvopZPKiAlKQTGdMDQMc2PMTiVFrqoM7hD8bEfwzB/onkxEz0tNvjj
    /PIzark5McWvxI0NHWQWM6r6hCm21AvA2H3DkwIDAQABo4IBfTCCAXkwEgYDVR0T
    AQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAYYwfwYIKwYBBQUHAQEEczBxMDIG
    CCsGAQUFBzABhiZodHRwOi8vaXNyZy50cnVzdGlkLm9jc3AuaWRlbnRydXN0LmNv
    bTA7BggrBgEFBQcwAoYvaHR0cDovL2FwcHMuaWRlbnRydXN0LmNvbS9yb290cy9k
    c3Ryb290Y2F4My5wN2MwHwYDVR0jBBgwFoAUxKexpHsscfrb4UuQdf/EFWCFiRAw
    VAYDVR0gBE0wSzAIBgZngQwBAgEwPwYLKwYBBAGC3xMBAQEwMDAuBggrBgEFBQcC
    ARYiaHR0cDovL2Nwcy5yb290LXgxLmxldHNlbmNyeXB0Lm9yZzA8BgNVHR8ENTAz
    MDGgL6AthitodHRwOi8vY3JsLmlkZW50cnVzdC5jb20vRFNUUk9PVENBWDNDUkwu
    Y3JsMB0GA1UdDgQWBBSoSmpjBH3duubRObemRWXv86jsoTANBgkqhkiG9w0BAQsF
    AAOCAQEA3TPXEfNjWDjdGBX7CVW+dla5cEilaUcne8IkCJLxWh9KEik3JHRRHGJo
    uM2VcGfl96S8TihRzZvoroed6ti6WqEBmtzw3Wodatg+VyOeph4EYpr/1wXKtx8/
    wApIvJSwtmVi4MFU5aMqrSDE6ea73Mj2tcMyo5jMd6jmeWUHK8so/joWUoHOUgwu
    X4Po1QYz+3dszkDqMp4fklxBwXRsW10KXzPMTZ+sOPAveyxindmjkW8lGy+QsRlG
    PfZ+G6Z6h7mjem0Y+iWlkYcV4PIWL1iwBi8saCbGS5jN2p8M+X+Q7UNKEkROb3N6
    KOqkqm57TH2H3eDJAkSnh6/DNFu0Qg==
    -----END CERTIFICATE-----
    ```

    #Setup the Certs folder
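Review bot: embedding the full ca.pem contents invites readers to copy trust anchors from a gist instead of from the issuer; the hunk should point at the IdenTrust download already linked in the document and show how to confirm what was fetched, e.g. `openssl x509 -in /etc/ssl/ca.pem -noout -subject -fingerprint -sha256` compared with the fingerprint the CA publishes. Both certificates in the bundle carry their own validity periods, so a bundle pasted into documentation goes stale silently; a sentence on re-fetching it when Let's Encrypt rotates its intermediate would help. Style: `#Setup the Certs folder` is one heading level above the neighbouring `##` headings.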

  4. @leommoore leommoore revised this gist Sep 10, 2016. 1 changed file with 12 additions and 14 deletions.
    26 changes: 12 additions & 14 deletions mongodb_ssl_with_letsencrypt.md
    @@ -73,7 +73,7 @@ Letsencrypt will create the following certs:
    The first thing is to combine the privkey and cert into a single file ```mongodb.pem```.

    cd /etc/letsencrypt/live/mongo0.example.com
    cat privkey.pem cert.pem > mongodb.pem
    cat privkey.pem cert.pem > /etc/ssl/mongodb.pem

    Then you need to download IdenTrust DST Root CA X3 from https://www.identrust.com/certificates/trustid/root-download-x3.html
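Review bot: `cat privkey.pem cert.pem > /etc/ssl/mongodb.pem` creates the file with the caller's default umask, so the private key is readable by other local users until the `chmod 600` that only comes later in the document; prefix the command with `umask 077` (or write the file with `install -m 600`) so the key is never world-readable even briefly. The relocation to /etc/ssl is otherwise sound, and the verify step below still points at the live-directory copy rather than /etc/ssl/mongodb.pem, the file mongod will load.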

    @@ -82,28 +82,26 @@ Save it to a file named ```ca.crt``` adding ```-----BEGIN CERTIFICATE-----``` an
    Then run:

    printf "\n" >> ca.crt
    cat /etc/letsencrypt/live/mongo0.example.com/chain.pem >> ca.crt
    cat /etc/letsencrypt/live/mongo0.example.com/chain.pem >> /etc/ssl/ca.crt

    Then convert the crt file to a pem using:

    openssl x509 -in ca.crt -out ca.pem -outform PEM
    openssl x509 -in /etc/ssl/ca.crt -out /etc/ssl/ca.pem -outform PEM

    Just to make sure that everything is setup correctly run:

    openssl verify -CAfile ca.pem /etc/letsencrypt/live/mongo0.example.com/mongodb.pem
    openssl verify -CAfile /etc/ssl/ca.pem /etc/letsencrypt/live/mongo0.example.com/mongodb.pem

    You should get:

    mongodb.pem: OK

    #Setup the Certs folder

    mkdir /home/certs
    cp mongodb.pem /home/certs
    cp ca.pem /home/certs
    chown -R mongodb:mongodb /home/certs
    chmod 777 ca.pem
    chmod 777 mongodb
    chmod 600 /etc/ssl/ca.pem
    chmod 600 /etc/ssl/mongodb.pem
    chown -R mongodb:mongodb /etc/ssl/ca.pem
    chown -R mongodb:mongodb /etc/ssl/mongodb.pem

    ##Configure MongoDB
    Edit the ```mongod.conf```:
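Review bot: replacing `chmod 777` with `chmod 600` plus `chown mongodb:mongodb` is the important fix in this hunk; two details remain. `printf "\n" >> ca.crt` still uses a relative path while the next line appends to /etc/ssl/ca.crt, so the newline and the chain can land in different files. And 600 on ca.pem is stricter than needed: the CA bundle is public, and the shell command later in the document reads it with `-sslCAFile /etc/ssl/ca.pem` as whatever user runs the shell, so 644 for ca.pem and 600 for mongodb.pem (the file holding the private key) matches each file's sensitivity. `chown -R` on a regular file is harmless, but the `-R` can go.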
    @@ -117,9 +115,9 @@ Specify the SSL locations. You may to specify a PEMKeyPassword if you got the ce
    port: 27017
    ssl:
    mode: requireSSL
    PEMKeyFile: /home/certs/mongodb.pem
    PEMKeyFile: /etc/ssl/mongodb.pem
    PEMKeyPassword:
    CAFile: /home/certs/ca.pem
    CAFile: /etc/ssl/ca.pem

    Restart MongoDB to make sure it is using the new settings:
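Review bot: the config paths now agree with the files created in /etc/ssl, which is good. The YAML as rendered here shows no indentation: in mongod.conf `port` and `ssl` must be nested under `net:`, and `mode`, `PEMKeyFile`, `PEMKeyPassword` and `CAFile` under `ssl:`, or mongod will reject the file; if the indentation was lost in the paste, the block should be re-checked in the gist source.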

    @@ -133,7 +131,7 @@ Try to connect. This should fail as it is now using a SSL connection is now requ

    mongo

    MongoDB shell version: 3.2.3
    MongoDB shell version: 3.2.7
    connecting to: test
    2016-03-08T11:04:26.853+0000 E QUERY [thread1] Error: network error while attempting to run command 'isMaster' on host '127.0.0.1:27017' :
    connect@src/mongo/shell/mongo.js:224:14
    @@ -143,7 +141,7 @@ Try to connect. This should fail as it is now using a SSL connection is now requ

    Then log into the shell using ssl:

    mongo --ssl -sslCAFile /certs/ca.pem --host mongo0.example.com --sslPEMKeyFile /certs/mongodb.pem
    mongo --ssl -sslCAFile /etc/ssl/ca.pem --host mongo0.example.com --sslPEMKeyFile /etc/ssl/mongodb.pem

    From inside the shell you can check that ssl is running:
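Review bot: the option is spelled `-sslCAFile` with one dash beside `--ssl` and `--sslPEMKeyFile` with two; write `--sslCAFile` for consistency so readers do not take it for a different option. The paths now match the mongod.conf in this revision (/etc/ssl/ca.pem and /etc/ssl/mongodb.pem), which fixes the earlier mismatch.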

  5. @leommoore leommoore revised this gist Sep 10, 2016. 1 changed file with 13 additions and 59 deletions.
    72 changes: 13 additions & 59 deletions mongodb_ssl_with_letsencrypt.md
    @@ -35,79 +35,33 @@ To optain the SSL certificate you will need to ensure that your server is access
    To install the client, clone the repostiory from github.

    ```
    git clone https://github.com/letsencrypt/letsencrypt.git
    cd letsencrypt
    sudo apt-get -y install git
    sudo git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt
    cd /opt/letsencrypt
    ```

    ###Request the Certificate
    This process has got a lot easier over the last while.

    ```
    ./letsencrypt-auto certonly -a manual --rsa-key-size 4096 -d mongo0.example.com
    ./letsencrypt-auto certonly -d mongo0.example.com
    ```

    ###Verify Domain Ownership
    The request will generate a similar response like:
    You will be asked of you want letsencrypt to look for an entry in your web server.Presumable if this is just a database server then you will not need to install a web server like apache or nginx. In this case select verification option 2 Stand-alone Server. This should locate the file and create the certificates.

    If you want to verify on a server with a web server you need to add the following to your default web site server block.

    ```
    Make sure your web server displays the following content at
    http://mongo0.example.com/.well-known/acme-challenge/A-xjoIljw52X2SSQWqf9P5TQU9vv4HuPDBXN4qFDoRU before continuing:
    A-xjoI1jw52X2SSQWqf9P5TQU9vv4HuPDBXN4qFDoRU.eefJYv1muREVb9TpEb3qjr9AQsM8IurTn-Svykj0wN0
    If you don't have HTTP server configured, you can run the following
    command on the target server (as root):
    mkdir -p /tmp/letsencrypt/public_html/.well-known/acme-challenge
    cd /tmp/letsencrypt/public_html
    printf "%s" A-xjoI1jw52X2SSQWqf9P5TQU9vv4HuPDBXN4qFDoRU.eefJYv1muREVb9TpEb3qjr9AQsM8IurTn-Svykj0wN0 > .well-known/acme-challenge/A-xjoI1jw52X2SSQWqf9P5TQU9vv4HuPDBXN4qFDoRU
    # run only once per server:
    $(command -v python2 || command -v python2.7 || command -v python2.6) -c \
    "import BaseHTTPServer, SimpleHTTPServer; \
    s = BaseHTTPServer.HTTPServer(('', 80), SimpleHTTPServer.SimpleHTTPRequestHandler); \
    s.serve_forever()"
    Press ENTER to continue
    location ~ /.well-known {
    allow all;
    }
    ```
    <strong>Note: Do not click ENTER as it will try to find the verification file and we have not set it up yet.</strong>

    ###Setting up the Verification File
    Since the mongo server is unlikely to have a web server like Apache or Nginx you should use the do the following to create the verification file and spin up a temporary web server.

    In a new terminal session:

    mkdir -p /tmp/letsencrypt/public_html/.well-known/acme-challenge
    cd /tmp/letsencrypt/public_html
    printf "%s" A-xjoI1jw52X2SSQWqf9P5TQU9vv4HuPDBXN4qFDoRU.eefJYv1muREVb9TpEb3qjr9AQsM8IurTn-Svykj0wN0 > .well-known/acme-challenge/A-xjoI1jw52X2SSQWqf9P5TQU9vv4HuPDBXN4qFDoRU
    # run only once per server:
    $(command -v python2 || command -v python2.7 || command -v python2.6) -c \
    "import BaseHTTPServer, SimpleHTTPServer; \
    s = BaseHTTPServer.HTTPServer(('', 80), SimpleHTTPServer.SimpleHTTPRequestHandler); \
    s.serve_forever()"

    Once this temporary server is running you can go back to the original terminal server session and click RETURN. It will then look for the file at the location specified (http://mongo0.example.com/.well-known/acme-challenge/A-xjoIljw52X2SSQWqf9P5TQU9vv4HuPDBXN4qFDoRU).

    The correct response will look like:
    Remember to restart your web server.

    ```
    IMPORTANT NOTES:
    - If you lose your account credentials, you can recover through
    e-mails sent to [email protected].
    - Congratulations! Your certificate and chain have been saved at
    /etc/letsencrypt/live/mongo0.example.com/fullchain.pem. Your
    cert will expire on 2016-06-08. To obtain a new version of the
    certificate in the future, simply run Let's Encrypt again.
    - Your account credentials have been saved in your Let's Encrypt
    configuration directory at /etc/letsencrypt. You should make a
    secure backup of this folder now. This configuration directory will
    also contain certificates and private keys obtained by Let's
    Encrypt so making regular backups of this folder is ideal.
    - If you like Let's Encrypt, please consider supporting our work by:
    Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
    Donating to EFF: https://eff.org/donate-le
    sudo systemctl reload nginx
    ```

    For more details on renewing certificates <a href="https://gist.github.com/leommoore/53f3723cc023c39feb46">Letsencrypt</a>

    ##Preparing the Letsencrypt cert for use with MongoDB
    Letsencrypt will create the following certs:
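Review bot: `Remember to restart your web server.` and the `sudo systemctl reload nginx` line inside the output block contradict the stand-alone path this revision chooses for a database host with no web server; drop them or move them under the nginx branch. The nginx `location ~ /.well-known { allow all; }` snippet also sits inside the same fence as the old client output and should get its own block. Dropping `-a manual --rsa-key-size 4096` from the `certonly` command silently reverts to the client's default key size; if 4096-bit keys were intended, keep the flag. Stand-alone mode binds port 80 itself, which is worth stating since the removed manual steps ran a Python HTTP server on that port.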

  6. @leommoore leommoore revised this gist Jun 9, 2016. 1 changed file with 6 additions and 7 deletions.
    13 changes: 6 additions & 7 deletions mongodb_ssl_with_letsencrypt.md
    @@ -130,18 +130,17 @@ Then run:
    printf "\n" >> ca.crt
    cat /etc/letsencrypt/live/mongo0.example.com/chain.pem >> ca.crt

    Just to make sure that everything is setup correctly run:

    openssl verify -CAfile ca.crt /etc/letsencrypt/live/mongo0.example.com/mongodb.pem
    Then convert the crt file to a pem using:

    You should get:
    openssl x509 -in ca.crt -out ca.pem -outform PEM

    cert.pem: OK
    Just to make sure that everything is setup correctly run:

    Then convert the crt file to a pem using:
    openssl verify -CAfile ca.pem /etc/letsencrypt/live/mongo0.example.com/mongodb.pem

    openssl x509 -in ca.crt -out ca.pem -outform PEM
    You should get:

    mongodb.pem: OK

    #Setup the Certs folder
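Review bot: the expected output now reads `mongodb.pem: OK`, which matches what `openssl verify` prints (the path it was given), and moving the verification after the conversion means it checks the file mongod will actually use. The remaining logic problem is the conversion itself: `openssl x509 -in ca.crt -out ca.pem -outform PEM` emits only the first certificate of ca.crt, so after `chain.pem` has been appended ca.pem carries the root alone and a certificate issued by the intermediate has nothing to chain to. `openssl crl2pkcs7 -nocrl -certfile ca.pem | openssl pkcs7 -print_certs -noout` lists the subjects in the bundle and makes the count easy to check.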

  7. @leommoore leommoore revised this gist Jun 9, 2016. 1 changed file with 1 addition and 1 deletion.
    2 changes: 1 addition & 1 deletion mongodb_ssl_with_letsencrypt.md
    @@ -123,7 +123,7 @@ The first thing is to combine the privkey and cert into a single file ```mongodb

    Then you need to download IdenTrust DST Root CA X3 from https://www.identrust.com/certificates/trustid/root-download-x3.html

    Save it to a file named ca.crt adding -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.
    Save it to a file named ```ca.crt``` adding ```-----BEGIN CERTIFICATE-----``` and ```-----END CERTIFICATE-----``` lines.

    Then run:

  8. @leommoore leommoore revised this gist Jun 9, 2016. 1 changed file with 22 additions and 13 deletions.
    35 changes: 22 additions & 13 deletions mongodb_ssl_with_letsencrypt.md
    @@ -121,26 +121,35 @@ The first thing is to combine the privkey and cert into a single file ```mongodb
    cd /etc/letsencrypt/live/mongo0.example.com
    cat privkey.pem cert.pem > mongodb.pem

    The next thing is to download the CA authority files from the letsencrypt.org web site:
    Then you need to download IdenTrust DST Root CA X3 from https://www.identrust.com/certificates/trustid/root-download-x3.html

    wget https://letsencrypt.org/certs/isrgrootx3.pem
    wget https://letsencrypt.org/certs/letsencryptauthorityx3.pem

    wget https://letsencrypt.org/certs/isrgrootx1.pem
    wget https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem
    Save it to a file named ca.crt adding -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.


    and combine them into a single file ```letsencryptchain.pem```. Mongo requires the certs to be combined.
    Then run:

    printf "\n" >> ca.crt
    cat /etc/letsencrypt/live/mongo0.example.com/chain.pem >> ca.crt

    Just to make sure that everything is setup correctly run:

    openssl verify -CAfile ca.crt /etc/letsencrypt/live/mongo0.example.com/mongodb.pem

    You should get:

    cert.pem: OK

    Then convert the crt file to a pem using:

    openssl x509 -in ca.crt -out ca.pem -outform PEM

    cat letsencryptauthorityx3.pem isrgrootx3.pem > letsencryptchain.pem

    #Setup the Certs folder

    mkdir /home/certs
    cp mongodb.pem /home/certs
    cp letsencryptchain.pem /home/certs
    cp ca.pem /home/certs
    chown -R mongodb:mongodb /home/certs
    chmod 777 letsencryptchain.pem
    chmod 777 ca.pem
    chmod 777 mongodb

    ##Configure MongoDB
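Review bot: switching from hand-picked root and intermediate downloads to `chain.pem` from the live directory is the right direction, because chain.pem tracks whichever intermediate actually signed the certificate. Two things in the hunk need attention: the expected output `cert.pem: OK` does not match the file being verified (`openssl verify` prints the path it was given, here mongodb.pem), and the `chmod 777` lines kept at the end still leave the combined key file world-writable; `chmod 777 mongodb` names a file that does not exist (it is mongodb.pem), and both chmods run in the letsencrypt live directory rather than /home/certs.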
    @@ -157,7 +166,7 @@ Specify the SSL locations. You may to specify a PEMKeyPassword if you got the ce
    mode: requireSSL
    PEMKeyFile: /home/certs/mongodb.pem
    PEMKeyPassword:
    CAFile: /home/certs/letsencryptchain.pem
    CAFile: /home/certs/ca.pem

    Restart MongoDB to make sure it is using the new settings:

    @@ -181,7 +190,7 @@ Try to connect. This should fail as it is now using a SSL connection is now requ

    Then log into the shell using ssl:

    mongo --ssl -sslCAFile /certs/letsencryptchain.pem --host mongo0.example.com --sslPEMKeyFile /certs/mongodb.pem
    mongo --ssl -sslCAFile /certs/ca.pem --host mongo0.example.com --sslPEMKeyFile /certs/mongodb.pem

    From inside the shell you can check that ssl is running:
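Review bot: the shell command reads the CA bundle from /certs/ca.pem while mongod.conf in the previous hunk points at /home/certs/ca.pem (the same mismatch exists for mongodb.pem); one of the two paths is wrong, and the command fails with a file-not-found unless /certs is a symlink.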

  9. @leommoore leommoore revised this gist Jun 8, 2016. 1 changed file with 4 additions and 0 deletions.
    4 changes: 4 additions & 0 deletions mongodb_ssl_with_letsencrypt.md
    @@ -126,6 +126,10 @@ The next thing is to download the CA authority files from the letsencrypt.org we
    wget https://letsencrypt.org/certs/isrgrootx3.pem
    wget https://letsencrypt.org/certs/letsencryptauthorityx3.pem

    wget https://letsencrypt.org/certs/isrgrootx1.pem
    wget https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem


    and combine them into a single file ```letsencryptchain.pem```. Mongo requires the certs to be combined.

    cat letsencryptauthorityx3.pem isrgrootx3.pem > letsencryptchain.pem
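Review bot: the two newly downloaded files, isrgrootx1.pem and lets-encrypt-x3-cross-signed.pem, are never used: the `cat` on the last line still bundles letsencryptauthorityx3.pem with isrgrootx3.pem. Either feed the new files into letsencryptchain.pem or drop the downloads.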
  10. @leommoore leommoore revised this gist May 3, 2016. 1 changed file with 3 additions and 3 deletions.
    6 changes: 3 additions & 3 deletions mongodb_ssl_with_letsencrypt.md
    @@ -123,12 +123,12 @@ The first thing is to combine the privkey and cert into a single file ```mongodb

    The next thing is to download the CA authority files from the letsencrypt.org web site:

    wget https://letsencrypt.org/certs/isrgrootx1.pem
    wget https://letsencrypt.org/certs/letsencryptauthorityx1.pem
    wget https://letsencrypt.org/certs/isrgrootx3.pem
    wget https://letsencrypt.org/certs/letsencryptauthorityx3.pem

    and combine them into a single file ```letsencryptchain.pem```. Mongo requires the certs to be combined.

    cat letsencryptauthorityx1.pem isrgrootx1.pem > letsencryptchain.pem
    cat letsencryptauthorityx3.pem isrgrootx3.pem > letsencryptchain.pem

    #Setup the Certs folder
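Review bot: renaming isrgrootx1 to isrgrootx3 confuses two different things: ISRG Root X1 is the root, and "X3" is the generation name of the intermediate (Let's Encrypt Authority X3, which at the time was cross-signed by IdenTrust's DST Root CA X3); there is no ISRG root named X3, so `wget https://letsencrypt.org/certs/isrgrootx3.pem` will not fetch a usable file. The bundle needed for CAFile is the intermediate plus the root that clients trust, i.e. letsencryptauthorityx3.pem with isrgrootx1.pem, or the cross-signed intermediate with DST Root CA X3.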

  11. @leommoore leommoore revised this gist Apr 3, 2016. 1 changed file with 1 addition and 6 deletions.
    7 changes: 1 addition & 6 deletions mongodb_ssl_with_letsencrypt.md
    @@ -126,7 +126,7 @@ The next thing is to download the CA authority files from the letsencrypt.org we
    wget https://letsencrypt.org/certs/isrgrootx1.pem
    wget https://letsencrypt.org/certs/letsencryptauthorityx1.pem

    and combine them into a single file ```letsencryptchain.pem```
    and combine them into a single file ```letsencryptchain.pem```. Mongo requires the certs to be combined.

    cat letsencryptauthorityx1.pem isrgrootx1.pem > letsencryptchain.pem

    @@ -187,8 +187,3 @@ From inside the shell you can check that ssl is running:
    "SSLServerHasCertificateAuthority" : true,
    "SSLServerCertificateExpirationDate" : ISODate("2016-07-06T12:09:00Z")
    }



    Mongo requires the certs to be combined.

  12. @leommoore leommoore revised this gist Apr 3, 2016. 1 changed file with 1 addition and 1 deletion.
    2 changes: 1 addition & 1 deletion mongodb_ssl_with_letsencrypt.md
    @@ -123,7 +123,7 @@ The first thing is to combine the privkey and cert into a single file ```mongodb

    The next thing is to download the CA authority files from the letsencrypt.org web site:

    wget https://letsencrypt.org/certs/isrgrootx1.pem">isrgrootx1.pem
    wget https://letsencrypt.org/certs/isrgrootx1.pem
    wget https://letsencrypt.org/certs/letsencryptauthorityx1.pem

    and combine them into a single file ```letsencryptchain.pem```
  13. @leommoore leommoore revised this gist Mar 10, 2016. 1 changed file with 3 additions and 3 deletions.
    6 changes: 3 additions & 3 deletions mongodb_ssl_with_letsencrypt.md
    @@ -120,11 +120,11 @@ The first thing is to combine the privkey and cert into a single file ```mongodb

    cd /etc/letsencrypt/live/mongo0.example.com
    cat privkey.pem cert.pem > mongodb.pem

    The next thing is to download the CA authority files from the letsencrypt.org web site:

    wget https://letsencrypt.org/certs/isrgrootx1.pem">isrgrootx1.pem
    wget https://letsencrypt.org/certs/letsencryptauthorityx1.pem
    wget https://letsencrypt.org/certs/isrgrootx1.pem">isrgrootx1.pem
    wget https://letsencrypt.org/certs/letsencryptauthorityx1.pem

    and combine them into a single file ```letsencryptchain.pem```

  14. @leommoore leommoore revised this gist Mar 10, 2016. 1 changed file with 2 additions and 1 deletion.
    3 changes: 2 additions & 1 deletion mongodb_ssl_with_letsencrypt.md
    @@ -136,7 +136,8 @@ and combine them into a single file ```letsencryptchain.pem```
    cp mongodb.pem /home/certs
    cp letsencryptchain.pem /home/certs
    chown -R mongodb:mongodb /home/certs

    chmod 777 letsencryptchain.pem
    chmod 777 mongodb

    ##Configure MongoDB
    Edit the ```mongod.conf```:
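Review bot: `chmod 777` on letsencryptchain.pem and the key bundle grants read and write to every local user, which for the file holding the private key defeats the point of TLS; the key file should be 600 owned by the mongodb user (the `chown` on the line above already sets the owner) and the CA bundle 644. `chmod 777 mongodb` also names the wrong file (it is mongodb.pem), and neither chmod gives a path, so they act on the current directory rather than /home/certs.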
  15. @leommoore leommoore revised this gist Mar 10, 2016. 1 changed file with 13 additions and 5 deletions.
    18 changes: 13 additions & 5 deletions mongodb_ssl_with_letsencrypt.md
    @@ -118,18 +118,26 @@ Letsencrypt will create the following certs:

    The first thing is to combine the privkey and cert into a single file ```mongodb.pem```.

    cd /etc/letsencrypt/live/mongo0.example.com
    cat privkey.pem cert.pem > mongodb.pem

    The next thing is to download the CA authority files from the letsencrypt.org web site:

    * <a href="https://letsencrypt.org/certs/isrgrootx1.pem">isrgrootx1.pem</a>
    * <a href="https://letsencrypt.org/certs/letsencryptauthorityx1.pem">letsencryptauthorityx1.pem</a>

    wget https://letsencrypt.org/certs/isrgrootx1.pem">isrgrootx1.pem
    wget https://letsencrypt.org/certs/letsencryptauthorityx1.pem

    and combine them into a single file ```letsencryptchain.pem```

    cat letsencryptauthorityx1.pem isrgrootx1.pem > letsencryptchain.pem

    #Setup the Certs folder

    mkdir /home/certs
    cp mongodb.pem /home/certs
    cp letsencryptchain.pem /home/certs
    chown -R mongodb:mongodb /home/certs


    ##Configure MongoDB
    Edit the ```mongod.conf```:
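Review bot: `wget https://letsencrypt.org/certs/isrgrootx1.pem">isrgrootx1.pem` still carries the `">isrgrootx1.pem` tail of the anchor tag it was converted from; as written the shell sees an unterminated double quote, so the line has to end at `.pem`. The `#Setup the Certs folder` heading is also one level up from the `##Configure MongoDB` heading that follows it.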

    @@ -142,9 +150,9 @@ Specify the SSL locations. You may to specify a PEMKeyPassword if you got the ce
    port: 27017
    ssl:
    mode: requireSSL
    PEMKeyFile: /certs/mongodb.pem
    PEMKeyFile: /home/certs/mongodb.pem
    PEMKeyPassword:
    CAFile: /certs/letsencryptchain.pem
    CAFile: /home/certs/letsencryptchain.pem

    Restart MongoDB to make sure it is using the new settings:

  16. @leommoore leommoore revised this gist Mar 10, 2016. 1 changed file with 1 addition and 1 deletion.
    2 changes: 1 addition & 1 deletion mongodb_ssl_with_letsencrypt.md
    @@ -90,7 +90,7 @@ The correct response will look like:
    ```
    IMPORTANT NOTES:
    - If you lose your account credentials, you can recover through
    e-mails sent to support@recinal.com.
    e-mails sent to support@example.com.
    - Congratulations! Your certificate and chain have been saved at
    /etc/letsencrypt/live/mongo0.example.com/fullchain.pem. Your
    cert will expire on 2016-06-08. To obtain a new version of the
  17. @leommoore leommoore revised this gist Mar 10, 2016. 1 changed file with 1 addition and 1 deletion.
    2 changes: 1 addition & 1 deletion mongodb_ssl_with_letsencrypt.md
    @@ -92,7 +92,7 @@ IMPORTANT NOTES:
    - If you lose your account credentials, you can recover through
    e-mails sent to [email protected].
    - Congratulations! Your certificate and chain have been saved at
    /etc/letsencrypt/live/recdat001.recinal.com/fullchain.pem. Your
    /etc/letsencrypt/live/mongo0.example.com/fullchain.pem. Your
    cert will expire on 2016-06-08. To obtain a new version of the
    certificate in the future, simply run Let's Encrypt again.
    - Your account credentials have been saved in your Let's Encrypt
  18. @leommoore leommoore revised this gist Mar 10, 2016. 1 changed file with 11 additions and 4 deletions.
    15 changes: 11 additions & 4 deletions mongodb_ssl_with_letsencrypt.md
    @@ -89,11 +89,18 @@ The correct response will look like:

    ```
    IMPORTANT NOTES:
    - If you lose your account credentials, you can recover through
    e-mails sent to [email protected].
    - Congratulations! Your certificate and chain have been saved at
    /etc/letsencrypt/live/mongo0.example.com/fullchain.pem. Your cert will
    expire on 2016-07-06. To obtain a new version of the certificate in
    the future, simply run Let's Encrypt again.
    - If like Let's Encrypt, please consider supporting our work by:
    /etc/letsencrypt/live/recdat001.recinal.com/fullchain.pem. Your
    cert will expire on 2016-06-08. To obtain a new version of the
    certificate in the future, simply run Let's Encrypt again.
    - Your account credentials have been saved in your Let's Encrypt
    configuration directory at /etc/letsencrypt. You should make a
    secure backup of this folder now. This configuration directory will
    also contain certificates and private keys obtained by Let's
    Encrypt so making regular backups of this folder is ideal.
    - If you like Let's Encrypt, please consider supporting our work by:
    Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
    Donating to EFF: https://eff.org/donate-le
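Review bot: the pasted client output contains a real-looking hostname (recdat001.recinal.com) and the account e-mail; output captured from a live run should be scrubbed before publishing. The note it carries about /etc/letsencrypt holding private keys is worth lifting into the prose: the backup advice applies to the key material, and the directory's permissions should be kept as the client set them.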
  19. @leommoore leommoore revised this gist Mar 8, 2016. 1 changed file with 2 additions and 2 deletions.
    4 changes: 2 additions & 2 deletions mongodb_ssl_with_letsencrypt.md
    @@ -115,8 +115,8 @@ The first thing is to combine the privkey and cert into a single file ```mongodb

    The next thing is to download the CA authority files from the letsencrypt.org web site:

    <a href="https://letsencrypt.org/certs/isrgrootx1.pem">isrgrootx1.pem</a>
    <a href="https://letsencrypt.org/certs/letsencryptauthorityx1.pem">letsencryptauthorityx1.pem</a>
    * <a href="https://letsencrypt.org/certs/isrgrootx1.pem">isrgrootx1.pem</a>
    * <a href="https://letsencrypt.org/certs/letsencryptauthorityx1.pem">letsencryptauthorityx1.pem</a>


    and combine them into a single file ```letsencryptchain.pem```
  20. @leommoore leommoore revised this gist Mar 8, 2016. 1 changed file with 3 additions and 2 deletions.
    5 changes: 3 additions & 2 deletions mongodb_ssl_with_letsencrypt.md
    @@ -115,8 +115,9 @@ The first thing is to combine the privkey and cert into a single file ```mongodb

    The next thing is to download the CA authority files from the letsencrypt.org web site:

    https://letsencrypt.org/certs/isrgrootx1.pem
    https://letsencrypt.org/certs/letsencryptauthorityx1.pem
    <a href="https://letsencrypt.org/certs/isrgrootx1.pem">isrgrootx1.pem</a>
    <a href="https://letsencrypt.org/certs/letsencryptauthorityx1.pem">letsencryptauthorityx1.pem</a>


    and combine them into a single file ```letsencryptchain.pem```

  21. @leommoore leommoore revised this gist Mar 8, 2016. 1 changed file with 1 addition and 1 deletion.
    2 changes: 1 addition & 1 deletion mongodb_ssl_with_letsencrypt.md
    @@ -15,7 +15,7 @@ Set the hostname in the file to:
    mongo0.example.com

    ##Modify the hosts file
    Modify the hosts file to . Obviously on mongo1 the 127.0.0.1 will point at localhost mongo1.example.com
    Modify the hosts file. If you are using a replica set then, obviously on mongo1 the 127.0.0.1 will point at localhost mongo1.example.com. For more information on setting up a replica set see <a href="https://gist.github.com/leommoore/309de7c0042ed697ee84">Setting up a Replica Set on AWS EC2</a>.

    sudo nano /etc/hosts
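Review bot: worth stating why the hosts entry matters: the shell command later in the document connects with `--host mongo0.example.com`, and TLS hostname verification compares that name with the certificate's CN, so mapping the name to 127.0.0.1 is what lets a local client connect over TLS at all; connecting to 127.0.0.1 or localhost by name would fail verification.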

  22. @leommoore leommoore revised this gist Mar 8, 2016. 1 changed file with 45 additions and 24 deletions.
    69 changes: 45 additions & 24 deletions mongodb_ssl_with_letsencrypt.md
    @@ -109,7 +109,7 @@ Letsencrypt will create the following certs:
    * fullchain.pem
    * privkey.pem

    The first thing is to combine the privateKey and cert into a single file.
    The first thing is to combine the privkey and cert into a single file ```mongodb.pem```.

    cat privkey.pem cert.pem > mongodb.pem
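Review bot: `cat privkey.pem cert.pem > mongodb.pem` captures the current contents of the live symlinks, so after each renewal the combined file is stale until this step is rerun and mongod restarted; a renewal hook that regenerates mongodb.pem is the usual fix. Using cert.pem rather than fullchain.pem also means the server does not send the intermediate, which is why the CA bundle on the client side has to contain it.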

    @@ -118,37 +118,58 @@ The next thing is to download the CA authority files from the letsencrypt.org we
    https://letsencrypt.org/certs/isrgrootx1.pem
    https://letsencrypt.org/certs/letsencryptauthorityx1.pem

    https://letsencrypt.org/certs/lets-encrypt-x1-cross-signed.pem


    cat letsencryptauthorityx1.pem isrgrootx1.pem > letsencryptchain.pem
    and combine them into a single file ```letsencryptchain.pem```

    cat letsencryptauthorityx1.pem isrgrootx1.pem > letsencryptchain.pem

    sudo service mongod restart
    tail -20 /var/log/mongodb/mongod.log
    ##Configure MongoDB
    Edit the ```mongod.conf```:

    Logging the shell into the mongo db secured with ssl:
    sudo nano /etc/mongod.conf

    # network interfaces
    net:
    port: 27017
    ssl:
    mode: requireSSL
    PEMKeyFile: /home/ubuntu/certs/mongodb.pem
    PEMKeyPassword:
    CAFile: /home/ubuntu/certs/letsencryptchain.pem
    Specify the SSL locations. You may to specify a PEMKeyPassword if you got the cert from an different source than letsencrypt.

    # network interfaces
    net:
    port: 27017
    ssl:
    mode: requireSSL
    PEMKeyFile: /certs/mongodb.pem
    PEMKeyPassword:
    CAFile: /certs/letsencryptchain.pem

    Restart MongoDB to make sure it is using the new settings:

    sudo service mongod restart

    Check that is is running:

    tail -20 /var/log/mongodb/mongod.log

    Try to connect. This should fail as it is now using a SSL connection is now required.

    mongo

    MongoDB shell version: 3.2.3
    connecting to: test
    2016-03-08T11:04:26.853+0000 E QUERY [thread1] Error: network error while attempting to run command 'isMaster' on host '127.0.0.1:27017' :
    connect@src/mongo/shell/mongo.js:224:14
    @(connect):1:6

    exception: connect failed

    Then log into the shell using ssl:

    mongo --ssl -sslCAFile letsencryptchain.pem --host mongo0.recinal.com --sslPEMKeyFile mongodb.pem
    mongo --ssl -sslCAFile /certs/letsencryptchain.pem --host mongo0.example.com --sslPEMKeyFile /certs/mongodb.pem

    Check that ssl is running:
    From inside the shell you can check that ssl is running:

    rs0:SECONDARY> db.serverStatus().security
    {
    "SSLServerSubjectName" : "CN=mongo0.example.com",
    "SSLServerHasCertificateAuthority" : true,
    "SSLServerCertificateExpirationDate" : ISODate("2016-07-06T12:09:00Z")
    }
    db.serverStatus().security
    {
    "SSLServerSubjectName" : "CN=mongo0.example.com",
    "SSLServerHasCertificateAuthority" : true,
    "SSLServerCertificateExpirationDate" : ISODate("2016-07-06T12:09:00Z")
    }



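Review bot: the connection command in this hunk passes `-sslCAFile` with a single dash while its other options use two (`--ssl`, `--host`, `--sslPEMKeyFile`); the mongo shell takes the long form, so it should read `--sslCAFile /certs/letsencryptchain.pem`. The `net:`/`ssl:`/`PEMKeyFile:` lines are shown flush left, but in `mongod.conf` `ssl` must be nested under `net` and the three keys under `ssl`, otherwise the file does not parse. Two wording problems in the added prose: "You may to specify a PEMKeyPassword" is missing "need", and "This should fail as it is now using a SSL connection is now required" should be "This should fail, as an SSL connection is now required". Worth stating that the empty `PEMKeyPassword:` is correct only because the Letsencrypt key is not encrypted, and the `tail -20 /var/log/mongodb/mongod.log` check would be more useful if it said what a successful start looks like versus an error opening the PEM or CA file.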
  23. @leommoore leommoore revised this gist Mar 8, 2016. 1 changed file with 60 additions and 10 deletions.
    70 changes: 60 additions & 10 deletions mongodb_ssl_with_letsencrypt.md
    @@ -69,7 +69,7 @@ Press ENTER to continue
    ```
    <strong>Note: Do not click ENTER as it will try to find the verification file and we have not set it up yet.</strong>

    ##Setting up the Verification File
    ###Setting up the Verification File
    Since the mongo server is unlikely to have a web server like Apache or Nginx you should use the do the following to create the verification file and spin up a temporary web server.

    In a new terminal session:
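Review bot: the heading demotion to `###` fits the restructuring, but the sentence "you should use the do the following to create the verification file" has a stray "use the"; suggest "you should do the following". "Click ENTER" should be "press ENTER" in the note and in the sentence that follows it.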
    @@ -85,22 +85,72 @@ In a new terminal session:

    Once this temporary server is running you can go back to the original terminal server session and click RETURN. It will then look for the file at the location specified (http://mongo0.example.com/.well-known/acme-challenge/A-xjoIljw52X2SSQWqf9P5TQU9vv4HuPDBXN4qFDoRU).


    ```
    cd /usr/share/nginx/html
    printf "%s" A-xjoI1jw52X2SSQWqf9P5TQU9vv4HuPDBXN4qFDoRU.eefJYv1muREVb9TpEb3qjr9AQsM8IurTn-Svykj0wN0 > .well-known/acme-challenge/A-xjoI1jw52X2SSQWqf9P5TQU9vv4HuPDBXN4qFDoRU
    ```

    This will create the required file. Now click ENTER in the original terminal session. The correct response will look like:
    The correct response will look like:

    ```
    IMPORTANT NOTES:
    - Congratulations! Your certificate and chain have been saved at
    /etc/letsencrypt/live/www.example.com/fullchain.pem. Your cert will
    expire on 2016-03-06. To obtain a new version of the certificate in
    /etc/letsencrypt/live/mongo0.example.com/fullchain.pem. Your cert will
    expire on 2016-07-06. To obtain a new version of the certificate in
    the future, simply run Let's Encrypt again.
    - If like Let's Encrypt, please consider supporting our work by:
    Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
    Donating to EFF: https://eff.org/donate-le
    ```

    For more details on renewing certificates <a href="https://gist.github.com/leommoore/53f3723cc023c39feb46">Letsencrypt</a>

    ##Preparing the Letsencrypt cert for use with MongoDB
    Letsencrypt will create the following certs:

    * cert.pem
    * chain.pem
    * fullchain.pem
    * privkey.pem

    The first thing is to combine the privateKey and cert into a single file.

    cat privkey.pem cert.pem > mongodb.pem

    The next thing is to download the CA authority files from the letsencrypt.org web site:

    https://letsencrypt.org/certs/isrgrootx1.pem
    https://letsencrypt.org/certs/letsencryptauthorityx1.pem

    https://letsencrypt.org/certs/lets-encrypt-x1-cross-signed.pem


    cat letsencryptauthorityx1.pem isrgrootx1.pem > letsencryptchain.pem

    sudo service mongod restart
    tail -20 /var/log/mongodb/mongod.log

    Logging the shell into the mongo db secured with ssl:

    # network interfaces
    net:
    port: 27017
    ssl:
    mode: requireSSL
    PEMKeyFile: /home/ubuntu/certs/mongodb.pem
    PEMKeyPassword:
    CAFile: /home/ubuntu/certs/letsencryptchain.pem



    mongo --ssl -sslCAFile letsencryptchain.pem --host mongo0.recinal.com --sslPEMKeyFile mongodb.pem

    Check that ssl is running:

    rs0:SECONDARY> db.serverStatus().security
    {
    "SSLServerSubjectName" : "CN=mongo0.example.com",
    "SSLServerHasCertificateAuthority" : true,
    "SSLServerCertificateExpirationDate" : ISODate("2016-07-06T12:09:00Z")
    }



    Mongo requires the certs to be combined.

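Review bot: the connection command uses `--host mongo0.recinal.com` while every other step uses `mongo0.example.com`; this looks like a real hostname that leaked in from the author's environment and should be replaced with the placeholder (and `-sslCAFile` needs two dashes, like the other options). The CA list includes `lets-encrypt-x1-cross-signed.pem`, but the `cat` only combines `letsencryptauthorityx1.pem` and `isrgrootx1.pem`, so either explain why the cross-signed file is fetched or drop that URL. Ordering in the added text is confusing: `sudo service mongod restart` and the log `tail` appear before the config they are meant to apply, the `net:`/`ssl:` block sits under the lead-in "Logging the shell into the mongo db secured with ssl:" even though it is the server configuration, and the orphan "Mongo requires the certs to be combined." at the end repeats the combine step above. Minor: "For more details on renewing certificates <a ...>Letsencrypt</a>" is missing "see".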
  24. @leommoore leommoore revised this gist Mar 8, 2016. 1 changed file with 46 additions and 10 deletions.
    56 changes: 46 additions & 10 deletions mongodb_ssl_with_letsencrypt.md
    @@ -2,33 +2,55 @@
    <a href="https://letsencrypt.org">Letsencrypt</a> is an initative which aims to increase the use of encryption for websites. It basically allows people to apply for free certificates provided that they prove the they control the requested domain. We will look at the what is needed to secure your MongoDB installation. For more details on setting up a MongoDB server see <a href="https://gist.github.com/leommoore/43ef7178cec18a05ba91">MongoDB 3.2.x</a>.

    ##Set the hostname
    We sould to set the hostname to match the name of the certificate we are going to optain.

    The first step is to get a ssl certificate for your server.
    sudo hostname mongo0.example.com

    Then update the hostname file to set the server name permanently.

    sudo nano /etc/hostname

    ##Installation
    Set the hostname in the file to:

    mongo0.example.com

    ##Modify the hosts file
    Modify the hosts file to . Obviously on mongo1 the 127.0.0.1 will point at localhost mongo1.example.com

    sudo nano /etc/hosts

    127.0.0.1 localhost mongo0.example.com
    52.51.12.62 mongo0.example.com

    ##Setup the DNS entry
    The hosts file entry is fine for local name resolution but to obtain a SSL certificate from Letsencrypt it will need to be able to resolve the name externally. So you will need to create a DNS entry (A or AAAA) to point at your server.

    ##Ports
    To optain the SSL certificate you will need to ensure that your server is accessable over port 80 and 443 as Letsencrypt will use this to connect to confirm that you control the domain.


    ##Getting the SSL certificate for your server.

    ###Installation
    To install the client, clone the repostiory from github.

    ```
    git clone https://github.com/letsencrypt/letsencrypt.git
    cd letsencrypt
    ```

    ##Request the Certificate
    ###Request the Certificate

    ```
    ./letsencrypt-auto certonly -a manual --rsa-key-size 4096 -d mongo0.example.com
    ```

    ##Verify Domain Ownership

    The next step is to provide a file with certain content available under a special URL ie (```www.example.com/.well-known/acme-challenge```).

    ###Verify Domain Ownership
    The request will generate a similar response like:

    ```
    Make sure your web server displays the following content at
    http://www.example.com/.well-known/acme-challenge/A-xjoIljw52X2SSQWqf9P5TQU9vv4HuPDBXN4qFDoRU before continuing:
    http://mongo0.example.com/.well-known/acme-challenge/A-xjoIljw52X2SSQWqf9P5TQU9vv4HuPDBXN4qFDoRU before continuing:
    A-xjoI1jw52X2SSQWqf9P5TQU9vv4HuPDBXN4qFDoRU.eefJYv1muREVb9TpEb3qjr9AQsM8IurTn-Svykj0wN0
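Review bot: "Modify the hosts file to . Obviously on mongo1 the 127.0.0.1 will point at localhost mongo1.example.com" is an incomplete sentence; say what the two entries are for (loopback mapped to the hostname, and the server's public address mapped to it), which is what the example below shows. That example uses `52.51.12.62`, which reads like a real address and should be a documentation placeholder. The "Ports" paragraph says the server must be reachable on 80 and 443, but the manual challenge served in the next section listens only on port 80, so the steps shown only require 80; either say so or explain when 443 is needed. Typos in the added text: "sould", "optain" (twice), "accessable", "repostiory", "initative", and "prove the they".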
    @@ -45,11 +67,25 @@ s = BaseHTTPServer.HTTPServer(('', 80), SimpleHTTPServer.SimpleHTTPRequestHandle
    s.serve_forever()"
    Press ENTER to continue
    ```
    <strong>Note: Do not click ENTER as it will try to find the verification file and we have not set it up yet.</strong>

    ##Setting up the Verification File
    Since the mongo server is unlikely to have a web server like Apache or Nginx you should use the do the following to create the verification file and spin up a temporary web server.

    ##Create the Verification File
    To create the file you will need a new terminal session. Do not click ENTER or it will try and find the file.
    In a new terminal session:

    mkdir -p /tmp/letsencrypt/public_html/.well-known/acme-challenge
    cd /tmp/letsencrypt/public_html
    printf "%s" A-xjoI1jw52X2SSQWqf9P5TQU9vv4HuPDBXN4qFDoRU.eefJYv1muREVb9TpEb3qjr9AQsM8IurTn-Svykj0wN0 > .well-known/acme-challenge/A-xjoI1jw52X2SSQWqf9P5TQU9vv4HuPDBXN4qFDoRU
    # run only once per server:
    $(command -v python2 || command -v python2.7 || command -v python2.6) -c \
    "import BaseHTTPServer, SimpleHTTPServer; \
    s = BaseHTTPServer.HTTPServer(('', 80), SimpleHTTPServer.SimpleHTTPRequestHandler); \
    s.serve_forever()"

    Once this temporary server is running you can go back to the original terminal server session and click RETURN. It will then look for the file at the location specified (http://mongo0.example.com/.well-known/acme-challenge/A-xjoIljw52X2SSQWqf9P5TQU9vv4HuPDBXN4qFDoRU).


    ```
    cd /usr/share/nginx/html
    printf "%s" A-xjoI1jw52X2SSQWqf9P5TQU9vv4HuPDBXN4qFDoRU.eefJYv1muREVb9TpEb3qjr9AQsM8IurTn-Svykj0wN0 > .well-known/acme-challenge/A-xjoI1jw52X2SSQWqf9P5TQU9vv4HuPDBXN4qFDoRU
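Review bot: the challenge token is transcribed inconsistently within this hunk: the URL uses `A-xjoIljw52...` (letter l) while the file name and the key authorization use `A-xjoI1jw52...` (digit 1), so a reader copying these lines would publish the file under the wrong path. Better to present the token and key-authorization as values to be copied from the client's own prompt, since they are unique to each request and the ones here are long dead. The temporary Python server runs as root on port 80 and `serve_forever()` never returns, so the text should tell the reader to stop it (Ctrl-C) as soon as the certificate is issued. The `/usr/share/nginx/html` block left at the end of the hunk now duplicates the `/tmp/letsencrypt/public_html` steps and writes into a `.well-known/acme-challenge` directory that is never created there.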
  25. @leommoore leommoore revised this gist Mar 8, 2016. 1 changed file with 1 addition and 1 deletion.
    2 changes: 1 addition & 1 deletion mongodb_ssl_with_letsencrypt.md
    @@ -1,5 +1,5 @@
    #MongoDB 3.2.x SSL with Letsencrypt
    Letsencrypt (https://letsencrypt.org) is an initative which aims to increase the use of encryption for websites. It basically allows people to apply for free certificates provided that they prove the they control the requested domain. We will look at the what is needed to secure your MongoDB installation. For more details on setting up a MongoDB server see <a href="https://gist.github.com/leommoore/43ef7178cec18a05ba91">MongoDB 3.2.x</a>.
    <a href="https://letsencrypt.org">Letsencrypt</a> is an initative which aims to increase the use of encryption for websites. It basically allows people to apply for free certificates provided that they prove the they control the requested domain. We will look at the what is needed to secure your MongoDB installation. For more details on setting up a MongoDB server see <a href="https://gist.github.com/leommoore/43ef7178cec18a05ba91">MongoDB 3.2.x</a>.

    ##Set the hostname

  26. @leommoore leommoore revised this gist Mar 8, 2016. 1 changed file with 1 addition and 1 deletion.
    2 changes: 1 addition & 1 deletion mongodb_ssl_with_letsencrypt.md
    @@ -1,5 +1,5 @@
    #MongoDB 3.2.x SSL with Letsencrypt
    Letsencrypt (https://letsencrypt.org) is an initative which aims to increase the use of encryption for websites. It basically allows people to apply for free certificates provided that they prove the they control the requested domain. We will look at the what is needed to secure your MongoDB installation.
    Letsencrypt (https://letsencrypt.org) is an initative which aims to increase the use of encryption for websites. It basically allows people to apply for free certificates provided that they prove the they control the requested domain. We will look at the what is needed to secure your MongoDB installation. For more details on setting up a MongoDB server see <a href="https://gist.github.com/leommoore/43ef7178cec18a05ba91">MongoDB 3.2.x</a>.

    ##Set the hostname

  27. @leommoore leommoore revised this gist Mar 8, 2016. 1 changed file with 69 additions and 1 deletion.
    70 changes: 69 additions & 1 deletion mongodb_ssl_with_letsencrypt.md
    @@ -1,2 +1,70 @@
    #MongoDB 3.2.x SSL with Letsencrypt
    The wonderful https://letsencrypt.org/ offer a way to get trusted ssl certificates which you can use to secure your MongoDB installation.
    Letsencrypt (https://letsencrypt.org) is an initative which aims to increase the use of encryption for websites. It basically allows people to apply for free certificates provided that they prove the they control the requested domain. We will look at the what is needed to secure your MongoDB installation.

    ##Set the hostname

    The first step is to get a ssl certificate for your server.


    ##Installation
    To install the client, clone the repostiory from github.

    ```
    git clone https://github.com/letsencrypt/letsencrypt.git
    cd letsencrypt
    ```

    ##Request the Certificate

    ```
    ./letsencrypt-auto certonly -a manual --rsa-key-size 4096 -d mongo0.example.com
    ```

    ##Verify Domain Ownership

    The next step is to provide a file with certain content available under a special URL ie (```www.example.com/.well-known/acme-challenge```).

    The request will generate a similar response like:

    ```
    Make sure your web server displays the following content at
    http://www.example.com/.well-known/acme-challenge/A-xjoIljw52X2SSQWqf9P5TQU9vv4HuPDBXN4qFDoRU before continuing:
    A-xjoI1jw52X2SSQWqf9P5TQU9vv4HuPDBXN4qFDoRU.eefJYv1muREVb9TpEb3qjr9AQsM8IurTn-Svykj0wN0
    If you don't have HTTP server configured, you can run the following
    command on the target server (as root):
    mkdir -p /tmp/letsencrypt/public_html/.well-known/acme-challenge
    cd /tmp/letsencrypt/public_html
    printf "%s" A-xjoI1jw52X2SSQWqf9P5TQU9vv4HuPDBXN4qFDoRU.eefJYv1muREVb9TpEb3qjr9AQsM8IurTn-Svykj0wN0 > .well-known/acme-challenge/A-xjoI1jw52X2SSQWqf9P5TQU9vv4HuPDBXN4qFDoRU
    # run only once per server:
    $(command -v python2 || command -v python2.7 || command -v python2.6) -c \
    "import BaseHTTPServer, SimpleHTTPServer; \
    s = BaseHTTPServer.HTTPServer(('', 80), SimpleHTTPServer.SimpleHTTPRequestHandler); \
    s.serve_forever()"
    Press ENTER to continue
    ```

    ##Create the Verification File
    To create the file you will need a new terminal session. Do not click ENTER or it will try and find the file.
    In a new terminal session:

    ```
    cd /usr/share/nginx/html
    printf "%s" A-xjoI1jw52X2SSQWqf9P5TQU9vv4HuPDBXN4qFDoRU.eefJYv1muREVb9TpEb3qjr9AQsM8IurTn-Svykj0wN0 > .well-known/acme-challenge/A-xjoI1jw52X2SSQWqf9P5TQU9vv4HuPDBXN4qFDoRU
    ```

    This will create the required file. Now click ENTER in the original terminal session. The correct response will look like:

    ```
    IMPORTANT NOTES:
    - Congratulations! Your certificate and chain have been saved at
    /etc/letsencrypt/live/www.example.com/fullchain.pem. Your cert will
    expire on 2016-03-06. To obtain a new version of the certificate in
    the future, simply run Let's Encrypt again.
    - If like Let's Encrypt, please consider supporting our work by:
    Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
    Donating to EFF: https://eff.org/donate-le
    ```
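Review bot: the "Create the Verification File" step writes to `/usr/share/nginx/html/.well-known/acme-challenge/...` without creating that directory, so the redirect fails on a fresh host, and it does not match the `/tmp/letsencrypt/public_html` web root that the quoted client output serves from; either reuse the client's own `mkdir -p`/`cd` lines or adjust the path. The hostname alternates between `www.example.com` (in the challenge URL and the cert path) and `mongo0.example.com` (the `-d` argument), and the sample output says the certificate expires on 2016-03-06, which precedes this revision's date of 8 Mar 2016 and cannot be right for a freshly issued cert; use a clearly hypothetical date. Typos in the intro: "initative", "prove the they", "the what is needed".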
  28. @leommoore leommoore created this gist Mar 8, 2016.
    2 changes: 2 additions & 0 deletions mongodb_ssl_with_letsencrypt.md
    @@ -0,0 +1,2 @@
    #MongoDB 3.2.x SSL with Letsencrypt
    The wonderful https://letsencrypt.org/ offer a way to get trusted ssl certificates which you can use to secure your MongoDB installation.