I - Making Mongo SSL certs for a MongoDB server replica set

# Check openssl version

openssl version

# openssl options

openssl genrsa: generates a private key
openssl req: generates a CSR
openssl x509: generates the certificate

1. Create the private key for the root CA issuer

openssl genrsa -passout file:./rootCA/pphrase -out ./rootCA/rootCA.key -aes256

2. Create the root CA certificate

openssl req -x509 -new -key ./rootCA/rootCA.key -days 7300 -config ./root-ssl-config.cnf -out ./rootCA/rootCA.crt

# View the certificate

openssl x509 -noout -text -in ./rootCA/rootCA.crt

3. Create a CSR for each of the member servers/hosts

SUBJECT="/C=CA/ST=ON/L=Barrie/O=AG-NAV Inc./OU=SD/CN=localhost/emailAddress=software@agnav.com"

openssl req -new -nodes -newkey rsa:2048 -subj "$SUBJECT" -keyout server1.key -out server1.csr

or using the shell script:

./makeCSR <hostname>

4. Sign the CSR to create the certificate for the member

openssl x509 -req -days 7300 -in server1.csr -CA ./rootCA/rootCA.crt -CAkey ./rootCA/rootCA.key -CAcreateserial -out ./server1.crt -sha256 -extfile v3-ext.cnf

5. Create a PEM (privacy-enhanced mail format) file for mongod

cat server1.key server1.crt > server1.pem

or using the shell script (for steps 4 and 5):

./makeCert <hostname>
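Steps 3 to 5 above, collected into one checked procedure as an added example; this is not the page's makeCSR/makeCert script (which the page does not show). It assumes openssl is on the PATH, builds a throwaway root CA for the run, uses the constructed hostname agndb0.example.test, and writes its own extension file in place of the page's v3-ext.cnf, whose contents the page does not give.

```shell
# Added example, not the page's makeCSR/makeCert scripts. Assumes openssl in PATH.
set -eu

# Writes a throwaway root CA into "$1" (constructed for this example; the page's
# real CA key is passphrase-protected with -aes256 and lives under ./rootCA/).
make_test_root_ca() {
  ca_dir=$1
  mkdir -p "$ca_dir"
  openssl req -x509 -new -nodes -newkey rsa:2048 -sha256 -days 30 \
    -subj "/C=CA/ST=ON/L=Barrie/O=AG-NAV Inc./OU=SD/CN=example-root-ca" \
    -keyout "$ca_dir/rootCA.key" -out "$ca_dir/rootCA.crt" 2>/dev/null
}

# make_member_cert <hostname> <out_dir> <ca_dir>: the page's steps 3 to 5 in one go.
make_member_cert() {
  host=$1; out=$2; ca=$3
  mkdir -p "$out"
  # Step 3: key + CSR. Keep O and OU identical on every replica-set member:
  # mongod requires O, OU and DC to match across member certificates.
  openssl req -new -nodes -newkey rsa:2048 -sha256 \
    -subj "/C=CA/ST=ON/L=Barrie/O=AG-NAV Inc./OU=SD/CN=$host" \
    -keyout "$out/$host.key" -out "$out/$host.csr" 2>/dev/null
  # Constructed stand-in for the page's v3-ext.cnf. A SAN is needed for hostname
  # validation (CN-only certificates are deprecated), and a member cert that
  # carries an EKU must include clientAuth, because members also connect as clients.
  cat > "$out/$host.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:$host, DNS:localhost, IP:127.0.0.1
EOF
  # Step 4: sign the CSR with the root CA.
  openssl x509 -req -days 7300 -sha256 -in "$out/$host.csr" \
    -CA "$ca/rootCA.crt" -CAkey "$ca/rootCA.key" -CAcreateserial \
    -extfile "$out/$host.ext" -out "$out/$host.crt" 2>/dev/null
  # Step 5: PEM = private key followed by certificate, which is what mongod loads.
  cat "$out/$host.key" "$out/$host.crt" > "$out/$host.pem"
  chmod 440 "$out/$host.key" "$out/$host.pem"
}

# Checks the result before deploying: chains to the CA, key matches the cert,
# and the SAN names the host. Returns 0 only if all three hold.
verify_member_cert() {
  host=$1; out=$2; ca=$3
  openssl verify -CAfile "$ca/rootCA.crt" "$out/$host.crt" >/dev/null 2>&1 || return 1
  key_pub=$(openssl pkey -in "$out/$host.pem" -pubout 2>/dev/null)
  crt_pub=$(openssl x509 -in "$out/$host.pem" -noout -pubkey 2>/dev/null)
  [ "$key_pub" = "$crt_pub" ] || return 1
  openssl x509 -in "$out/$host.crt" -noout -text 2>/dev/null | grep -q "DNS:$host"
}
```

Run `make_test_root_ca ./ca && make_member_cert agndb0.example.test ./out ./ca && verify_member_cert agndb0.example.test ./out ./ca` to produce and check a member PEM; for real use point the ca argument at the page's ./rootCA/ directory instead.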

6. Deploy (as root)

Move the <hostname>.crt, .pem and .csr files to /etc/ssl/certs/

Move the <hostname>.key (private key) file to /etc/ssl/private/

Change permissions on all of them to read-only (440)

# (Optional) Create an appcerts group, then add the users root, www-data, mongodb and rabbitmq to it

Reference:

https://www.bustedware.com/blog/mongodb-ssl-tls-x509-authentication#create-certificate-authority
https://www.mydbops.com/blog/securing-mongodb-cluster-with-tls-ssl
https://www.ibm.com/docs/en/hpvs/1.2.x?topic=SSHPMH_1.2.x/topics/create_ca_signed_certificates.htm
https://www.filecloud.com/supportdocs/fcdoc/latest/server/filecloud-administrator-guide/filecloud-site-setup/filecloud-high-availability/configure-mongodb-cluster-to-use-tls-ssl-with-cluster-authentication-and-mongodb-authentication-on-linux

II - Replace/Renew/Rotate SSL x509 certs for a replica set

1. Make CSRs

./makeCSR.sh agndb0.agnav.com
./makeCSR.sh agndb1.agnav.com
./makeCSR.sh agndb2.agnav.com

2. Make certs

./makeCert.sh agndb0.agnav.com
./makeCert.sh agndb1.agnav.com
./makeCert.sh agndb2.agnav.com

3. Copy them to each node to deploy

scp ./rootCA/rootCA.crt agnav@kanboard.agnav.com:~/agnav_rootCA.crt
scp agndb2* agnav@kanboard.agnav.com:~/
scp -P 22222 agndb1* agm@agmission-1.agnav.com:~/
scp -P 22889 agndb0* agmission@agmission.agnav.com:~/

## Check after copying

ssh agnav@kanboard.agnav.com 'ls ~/'
ssh -p 22222 agm@agmission-1.agnav.com 'ls ~/'
ssh -p 22889 agmission@agmission.agnav.com 'ls ~/'

3.2 Copy them to the deploy storage location

4. Restart each member, secondaries first and the primary last

5. Verify they all work.

mongo -u admin -p 'Minad!2019' --authenticationDatabase 'admin'

rs.status()

tail -n 500 /var/log/mongodb/mongod.log

Reference:

https://www.mongodb.com/docs/manual/tutorial/rotate-x509-membership-certificates/