To get MongoDB with SSL support on Ubuntu 12.04 you need to either purchase it or compile it from source.
To make compiling from source easy, here’s a script to help you out!
Mongo Compile SSL from Source Script
Note: Make sure you are not running an EC2 Small instance or you will run out of space!
    #!/bin/bash
    # Build MongoDB with SSL support from source and package the binaries.
    set -e

    RELEASE=precise
    ARCH=amd64
    BASE=$PWD
    VERSION=2.4.3

    apt-get -y install git-core build-essential scons libssl-dev

    # Grab the source code over HTTPS (git:// is unauthenticated and unencrypted).
    git clone https://github.com/mongodb/mongo.git
    cd mongo
    git checkout r$VERSION

    # Build it with SSL enabled and mostly statically.
    mkdir -p "$BASE/opt"
    scons install --64 --ssl --release --no-glibc-check --prefix="$BASE/opt/mongo"

    # Pack it up.
    cd "$BASE/opt"
    tar czvf mongo-$VERSION-$RELEASE-$ARCH.tgz mongo/bin
Backup Current Instance
    echo "dumping mongo db"
    now=$(date +"%d_%m_%Y")
    mkdir /root/${now}_mongodump
    cd /root/${now}_mongodump
    mongodump
Stopping Mongo
Single Instance
Try to stop mongodb via the service:
    # service mongodb stop
Otherwise connect to your instance and tell it to shut down:
    root@mongodb01:~# mongo
    MongoDB shell version: 2.4.2
    connecting to: test
    rsQA:PRIMARY> use admin
    switched to db admin
    rsQA:PRIMARY> db.shutdownServer({timeoutSecs: 1});
If you are running an HA Mongo with an arbiter
Determine the master, secondary and arbiter
    root@mongodb01:~# mongo
    MongoDB shell version: 2.4.2
    connecting to: test
    rsQA:PRIMARY> db.isMaster()
    {
        "setName" : "rsQA",
        "ismaster" : true,
        "secondary" : false,
        "hosts" : [
            "mongodb01:27017",
            "mongodb02:27017"
        ],
        "arbiters" : [
            "mongoarb03:27017"
        ],
        "primary" : "mongodb01:27017",
        "me" : "mongodb01:27017",
        "maxBsonObjectSize" : 16777216,
        "maxMessageSizeBytes" : 48000000,
        "localTime" : ISODate("2013-05-16T18:41:56.543Z"),
        "ok" : 1
    }
    rsQA:PRIMARY>
Shut down the arbiter, master, then secondary
Upgrade Mongo to 2.4.3
    echo "Current Mongodb Version"
    dpkg -s mongodb-10gen | grep -i "version"
    echo "Removing Current Mongo DB Install"
    apt-get remove mongodb-10gen
    echo "updating packages"
    apt-get update
    echo "Installing Mongo 2.4.3"
    apt-get install mongodb-10gen=2.4.3
Deploying the binaries
    echo "Extracting built ssl binaries"
    # The build script above names the archive mongo-$VERSION-$RELEASE-$ARCH.tgz
    tar xzvf mongo-2.4.3-precise-amd64.tgz
    cp ./mongo/bin/* /usr/bin
Setting up the SSL cert
To configure SSL for mongo you need to combine your key and certificate into a single PEM file and modify your config file.
Combining crt and key
    cat some.key some.crt > /etc/ssl/mongo.pem
Have a GoDaddy cert? No problem!
    cat some.key some.crt gd_bundle.crt > /etc/ssl/mongo.pem
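The combined file holds the private key, so it is worth checking that the key and certificate belong together and creating the file with owner-only permissions. The following is an added example, not part of the original post; `build_mongo_pem` and `make_sample_pair` are hypothetical helper names, and the key pairs it generates are constructed throwaway samples.

```shell
#!/bin/bash
# Added example: build the PEM file referenced by sslPEMKeyFile.
# build_mongo_pem and make_sample_pair are hypothetical helper names.

# Usage: build_mongo_pem KEY CERT OUT [CHAIN]
# Returns 0 on success, 1 if key and certificate do not match, 2 on other errors.
build_mongo_pem() {
    local key="$1" cert="$2" out="$3" chain="${4:-}"
    local key_pub cert_pub
    # The public key derived from the private key must equal the certificate's.
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 2
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 2
    if [ "$key_pub" != "$cert_pub" ]; then
        echo "refusing to write $out: key and certificate do not match" >&2
        return 1
    fi
    # The file holds the private key, so create it readable by its owner only.
    # umask covers a new file; chmod covers an existing one with looser modes.
    ( umask 077 && cat "$key" "$cert" ${chain:+"$chain"} > "$out" ) || return 2
    chmod 600 "$out"
}

# Constructed sample input: a throwaway self-signed pair NAME.key / NAME.crt in DIR.
make_sample_pair() {
    local dir="$1" name="$2"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$name" \
        -keyout "$dir/$name.key" -out "$dir/$name.crt" 2>/dev/null
}

# Demo in a temporary directory (nothing under /etc is touched).
demo_dir=$(mktemp -d)
make_sample_pair "$demo_dir" good
make_sample_pair "$demo_dir" other
build_mongo_pem "$demo_dir/good.key" "$demo_dir/good.crt" "$demo_dir/mongo.pem" \
    && ls -l "$demo_dir/mongo.pem"
build_mongo_pem "$demo_dir/good.key" "$demo_dir/other.crt" "$demo_dir/bad.pem" \
    || echo "mismatched pair rejected"
rm -rf "$demo_dir"
```

On the server, pass `/etc/ssl/mongo.pem` as the output path and make the file owned by the account mongod runs as, since mode 600 leaves it unreadable to every other user.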
Update your Mongo config file
    echo "sslOnNormalPorts = true" >> /etc/mongodb.conf
    echo "sslPEMKeyFile = /etc/ssl/mongo.pem" >> /etc/mongodb.conf
Final SSL in Mongo Config File
    # cat /etc/mongodb.conf | grep -v "#" | grep -v "^$"
    dbpath=/var/lib/mongodb
    logpath=/var/log/mongodb/mongodb.log
    logappend=true
    sslOnNormalPorts = true
    sslPEMKeyFile = /etc/ssl/mongo.pem
Problems accessing the console?
That’s good! That means you are using SSL!! Here’s the error you are probably getting:
    root@mongodb01:~# mongo
    MongoDB shell version: 2.4.3
    connecting to: test
    Thu May 16 18:34:21.375 Socket recv() errno:104 Connection reset by peer 127.0.0.1:27017
    Thu May 16 18:34:21.375 SocketException: remote: 127.0.0.1:27017 error: 9001 socket exception [1] server [127.0.0.1:27017]
    Thu May 16 18:34:21.376 DBClientCursor::init call() failed
    Thu May 16 18:34:21.377 JavaScript execution failed: Error: DBClientBase::findN: transport error: 127.0.0.1:27017 ns: admin.$cmd query: { whatsmyuri: 1 } at src/mongo/shell/mongo.js:L112
    exception: connect failed
Accessing the Mongo console after the SSL binaries are installed
    root@mongodb01:~# mongo --ssl
    MongoDB shell version: 2.4.3
    connecting to: test
    rsQA:PRIMARY>
Thank you. Your script ended many hours of pain.