MongoDB SSL - unable to get issuer certificate

I am trying to configure SSL/TLS with mongod on Ubuntu 20.04 LTS. The mongod version is 5.0.5. For generating SSL/TLS, I am using SSL/TLS certificates from Let's Encrypt. I used this command for generating the SSL/TLS certificate.

    sudo certbot certonly --standalone --preferred-challenges http -d example.domain.com

To configure it with mongod, I did the following steps:

  • Copied fullchain.pem and privkey.pem file into a folder.

  • Use this command to generate mongodb.pem file for mongod.

    cat privkey.pem fullchain.pem > mongodb.pem

  • For ca.pem, I went to this URL, https://letsencrypt.org/certificates/, and downloaded the Intermediate Certificates -> Active -> Let’s Encrypt R3 -> Signed by ISRG Root X1 (pem) file. I saved this file with the name ca.pem in the same directory as the fullchain.pem/privkey.pem files.

  • Verified certificate using this command. It returned mongodb.pem: OK

    openssl verify -CAfile ca.crt mongodb.pem

  • Then I configured SSL/TLS with mongod. I added the following lines in /etc/mongod.conf:

    net:
      port: 27017
      bindIp: 0.0.0.0
      tls:
        mode: requireTLS
        certificateKeyFile: /path/to/mongodb.pem
        CAFile: /path/to/ca.pem
        allowConnectionsWithoutCertificates: false

  • Restarted the mongod service, and it is running with active (running) status.

  • I am trying to connect to mongodb using the following command.

    mongo --tls --tlsCAFile ca.pem --tlsCertificateKeyFile mongodb.pem --host mongodb.example-domain.com

  • But I am getting this error when I try to connect to mongodb using the above command:

    SSL peer certificate validation failed: unable to get issuer certificate

I don't know what I am doing wrong in the whole process. Can anybody help me with this SSL/TLS certificate issue? Thanks.
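Added example, not part of the original question: a shell check of whether a CA file, on its own, chains a certificate up to a self-signed root, run against a constructed root/intermediate/leaf chain laid out like the files above. The function names, file names and subjects are assumptions made for the demo; `-no-CApath` is used because `openssl verify -CAfile` otherwise also searches the system certificate directory.

```shell
#!/bin/sh
# Added example. Every key and certificate below is constructed test data.

# Succeeds only if CAFILE by itself chains CERT up to a self-signed root.
# -no-CApath stops openssl from also searching the system certificate directory.
ca_file_completes_chain() {   # usage: ca_file_completes_chain CAFILE CERT
    openssl verify -no-CApath -CAfile "$1" "$2" 2>&1
}

# Build a constructed root -> intermediate -> leaf chain in directory $1, then
# lay the files out as in the question: mongodb.pem (key + chain) and two
# candidate CA files (intermediate only; intermediate plus root).
make_constructed_chain() {
    d=$1
    printf '%s\n' '[req]' 'distinguished_name = dn' '[dn]' 'CN = unused' \
        '[ca]' 'basicConstraints = critical,CA:TRUE' > "$d/cfg"
    new_csr() {   # new_csr NAME SUBJECT: fresh key plus signing request
        openssl req -new -config "$d/cfg" -newkey rsa:2048 -nodes \
            -keyout "$d/$1.key" -out "$d/$1.csr" -subj "$2" 2>/dev/null
    }
    openssl req -x509 -config "$d/cfg" -extensions ca -newkey rsa:2048 -nodes -days 2 \
        -keyout "$d/root.key" -out "$d/root.pem" -subj "/CN=Constructed Root" 2>/dev/null &&
    new_csr int "/CN=Constructed Intermediate" &&
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -extfile "$d/cfg" -extensions ca -days 2 -out "$d/int.pem" 2>/dev/null &&
    new_csr leaf "/CN=db.example.test" &&
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
        -CAcreateserial -days 2 -out "$d/leaf.pem" 2>/dev/null &&
    cat "$d/leaf.key" "$d/leaf.pem" "$d/int.pem" > "$d/mongodb.pem" &&
    cp "$d/int.pem" "$d/ca_intermediate_only.pem" &&
    cat "$d/int.pem" "$d/root.pem" > "$d/ca_with_root.pem"
}

# Demo: verify the same server file against each candidate CA file.
work=$(mktemp -d) && make_constructed_chain "$work" || exit 1
for ca in ca_intermediate_only.pem ca_with_root.pem; do
    echo "== CAfile: $ca"
    ca_file_completes_chain "$work/$ca" "$work/mongodb.pem" || echo "   -> chain incomplete"
done
rm -rf "$work"
```

Dropping `-no-CApath` from the check lets a root that is present in the system directory complete the chain, so the result no longer describes the CA file alone.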



Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow
