How to correctly configure MongoDB to use Letsencrypt SSL on Ubuntu
You combined the wrong pem files. You need to combine privkey.pem with cert.pem.
cat /etc/letsencrypt/live/example.com/privkey.pem /etc/letsencrypt/live/example.com/cert.pem > /etc/ssl/mongo.pem
For the CAFile you need to download IdenTrust DST Root CA X3 from https://www.identrust.com/certificates/trustid/root-download-x3.html
sudo touch /etc/ssl/ca.crt
sudo chmod 777 /etc/ssl/ca.crt
Add the certificate from the website, add the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines, and make sure the file ends with a newline when saving it:
sudo vi /etc/ssl/ca.crt
Then convert the crt file to a pem using:
sudo touch /etc/ssl/ca.pem
sudo chmod 777 /etc/ssl/ca.pem
sudo openssl x509 -in /etc/ssl/ca.crt -out /etc/ssl/ca.pem -outform PEM
And combine it with chain.pem from Let's Encrypt into a single file, ca.pem:
sudo cat /etc/letsencrypt/live/example.com/chain.pem >> /etc/ssl/ca.pem
To set the CAFile, follow this mongo configuration setup:
net:
  port: 27017
  bindIp: 0.0.0.0
  ssl:
    mode: requireSSL
    PEMKeyFile: /etc/ssl/mongo.pem
    CAFile: /etc/ssl/ca.pem
Restart MongoDB:
sudo systemctl restart mongod
sudo systemctl status mongod
Don't forget that when you renew the Let's Encrypt certificates, you also need to renew mongo.pem and ca.pem.
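As an added example (not code from either answer), a POSIX shell deploy hook that assembles mongo.pem and ca.pem from the certbot live directory the way the answer above describes, sanity-checks both files before mongod sees them, and restarts mongod after each renewal; the /etc/ssl output paths and the mongod service name are assumed from the answer, and RENEWED_LINEAGE is the environment variable certbot exports to deploy hooks.

```shell
#!/bin/sh
# Added example: build and sanity-check the two PEM files mongod needs,
# from certbot's live directory (privkey.pem, cert.pem, chain.pem).
# Output paths /etc/ssl/mongo.pem and /etc/ssl/ca.pem follow the answer above.

# Number of PEM blocks of type $2 (e.g. CERTIFICATE) in file $1.
count_blocks() {
    grep -c "^-----BEGIN $2-----" "$1"
}

# The answer requires a trailing newline; $(tail -c1) is empty (the newline
# is stripped by command substitution) exactly when the file ends with one.
ends_with_newline() {
    [ -z "$(tail -c1 "$1")" ]
}

# mongo.pem = private key + leaf certificate (not fullchain.pem, not chain.pem).
# Built under umask 077 so the key is never world readable.
build_mongo_pem() {
    ( umask 077; cat "$1/privkey.pem" "$1/cert.pem" > "$2" )
}

# ca.pem = the intermediate chain only; it carries no key, so 644 is fine.
build_ca_pem() {
    cat "$1/chain.pem" > "$2" && chmod 644 "$2"
}

# Exactly one private key, at least one certificate, trailing newline.
check_mongo_pem() {
    [ "$(grep -c '^-----BEGIN .*PRIVATE KEY-----' "$1")" -eq 1 ] &&
    [ "$(count_blocks "$1" CERTIFICATE)" -ge 1 ] &&
    ends_with_newline "$1"
}

# No private key at all, at least one certificate, trailing newline.
check_ca_pem() {
    ! grep -q 'PRIVATE KEY' "$1" &&
    [ "$(count_blocks "$1" CERTIFICATE)" -ge 1 ] &&
    ends_with_newline "$1"
}

# certbot sets RENEWED_LINEAGE (the live dir) for deploy hooks, so this file can
# be installed as /etc/letsencrypt/renewal-hooks/deploy/mongo.sh (assumed path).
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    build_mongo_pem "$RENEWED_LINEAGE" /etc/ssl/mongo.pem
    build_ca_pem "$RENEWED_LINEAGE" /etc/ssl/ca.pem
    check_mongo_pem /etc/ssl/mongo.pem && check_ca_pem /etc/ssl/ca.pem \
        && systemctl restart mongod
fi
```

Run it by hand once with RENEWED_LINEAGE=/etc/letsencrypt/live/example.com to build the files initially; the check functions also catch the original mistake of a chain or key landing in the wrong file.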
The CA file you need can be obtained from Let's Encrypt; look for one of the intermediate certificates here:
https://letsencrypt.org/certificates/
Then, specify the path to that certificate with the SSL CAFile option.