How to correctly configure MongoDB to use Let's Encrypt SSL on Ubuntu

You are combining the wrong PEM files. You need to combine privkey.pem with cert.pem.

sudo sh -c 'cat /etc/letsencrypt/live/example.com/privkey.pem /etc/letsencrypt/live/example.com/cert.pem > /etc/ssl/mongo.pem'

For the CAFile you need to download IdenTrust DST Root CA X3 from https://www.identrust.com/certificates/trustid/root-download-x3.html

sudo touch /etc/ssl/ca.crt
sudo chmod 644 /etc/ssl/ca.crt

Add the certificate of the website, add the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines, and make sure the file ends with a newline when you save it:

sudo vi /etc/ssl/ca.crt

Then convert the crt file to a pem using:

sudo touch /etc/ssl/ca.pem
sudo chmod 644 /etc/ssl/ca.pem
sudo openssl x509 -in /etc/ssl/ca.crt -out /etc/ssl/ca.pem -outform PEM

And combine with chain.pem from Let's Encrypt into a single file ca.pem:

sudo sh -c 'cat /etc/letsencrypt/live/example.com/chain.pem >> /etc/ssl/ca.pem'

To set the CAFile follow this mongo configuration setup:

net:  
  port: 27017
  bindIp: 0.0.0.0
  ssl:  
    mode: requireSSL  
    PEMKeyFile: /etc/ssl/mongo.pem
    CAFile: /etc/ssl/ca.pem

Restart MongoDB:

sudo systemctl restart mongod
sudo systemctl status mongod

Don't forget that when you renew the Let's Encrypt certificates, you also need to renew mongo.pem and ca.pem.
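
The renewal step in the answer above can be automated with a certbot deploy hook. The script below is an added example, not part of the original answer: it rebuilds both files only if the renewed key and certificate match, and keeps the private key unreadable to other users. The hook file name and the mongodb service account are assumptions; the paths are the ones used above.

```shell
#!/bin/sh
# Added example: certbot deploy hook, e.g. saved as
# /etc/letsencrypt/renewal-hooks/deploy/mongodb.sh (file name is an assumption).
# Paths match the answer above; the "mongodb" service account is an assumption.
set -eu

# combine_pem MODE OUT FILE...: concatenate FILEs into OUT atomically with MODE.
# On any failure the previous OUT is left untouched.
combine_pem() {
    mode=$1; out=$2; shift 2
    tmp=$(mktemp "$out.XXXXXX")   # mktemp creates the file with mode 0600
    if cat "$@" > "$tmp" && chmod "$mode" "$tmp" && mv "$tmp" "$out"; then
        return 0
    fi
    rm -f "$tmp"
    return 1
}

# key_matches_cert KEY CERT: succeed only if both carry the same public key.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ "$k" = "$c" ]
}

# certbot sets RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/example.com)
# when it runs a deploy hook; outside certbot this part is skipped.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    key=$RENEWED_LINEAGE/privkey.pem
    cert=$RENEWED_LINEAGE/cert.pem
    key_matches_cert "$key" "$cert" || {
        echo "key/cert mismatch, keeping old files" >&2; exit 1; }
    combine_pem 600 /etc/ssl/mongo.pem "$key" "$cert"
    chown mongodb:mongodb /etc/ssl/mongo.pem
    combine_pem 644 /etc/ssl/ca.pem /etc/ssl/ca.crt "$RENEWED_LINEAGE/chain.pem"
    systemctl restart mongod
fi
```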


The CA file you need can be obtained from Let's Encrypt; look for one of the intermediate certificates here:

https://letsencrypt.org/certificates/

Then, specify the path to that certificate with the SSL CAFile option.