2015-06-30



Now that we're rolling out SSL with the Compose MongoDB+ beta, we're also noticing that some people are getting caught out by MongoDB SSL. A typical example is when someone gets themselves a new MongoDB+ installation with SSL enabled and goes to log in for the first time...

Well, that's an unhelpful error message. Especially when you find out what caused it – the local version of the mongo command doesn't have SSL in it or it has those libraries and no --ssl flag is present. It is either a plain Mongo client failing to talk to an SSL enabled server or an SSL enabled client which hasn't been told to use SSL. Yes, it's a really unhelpful error message.

Do I even have SSL?

Let's start with the first case. How do you know whether your local Mongo installation has SSL? Well, if you run mongo --help and don't see any options for SSL, then you've got a version without SSL... read on. If they are there, skip forward to connecting with SSL.

"But wait," you say, "MongoDB 3.0 comes with SSL enabled in all its binaries, doesn't it?" You'd think that, especially when you look in the documentation and see:

That "Most" is the gotcha. While the Windows and Linux versions of MongoDB available on MongoDB.org do include SSL, the Mac OS X and Solaris distributions do not. We'll concentrate here on the Mac OS X platform as it's much more likely to be causing problems for more people given the popularity of the laptops.

There are instructions for installing MongoDB on OS X which cover setting it up but first of all, you'll need to set up Homebrew. If you already have MongoDB installed via Homebrew, play safe and remove all older versions with

We now have a clean slate to work from. Next, make sure brew is up-to-date with brew update and then run

And now's a good time to get a brew, be it coffee or something else, because this build is going to be from source rather than Homebrew's pre-built casks...

... anyway, once that's done, you've got SSL-enabled MongoDB binaries and we can move on to...

Connecting with SSL

If you want to connect to an SSL-enabled MongoDB+ then there are two ways to do it, the bad way and the good way. The bad way looks like this...

And with just those two extra flags, you'll be logged into the Mongo shell. DO NOT DO THIS. Apart from generating a log entry that an invalid certificate has been used, it degrades your security somewhat, as an invalid certificate could also be a bad guy's certificate being used to let a man-in-the-middle attack take place.

What you need is a certificate from the server that will identify it and be usable in the cryptography underlying SSL. And it just happens there's a certificate available on your Compose MongoDB+ dashboard. Log into your account, select your MongoDB+ deployment and on the Overview page you'll see an SSL Public Key panel with a Show SSL Public Key button. Click that, enter your password and the page will refresh with the key details.

You'll want to copy and paste all the text, from -----BEGIN to END CERTIFICATE-----, into a file on your local file system. For this example we'd save it as example.pem. Now we can give this certificate to the mongo command like so:

And we'll get a connection which checks the certificate and ensures we're connecting to the right server.
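The two checks described in this post (does mongo --help list an --ssl option, and was the certificate pasted whole from -----BEGIN to END CERTIFICATE-----) can be scripted before the first connection attempt. This is an added shell example, not part of the original post; the function names are hypothetical, and the PEM check validates only the framing of the pasted file, not the certificate's contents.

```shell
#!/bin/sh
# Added example: preflight checks before connecting to an SSL-enabled deployment.
# Function names are hypothetical; nothing here contacts a server.

# Reads `mongo --help` output on stdin.
# Succeeds only if a stand-alone --ssl option is listed.
help_has_ssl() {
    grep -Eq -e '(^|[[:space:]])--ssl([[:space:]]|$)'
}

# Succeeds only if file $1 is one or more complete PEM certificate blocks:
# every BEGIN has a matching END, bodies are base64, nothing sits outside them.
pem_is_complete() {
    [ -r "$1" ] || return 2
    awk '
        { sub(/\r$/, "") }                    # tolerate CRLF from a browser paste
        /^[[:space:]]*$/ { next }             # ignore blank lines
        $0 == "-----BEGIN CERTIFICATE-----" {
            if (inside) bad = 1               # BEGIN seen twice without an END
            inside = 1; body = 0; certs++; next
        }
        $0 == "-----END CERTIFICATE-----" {
            if (!inside || body == 0) bad = 1 # END without BEGIN, or empty body
            inside = 0; next
        }
        inside && $0 ~ "^[A-Za-z0-9+/=]+$" { body++; next }
        { bad = 1 }                           # stray text or a non-base64 line
        END { if (bad || inside || certs == 0) exit 1 }
    ' "$1"
}

# Runs both checks against the local mongo shell and the saved certificate file.
preflight() {
    command -v mongo >/dev/null 2>&1 ||
        { echo "mongo shell not found on PATH" >&2; return 1; }
    mongo --help 2>&1 | help_has_ssl ||
        { echo "this mongo build lists no --ssl option" >&2; return 1; }
    pem_is_complete "$1" ||
        { echo "$1 is not a complete PEM certificate" >&2; return 1; }
    echo "ok: SSL-capable client and well-formed certificate file"
}
```

Calling `preflight example.pem` reports which of the two problems applies, which the client's own error message does not.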

Now you are connecting to Compose's MongoDB+ with SSL enabled. Remember that if you don't want SSL, you can deselect the SSL checkbox when creating the deployment, but it is better, if your drivers support it, to have SSL enabled.
