meteor-up
                                
Specifying a MongoDB tlsCAFile option
I'm trying to connect to a DigitalOcean MongoDB instance, which requires providing a certificate file in the form of a tlsCAFile option added to the MONGO_URL connection string.
The issue is that I don't know where to put that file or how to reference it. I tried putting it in my DO instance's root directory but then got a permission denied, open '/root/ca-certificate.crt' error. I guess the app doesn't run as root when it needs to load that file, since it's inside a Docker container? How can I make this work?
Any advice on this?
Hi Sacha, I use mup as well and connect to DigitalOcean's new MongoDB. I store the cert in the Meteor private folder, "private/DO-ca-certificate.crt", and then add the following to the settings file:
"packages": {
  "mongo": {
    "options": {
      "tls": true,
      "tlsCAFileAsset": "DO-ca-certificate.crt"
    }
  }
}
Oh thanks! So if you do this you can drop the tlsCAFile option from the MONGO_URL env variable?
Hi James, Thanks for the info.
I'm also having an issue trying to get an existing application to connect to DigitalOcean MongoDB.
From a local shell, I can connect to the Mongo database using this command:
mongo "mongodb+srv://user:[email protected]/admin?otherSettings" --tls --tlsCAFile /pathTo/ca-certificate.crt
But I get this error when I try to run the application

Yeah, so I use this flag on the MONGO_URL: &tlsAllowInvalidCertificates=true, and it seems to be the only thing that gets it to work. @RobGordon406 I am not sure if that will solve your specific issue. I have about 20 apps connecting to DigitalOcean now, so it does work. Also, if you are interested, I use SolarWinds DPM (VividCortex) for monitoring the MongoDB. I had to work with their tech support to get the monitoring working because of the TLS, but we did get it eventually.
@jamesgibson14 Thanks - &tlsAllowInvalidCertificates=true did the trick!
I'm trying to test the tlsCAFileAsset setting, and running the app locally with meteor it seems to work. However, when deploying the app (running Meteor 2.6.1, Mup version 1.5.5) with mup, I get:
2022-03-14 23:25:07 | path: '/built_app/programs/server/assets/app/ca.pem'
2022-03-14 23:25:07 | code: 'ENOENT',
2022-03-14 23:25:07 | syscall: 'open',
2022-03-14 23:25:07 | errno: -2,
2022-03-14 23:25:07 | at module (packages/test:logger/server.js:1:743) {
2022-03-14 23:25:07 | at Module.moduleLink [as link] (/built_app/programs/server/npm/node_modules/meteor/modules/node_modules/@meteorjs/reify/lib/runtime/index.js:52:22)
2022-03-14 23:25:07 | at Module.require (packages/modules-runtime.js:238:14)
2022-03-14 23:25:07 | at fileEvaluate (packages/modules-runtime.js:336:7)
2022-03-14 23:25:07 | at module (packages/test:logger/collection.js:3:21)
2022-03-14 23:25:07 | at new Collection (packages/mongo/collection.js:106:40)
2022-03-14 23:25:07 | at Object.defaultRemoteCollectionDriver (packages/underscore.js:784:19)
2022-03-14 23:25:07 | at Object.<anonymous> (packages/mongo/remote_collection_driver.js:37:10)
2022-03-14 23:25:07 | at new MongoInternals.RemoteCollectionDriver (packages/mongo/remote_collection_driver.js:4:16)
2022-03-14 23:25:07 | at new MongoConnection (packages/mongo/mongo_driver.js:184:3)
2022-03-14 23:25:07 | at new MongoClient (/built_app/programs/server/npm/node_modules/meteor/npm-mongo/node_modules/mongodb/lib/mongo_client.js:62:63)
2022-03-14 23:25:07 | at parseOptions (/built_app/programs/server/npm/node_modules/meteor/npm-mongo/node_modules/mongodb/lib/connection_string.js:296:9)
2022-03-14 23:25:07 | at setOption (/built_app/programs/server/npm/node_modules/meteor/npm-mongo/node_modules/mongodb/lib/connection_string.js:432:36)
2022-03-14 23:25:07 | at transform (/built_app/programs/server/npm/node_modules/meteor/npm-mongo/node_modules/mongodb/lib/connection_string.js:917:23)
2022-03-14 23:25:07 | at Object.readFileSync (fs.js:393:35)
2022-03-14 23:25:07 | at Object.openSync (fs.js:497:3)
2022-03-14 23:25:07 | Error: ENOENT: no such file or directory, open '/built_app/programs/server/assets/app/ca.pem'
EDIT: It seems the problem could be that the package test:logger is trying to create a Mongo collection, but since packages cannot access assets outside of the package itself, it fails to find the required certificate file. However, I can't get rid of the error by simply deleting any Mongo-related code from the test:logger package. I still get the errors from packages/test:logger/collection.js, which now no longer exists in the code base. I tried removing all temp builds from cache and deleting .meteor/local, didn't help 🤷
tlsAllowInvalidCertificates=true is not working anymore!!! DigitalOcean has started to always require a working file.
@jamesgibson14, do you have any workaround by any chance?
It is still working for me.
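
An added example, not written by any commenter and not part of mup or Meteor: a Node.js pre-deploy check for the settings discussed in this thread. It reports MONGO_URL options that weaken certificate validation and confirms that the file named by tlsCAFile or tlsCAFileAsset can actually be read. The helper name `checkMongoTls`, the `assetDir` parameter and the sample host are assumptions.

```javascript
const fs = require('fs');
const os = require('os');
const path = require('path');

// URI options (lower-cased) that weaken server certificate or hostname validation.
const INSECURE = ['tlsallowinvalidcertificates', 'tlsallowinvalidhostnames', 'tlsinsecure'];
// Hypothetical helper: returns findings; an empty list means a readable CA file is configured.
// assetDir is the directory the asset name resolves against (assets/app in the deployed bundle).
function checkMongoTls(mongoUrl, settings, assetDir) {
  const findings = [];
  const q = mongoUrl.indexOf('?');
  // MongoDB URI option names are case-insensitive, so normalise the keys.
  const params = new Map();
  for (const [k, v] of new URLSearchParams(q < 0 ? '' : mongoUrl.slice(q + 1))) {
    params.set(k.toLowerCase(), v);
  }
  for (const name of INSECURE) {
    if ((params.get(name) || '').toLowerCase() === 'true') {
      findings.push(`${name}=true weakens server certificate validation`);
    }
  }
  const opts = ((settings.packages || {}).mongo || {}).options || {};
  const caPath = params.get('tlscafile') ||
    (opts.tlsCAFileAsset ? path.join(assetDir, opts.tlsCAFileAsset) : null);
  if (!caPath) return [...findings, 'no tlsCAFile or tlsCAFileAsset configured'];
  try {
    const pem = fs.readFileSync(caPath, 'utf8'); // ENOENT / EACCES surface here
    if (!pem.includes('-----BEGIN CERTIFICATE-----')) {
      findings.push(`${caPath}: not a PEM certificate`);
    }
  } catch (err) {
    findings.push(`${caPath}: ${err.code}`);
  }
  return findings;
}

// Constructed sample data: a placeholder CA file in a temp dir standing in for assets/app.
function demo() {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'assets-app-'));
  fs.writeFileSync(path.join(dir, 'DO-ca-certificate.crt'),
    '-----BEGIN CERTIFICATE-----\n(constructed placeholder)\n-----END CERTIFICATE-----\n');
  const settings = { packages: { mongo: { options: { tls: true, tlsCAFileAsset: 'DO-ca-certificate.crt' } } } };
  const url = 'mongodb+srv://user:pw@db.example.invalid/admin';
  return {
    ok: checkMongoTls(url, settings, dir),
    bypass: checkMongoTls(url + '?tls=true&tlsAllowInvalidCertificates=true', settings, dir),
    missing: checkMongoTls(url, settings, path.join(dir, 'nope')),
  };
}
console.log(demo());
```

Running the check inside the deployed container, with `assetDir` pointed at the bundle's assets directory, reproduces the ENOENT and permission-denied cases from this thread before the app starts.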