MongoDB for Developers with Python Transcripts
Chapter: Deploying MongoDB in production (and playing it safe)
Lecture: Adding encrypted communication for MongoDB
0:00 For our MongoDB server we want to add
0:02 communication-level encryption, basically SSL.
0:05 Now we could go get a proper SSL certificate, we could even use Let's Encrypt,
0:10 but because this is only talked to from our few servers
0:14 we can actually just do an auto-generated one, so a self-signed certificate.
0:18 Let's go over here to /etc/ssl, let's see what's here,
0:22 not so much, alright, so the next thing that we want to do
0:26 is we want to run OpenSSL to generate this key.
0:29 Now, I'm going to give you a link that you can copy this from
0:32 so don't worry about trying to type this in,
0:34 so notice it's good for 365 days,
0:36 we could put way more on here if we really wanted,
0:43 save yourself some trouble,
0:46 and it's going to be output into these two, a public and a private key. Let's go.
0:53 Then you can basically put whatever you want, I'll go in and put some stuff here,
1:03 okay, so I entered some, sort of, kind of accurate data,
1:07 and now we have our two keys, our two MongoDB public and private keys,
1:11 the next thing is to generate a PEM file
1:15 which is really just the combination of the public and private key
1:19 and we could do that with a cat command like this,
1:23 so we run this, and now we've got the private key and the certificate there, okay great.
1:32 Now, the next thing to do is actually tell MongoDB
1:36 hey, I would like you to use encryption
1:39 and I would like you to use this particular key
1:43 so notice, we're over here in /etc/ssl,
1:46 and we're going to get that mongodb.pem we just got,
1:50 so let's edit the config here, we'll go under security
2:02 oh actually sorry, it's not under security, not yet, we're going to be there in a minute,
2:07 we want to go to network here, and we're going to say ssl,
2:10 say mode is requireSSL like so, not model, mode,
2:18 and the PEMKeyFile like this is going to be /etc/ssl/mongo.pem.
2:30 Okay, so make sure we save that, and then we just have to restart mongo,
2:35 so service mongod restart, let's see if that went well.
2:44 It doesn't look so great, does it? Well, why is that?
2:49 let me grab our little log file here, there's our log file
3:00 ah so, it says here's the error, /etc/ssl/mongo.pem file not found,
3:05 now I could just edit this out of the video, right, and we would skip it,
3:07 but I kind of want to show you like oh jeez,
3:10 what do you do when something goes wrong?
3:12 Well, you go look at the log file; first of all you can quickly ask
3:15 for the status and it'll say crashed, something bad, go look at the log file
3:21 and then go from there, maybe you want to tail it in a real production thing.
3:26 So we are just going to edit this again and say you know what, you're right,
3:30 I believe that's mongodb, so we'll restart it
3:38 ask for the status and hey, look, a running process, super, that is so much better.
3:44 Okay, so let's try to connect to this on the same machine here
3:48 so we tried mongo, and it said no, no, no, you can't find it there,
3:52 so we did the port 10001, and it said I can't connect to this,
3:58 this is not so good, I'm not sure what this error message is
4:01 but we need to basically say one more thing,
4:05 we need to say allow invalid SSL certificates
4:08 because it doesn't trust itself, and use SSL;
4:11 there we go, so you can see this network error while attempting to run isMaster
4:16 basically said I tried to run an unencrypted command on an encrypted connection
4:21 and I got junk back, yeah, because it was encrypted.
4:24 Now we're kind of talking to the server on its non default port
4:28 using its non-valid SSL certificate,
4:31 you can generate valid ones if you want, you can use other things, Let's Encrypt,
4:34 you can buy them, whatever, but like I said it's probably fine to use this.
4:39 We're very close to coming over here,
4:41 and coming down and changing this to 0.0.0.0 which will allow our web app to talk,
4:51 so we have the encryption of the communication, that's good,
4:54 but still, this is not good enough, what we need to be able to do is
4:58 restrict this to only people with username and password
5:02 and because we're doing this over SSL that password exchange is relatively safe.