MongoDB for Developers with Python Transcripts
Chapter: Deploying MongoDB in production (and playing it safe)
Lecture: Adding encrypted communication for MongoDB
0:00
For our MongoDB server we want to add communication-level encryption, basically SSL.
0:06
Now, we could go get a proper SSL certificate, we could even use Let's Encrypt, but because this is only talked to from our few servers
0:15
we can actually just do an auto-generated one, so a self-signed certificate. Let's go over here to /etc/ssl, let's see what's here...
0:23
Not so much, alright. So the next thing that we want to do is run OpenSSL to generate this key.
0:30
Now, I'm going to give you a link that you can copy this from, so don't worry about trying to type this in. So notice it's good for 365 days,
0:37
we could put way more on here if we really wanted, save yourself some trouble,
0:47
and it's going to be output into these two, a public and a private key. Let's go.
0:54
Then you can basically put whatever you want. I'll go in and put some stuff here, okay, so I entered some sort of, kind of accurate data,
1:08
and now we have our two keys, our two MongoDB public and private keys. The next thing is to generate a PEM file,
1:16
which is really just the combination of the public and private key, and we can do that with a cat command like this,
1:24
so we run this, and now we've got the private key and the certificate there. Okay, great. Now, the next thing to do is actually tell MongoDB:
1:37
hey, I would like you to use encryption, and I would like you to use this particular key. So notice we're over here in /etc/ssl,
1:47
and we're going to get that mongodb.pem we just got. So let's edit the config here, we'll go under security...
2:03
Oh, actually, sorry, it's not under security, not yet, we're going to be there in a minute. We want to go to network here, and we're going to say ssl,
2:11
say mode is requireSSL, like so (not model, mode), and the PEMKeyFile, like this, is going to be /etc/ssl/mongo.pem.
2:31
Okay, so make sure we save that, and then we just have to restart Mongo, so service mongod restart. Let's see if that went well.
2:45
It doesn't look so great, does it? Well, why is that? Let me grab our little log file here. There's our log file,
3:01
ah, so it says here's the error: /etc/ssl/mongo.pem file not found. Now, I could just edit this out of the video, right, and we would skip it,
3:08
but I kind of want to show you, like, oh jeez, what do you do when something goes wrong?
3:13
Well, you go look at the log file. First of all, you can quickly ask for the status, and it'll say crashed, something bad, go look at the log file,
3:22
and then go from there. Maybe you want to tail it in a real production setting.
3:27
So we are just going to edit this again and say, you know what, you're right, I believe that's mongodb, so we'll restart it,
3:39
ask for the status, and hey, look, a running process. Super, that is so much better. Okay, so let's try to connect to this on the same machine here.
3:49
So we tried mongo, and it said no, no, no, you can't find it there, so we did the port 10001, and it said I can't connect to this.
3:59
This is not so good. I'm not sure what this error message is, but we need to basically say one more thing: we need to say allow invalid SSL certificates,
4:09
because it doesn't trust itself, and use SSL; there we go. So you can see this network error while attempting to run isMaster
4:17
basically said: I tried to run an unencrypted command on an encrypted connection and I got junk back. Yeah, because it was encrypted.
4:25
Now we're kind of talking to the server on its non-default port using its non-valid SSL certificate.
4:32
You can generate valid ones if you want, you can use other things, Let's Encrypt,
4:35
you can buy them, whatever, but like I said, it's probably fine to use this. We're very close to coming over here,
4:42
and coming down and changing this to 0.0.0.0, which will allow our web app to talk, so we have the encryption of the communication, that's good,
4:55
but still, this is not good enough. What we need to be able to do is restrict this to only people with a username and password,
5:03
and because we're doing this over SSL, that password exchange is relatively safe.