Details
Type: Question
Resolution: Done
Priority: Major - P3
Description
For some reason I can't get the mongod user to access the key/cert file when starting from systemctl. I get the following error:
2019-07-07T18:12:16.706+0000 E NETWORK [main] cannot read certificate file: /var/lib/mongo/cert/ssl.pem error:0200100D:system library:fopen:Permission denied
2019-07-07T18:12:16.707+0000 F CONTROL [main] Failed global initialization: InvalidSSLConfiguration: Can not set up PEM key file.
I'm using a fresh CentOS 7 (updated) x86 server, and have installed MongoDB using the instructions here: https://docs.mongodb.com/manual/tutorial/install-mongodb-on-red-hat/
When I run the mongod process as root it works fine, so it's not a configuration issue. The problem occurs when I try to use the following command:
systemctl start mongod
Config is this:

systemLog:
  destination: file
  logAppend: true
  path: /var/log/mongodb/mongod.log

storage:
  dbPath: /var/lib/mongo
  journal:
    enabled: true

processManagement:
  fork: true  # fork and run in background
  pidFilePath: /var/run/mongodb/mongod.pid  # location of pidfile
  timeZoneInfo: /usr/share/zoneinfo

# network interfaces
net:
  ssl:
    mode: requireSSL
    PEMKeyFile: /var/lib/mongo/cert/ssl.pem
  port: 27017
  bindIp: 127.0.0.1  # Enter 0.0.0.0,:: to bind to all IPv4 and IPv6 addresses or, alternatively, use the net.bindIpAll setting.
Permissions on the ssl.pem keyfile are as follows (it's in /var/lib/mongo):
File owned by mongod and group mongod with read-only access to the owner (400)
Directory is owned by mongod and group mongod with rw for owner only (600)
I have also run the following on the pem file:
chcon system_u:object_r:mongod_var_lib_t:s0 ssl.pem
However I still get the following error
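A way to check a key file's reachability for a service account before starting the daemon, added here as an example (not from the ticket or from MongoDB): because a file can only be opened if every directory above it grants the search (execute) bit to the user and the file itself grants read, the helper walks from the PEM file up to / and reports each component where the bit the service user would rely on (owner, group or other) is missing, then prints the SELinux context when enforcing. `key_access_problems`, `perm_class` and `has_bit` are names chosen for this example; it assumes GNU coreutils `stat` (present on CentOS 7).

```shell
#!/bin/sh
# Report why a service account might fail to open a PEM file.
# Assumes GNU coreutils stat (%U/%G/%A/%C); the user need not exist locally.

perm_class() {  # $1=path $2=user -> prints u, g or o (which mode bits apply)
  owner=$(stat -c '%U' "$1"); group=$(stat -c '%G' "$1")
  if [ "$owner" = "$2" ]; then echo u; return; fi
  for g in $(id -Gn "$2" 2>/dev/null); do
    [ "$g" = "$group" ] && { echo g; return; }
  done
  echo o
}

has_bit() {  # $1=path $2=class(u/g/o) $3=r|x -> true when that bit is set
  sym=$(stat -c '%A' "$1")            # e.g. "drwx------"
  case "$2$3" in
    ur) pos=2 ;; ux) pos=4 ;; gr) pos=5 ;; gx) pos=7 ;; or) pos=8 ;; ox) pos=10 ;;
  esac
  case "$(printf '%s' "$sym" | cut -c"$pos")" in
    r|x|s|t) return 0 ;;              # s/t: exec bit plus setuid/setgid/sticky
    *) return 1 ;;
  esac
}

# Prints one line per problem; returns 0 when nothing blocks the user.
key_access_problems() {  # $1=pem file $2=service user (e.g. mongod)
  file=$1; user=$2; rc=0
  [ -e "$file" ] || { echo "missing: $file"; return 1; }
  cls=$(perm_class "$file" "$user")
  has_bit "$file" "$cls" r || { echo "no read ($cls) on $file"; rc=1; }
  dir=$(dirname "$file")
  while :; do                         # every ancestor needs search (x)
    cls=$(perm_class "$dir" "$user")
    has_bit "$dir" "$cls" x || { echo "no search/x ($cls) on $dir"; rc=1; }
    [ "$dir" = / ] && break
    dir=$(dirname "$dir")
  done
  if command -v getenforce >/dev/null 2>&1 && [ "$(getenforce)" = Enforcing ]; then
    echo "SELinux enforcing; context of $file: $(stat -c '%C' "$file")"
  fi
  return $rc
}
```

Run it as `key_access_problems /var/lib/mongo/cert/ssl.pem mongod` on the host; the mode check is purely on permission bits, so it still reports problems when run as root, which DAC would otherwise bypass.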