Core Server / SERVER-42098

NETWORK [main] cannot read certificate file


Details

    • Type: Question
    • Resolution: Done
    • Priority: Major - P3
    • Component: Security

    Description

      For some reason I can't get the mongod user to access the key/cert file when starting from systemctl. I get the following error:

      2019-07-07T18:12:16.706+0000 E NETWORK  [main] cannot read certificate file: /var/lib/mongo/cert/ssl.pem error:0200100D:system library:fopen:Permission denied

      2019-07-07T18:12:16.707+0000 F CONTROL  [main] Failed global initialization: InvalidSSLConfiguration: Can not set up PEM key file.

      I'm using a fresh CentOS 7 (updated) x86 server, and have installed MongoDB using the instructions here: https://docs.mongodb.com/manual/tutorial/install-mongodb-on-red-hat/

      When I run the mongod process as root it works fine, so it's not a configuration issue. The problem occurs when I try to use the following command:

      systemctl start mongod

      Config is this:


      systemLog:
        destination: file
        logAppend: true
        path: /var/log/mongodb/mongod.log
       
      storage:
        dbPath: /var/lib/mongo
        journal:
          enabled: true 
       
      processManagement:
        fork: true  # fork and run in background
        pidFilePath: /var/run/mongodb/mongod.pid  # location of pidfile
        timeZoneInfo: /usr/share/zoneinfo
       
      # network interfaces
      net:
        ssl:
          mode: requireSSL
          PEMKeyFile: /var/lib/mongo/cert/ssl.pem
        port: 27017
        bindIp: 127.0.0.1  # Enter 0.0.0.0,:: to bind to all IPv4 and IPv6 addresses or, alternatively, use the net.bindIpAll setting.
       
      

      Permissions on the ssl.pem keyfile are as follows (it's in /var/lib/mongo):

      File owned by mongod and group mongod with read only access to the owner (400)

      Directory is owned by mongod and group mongod with rw for owner only (600)

      I have also run the following on the pem file:

      chcon system_u:object_r:mongod_var_lib_t:s0 ssl.pem


      However I still get the following error

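The symptom in the report (the file is readable when mongod is started as root but not when started as the mongod service user under systemd) is what ordinary Unix permission checks along the full path produce, since root bypasses them. The following diagnostic is an added example, not part of this ticket or of MongoDB: it walks every directory on the way to a file and reports the first mode bit a given non-root user is missing. It assumes GNU coreutils `stat -c`, paths without spaces, and it ignores group membership (a component reachable only through group bits is reported as blocked).

```shell
#!/bin/sh
# Added diagnostic (not from the ticket or from MongoDB): report why a
# non-root service user such as mongod cannot open a file that root can.
# A process needs the x (search) bit on every directory leading to the
# file, and the r bit on the file itself. Root is exempt from these
# checks, which is why "works as root, fails under systemd" is a classic
# symptom of a missing bit somewhere on the path.
# Assumptions: GNU coreutils stat (-c), no spaces in the path, and only
# owner/other bits are consulted (group membership is ignored).

# _bit_ok PATH USER BIT: succeeds when USER has BIT (r or x) on PATH.
# Owner bits apply when USER owns PATH, otherwise the "other" bits.
_bit_ok() {
  perms=$(stat -c '%A' "$1") || return 1   # e.g. drw-------
  owner=$(stat -c '%U' "$1") || return 1
  if [ "$owner" = "$2" ]; then off=0; else off=6; fi
  case $3 in
    r) pos=$((2 + off)) ;;   # r is the 2nd char of the owner triplet
    x) pos=$((4 + off)) ;;   # x is the 4th char of the owner triplet
    *) return 1 ;;
  esac
  c=$(printf '%s' "$perms" | cut -c"$pos")
  case "$3$c" in
    rr|xx|xs|xt) return 0 ;;   # s/t mean x plus setuid/setgid/sticky
    *) return 1 ;;
  esac
}

# check_path_access FILE USER: prints the first blocking component and
# returns 1, or returns 0 silently when USER could open FILE for reading.
check_path_access() {
  file=$1
  user=$2
  chain=""
  d=$(dirname "$file")
  while [ "$d" != "/" ] && [ "$d" != "." ]; do   # collect ancestors, outermost first
    chain="$d $chain"
    d=$(dirname "$d")
  done
  for d in $chain; do
    _bit_ok "$d" "$user" x || { echo "$d: $user lacks x (cannot traverse)"; return 1; }
  done
  _bit_ok "$file" "$user" r || { echo "$file: $user lacks r (cannot read)"; return 1; }
  return 0
}
```

Usage: `check_path_access /var/lib/mongo/cert/ssl.pem mongod` run as any user on the affected host; it does not need root and changes nothing.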

      People

        daniel.hatcher@mongodb.com Danny Hatcher (Inactive)
        jdblack Jon D
        Votes: 0
        Watchers: 4