[SERVER-42098] NETWORK [main] cannot read certificate file
Created: 07/Jul/19  Updated: 09/Jul/19  Resolved: 09/Jul/19

Status: Closed
Project: Core Server
Component/s: Security
Affects Version/s: None
Fix Version/s: None

Type: Question
Priority: Major - P3
Reporter: Jon D
Assignee: Danny Hatcher (Inactive)
Resolution: Done
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Participants:

Description

For some reason I can't get the mongod user to access the key/cert file when starting from systemctl. I get the following error:

2019-07-07T18:12:16.706+0000 E NETWORK  [main] cannot read certificate file: /var/lib/mongo/cert/ssl.pem error:0200100D:system library:fopen:Permission denied
2019-07-07T18:12:16.707+0000 F CONTROL  [main] Failed global initialization: InvalidSSLConfiguration: Can not set up PEM key file.

I'm using a fresh CentOS 7 (updated) x86 server, and have installed MongoDB using the instructions here: https://docs.mongodb.com/manual/tutorial/install-mongodb-on-red-hat/

When I run the mongod process as root it works fine, so it's not a configuration issue. The problem occurs when I try and use the following command:

systemctl start mongod

Config is this:

systemLog:
  destination: file
  logAppend: true
  path: /var/log/mongodb/mongod.log

storage:
  dbPath: /var/lib/mongo
  journal:
    enabled: true

processManagement:
  fork: true  # fork and run in background
  pidFilePath: /var/run/mongodb/mongod.pid  # location of pidfile
  timeZoneInfo: /usr/share/zoneinfo

# network interfaces
net:
  ssl:
    mode: requireSSL
    PEMKeyFile: /var/lib/mongo/cert/ssl.pem
  port: 27017
  bindIp: 127.0.0.1  # Enter 0.0.0.0,:: to bind to all IPv4 and IPv6 addresses or, alternatively, use the net.bindIpAll setting.

Permissions on the ssl.pem keyfile are as follows (it's in /var/lib/mongo):

File owned by mongod and group mongod with read only access to the owner (400)

Directory is owned by mongod and group mongod with rw for owner only (600)

I have also run the following on the pem file:

chcon system_u:object_r:mongod_var_lib_t:s0 ssl.pem

However I still get the following error

Comments
Comment by Danny Hatcher (Inactive) [ 09/Jul/19 ]

Glad to hear it!

Comment by Jon D [ 08/Jul/19 ]

Hi Daniel,

Amazing ... I ran

chmod 700 /var/lib/mongo/cert

and it is working fine, thanks ever so!

Comment by Danny Hatcher (Inactive) [ 08/Jul/19 ]

I believe the mongod user needs execute rights on the directory containing the certs. Could you grant that right and see if it works?
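
A check for the mechanism described in this thread, added here as an example and not taken from the ticket: it walks the parent directories of a key file and reports the first one whose owner lacks the execute (search) bit, reproducing the 600-versus-700 difference on a constructed temp layout. It assumes GNU coreutils `stat` and reads the mode bits rather than using `test -x`, which always succeeds for root (the reason the service worked when started as root).

```shell
#!/bin/sh
# Added example, not from the ticket. Reports the first ancestor directory of
# a file whose owner lacks the execute (search) bit: the mongod user could read
# ssl.pem (mode 400) but not enter /var/lib/mongo/cert (mode 600, drw-------).
# Inspects mode bits via GNU `stat -c %a` instead of `test -x`, because root
# bypasses directory permissions and `test -x` would always succeed for root.

# Print the first blocking directory above $1. Exit 0 if the owner can
# traverse the whole chain, 1 if a blocker was found, 2 on stat failure.
first_untraversable_dir() {
    dir=$(dirname "$1")
    while [ "$dir" != "/" ] && [ "$dir" != "." ]; do
        mode=$(stat -c '%a' "$dir") || return 2
        owner=${mode%??}              # drop group/other digits: "600" -> "6"
        owner=${owner#"${owner%?}"}   # keep the last char, drops a setuid/setgid digit
        case $owner in
            1|3|5|7) ;;               # owner execute bit set, keep climbing
            *) printf '%s (mode %s)\n' "$dir" "$mode"; return 1 ;;
        esac
        dir=$(dirname "$dir")
    done
    return 0
}

# Rebuild the ticket's layout under a constructed temp dir: cert directory
# at mode $1, placeholder key at mode 400. Runs the check and cleans up.
demo_cert_dir_mode() {
    tmp=$(mktemp -d) || return 2
    mkdir -p "$tmp/mongo/cert"
    printf 'constructed placeholder, not a real key\n' > "$tmp/mongo/cert/ssl.pem"
    chmod 400 "$tmp/mongo/cert/ssl.pem"
    chmod "$1" "$tmp/mongo/cert"
    first_untraversable_dir "$tmp/mongo/cert/ssl.pem"
    rc=$?
    chmod 700 "$tmp/mongo/cert"   # restore the search bit so rm can descend
    rm -rf "$tmp"
    return "$rc"
}

demo_cert_dir_mode 600 || echo "blocked: mongod cannot open ssl.pem"     # ticket's state
demo_cert_dir_mode 700 && echo "ok: chmod 700 on the cert dir fixes it"   # after the fix
```

Run it against the real path (`first_untraversable_dir /var/lib/mongo/cert/ssl.pem`) as any user to see which directory in the chain is missing the search bit.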

Comment by Jon D [ 08/Jul/19 ]

Hello Daniel, many thanks for your reply.

  1. Running mongod manually: I can't do this as the mongod user as by default it has no login, but exec'ing the process from root as mongod doesn't work either. If I remove the SSL configuration however mongod starts fine when using any method.
  2. Output of ls -la on /var/lib/mongo dir and the cert sub dir that has the key file.

[root@ip-xx-xx-xx-xx mongo]# ls -la
total 464
drwxr-xr-x.  5 mongod mongod  4096 Jul  8 20:42 .
drwxr-xr-x. 28 root   root    4096 Jul  7 17:39 ..
drw-------.  2 mongod mongod   125 Jul  7 23:01 cert
-rw-------.  1 mongod mongod 32768 Jul  8 20:37 collection-0--9116396898015841894.wt
-rw-------.  1 mongod mongod  4096 Jul  8 20:37 collection-2-1711132814212450118.wt
-rw-------.  1 mongod mongod 36864 Jul  8 20:37 collection-2--9116396898015841894.wt
-rw-------.  1 mongod mongod 36864 Jul  8 20:37 collection-4-1711132814212450118.wt
-rw-------.  1 mongod mongod 24576 Jul  8 20:37 collection-4--9116396898015841894.wt
drwx------.  2 mongod mongod  4096 Jul  8 20:37 diagnostic.data
-rw-------.  1 mongod mongod 32768 Jul  8 20:37 index-1--9116396898015841894.wt
-rw-------.  1 mongod mongod  4096 Jul  8 20:37 index-3-1711132814212450118.wt
-rw-------.  1 mongod mongod 36864 Jul  8 20:37 index-3--9116396898015841894.wt
-rw-------.  1 mongod mongod 36864 Jul  8 20:37 index-5-1711132814212450118.wt
-rw-------.  1 mongod mongod 24576 Jul  8 20:37 index-5--9116396898015841894.wt
-rw-------.  1 mongod mongod 36864 Jul  8 20:37 index-6-1711132814212450118.wt
-rw-------.  1 mongod mongod 12288 Jul  8 20:37 index-6--9116396898015841894.wt
drwx------.  2 mongod mongod   110 Jul  7 21:47 journal
-rw-------.  1 mongod mongod 36864 Jul  8 20:37 _mdb_catalog.wt
-rw-------.  1 mongod mongod     0 Jul  8 20:37 mongod.lock
-rw-------.  1 mongod mongod 36864 Jul  8 20:37 sizeStorer.wt
-rw-------.  1 mongod mongod   114 Jul  7 17:41 storage.bson
-rw-------.  1 mongod mongod    45 Jul  7 17:41 WiredTiger
-rw-------.  1 mongod mongod  4096 Jul  8 20:37 WiredTigerLAS.wt
-rw-------.  1 mongod mongod    21 Jul  7 17:41 WiredTiger.lock
-rw-------.  1 mongod mongod  1077 Jul  8 20:37 WiredTiger.turtle
-rw-------.  1 mongod mongod 49152 Jul  8 20:37 WiredTiger.wt
[root@ip-xx-xx-xx-xx mongo]# cd cert/
[root@ip-xx-xx-xx-xx cert]# ls -l
-r--------. 1 mongod mongod 3623 Jul  7 17:50 ssl.pem

It's worth mentioning this is a newly provisioned stock AWS CentOS 7 build, and all I've put on it is MongoDB.

It looks to me that the mongod user just doesn't have the right access but I can't see how this is the case, unless it's some SELinux problem.

Comment by Danny Hatcher (Inactive) [ 08/Jul/19 ]

If you run the mongod manually by specifying the binary on the command line, do you still have the issue? Could you please provide the ls -l output for /var/lib/mongo?

ls -l /var/lib/mongo

Generated at Thu Feb 08 04:59:35 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.