[SERVER-42098] NETWORK [main] cannot read certificate file
Created: 07/Jul/19 | Updated: 09/Jul/19 | Resolved: 09/Jul/19

| Status: | Closed |
| Project: | Core Server |
| Component/s: | Security |
| Affects Version/s: | None |
| Fix Version/s: | None |
| Type: | Question |
| Priority: | Major - P3 |
| Reporter: | Jon D |
| Assignee: | Danny Hatcher (Inactive) |
| Resolution: | Done |
| Votes: | 0 |
| Labels: | None |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Participants: | |

| Description |
For some reason I can't get the mongod user to access the key/cert file when starting from systemctl. I get the following error:

2019-07-07T18:12:16.706+0000 E NETWORK [main] cannot read certificate file: /var/lib/mongo/cert/ssl.pem error:0200100D:system library:fopen:Permission denied
2019-07-07T18:12:16.707+0000 F CONTROL [main] Failed global initialization: InvalidSSLConfiguration: Can not set up PEM key file.

I'm using a fresh CentOS 7 (updated) x86 server, and have installed MongoDB using the instructions here: https://docs.mongodb.com/manual/tutorial/install-mongodb-on-red-hat/

When I run the mongod process as root it works fine, so it's not a configuration issue. The problem occurs when I try and use the following command:

systemctl start mongod

Config is this:

Permissions on the ssl.pem keyfile are as follows (it's in /var/lib/mongo):
File is owned by mongod and group mongod with read-only access for the owner (400).
Directory is owned by mongod and group mongod with rw for the owner only (600).
I have also run chcon system_u:object_r:mongod_var_lib_t:s0 ssl.pem on the pem file.

However I still get the following error:
| Comments |

| Comment by Danny Hatcher (Inactive) [ 09/Jul/19 ] |

Glad to hear it!
| Comment by Jon D [ 08/Jul/19 ] |

Hi Daniel,
Amazing ... I ran
and it is working fine, thanks ever so!
| Comment by Danny Hatcher (Inactive) [ 08/Jul/19 ] |

I believe the mongod user needs execute rights on the directory containing the certs. Could you grant that right and see if it works?
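The check behind this comment, applied to the layout in the description (a 400 file inside a 600 directory): search (x) is needed on every directory in the path before read on the file matters. This is an added example, not code from the ticket or from MongoDB; perm_ok, check_access and the GNU stat -c output format are assumptions of this script.

```shell
#!/bin/sh
# Walk from a file up to / and report the first component that stops a given
# uid/gid from reaching it: search (x) on every ancestor directory, then read
# (r) on the file. The decision uses only the mode bits and ownership that
# stat(1) prints, so it gives the same answer whoever runs it (root passes a
# kernel access check even on a 600 directory, which hides this class of bug).
# Hypothetical helpers, not part of MongoDB; stat -c is the GNU coreutils form.

# perm_ok MODE OWNER_UID OWNER_GID UID GID BIT -> 0 if BIT is granted.
# MODE is the octal string stat %a prints (600, 1777, or 75 for 0075);
# BIT is 4 (read) or 1 (execute/search).
perm_ok() {
    mode=$1 owner=$2 group=$3 uid=$4 gid=$5 bit=$6
    mode=$(printf '%03d' "$mode")      # restore leading zeros that stat drops
    mode=${mode#${mode%???}}           # keep the last three digits (rwx classes)
    o=${mode%??}; g=${mode#?}; g=${g%?}; w=${mode#??}
    if [ "$owner" = "$uid" ]; then digit=$o      # owner class
    elif [ "$group" = "$gid" ]; then digit=$g    # group class
    else digit=$w; fi                            # other class
    [ $(( digit & bit )) -ne 0 ]
}

# check_access UID GID FILE -> prints "ok" and returns 0, or prints the first
# blocking component (nearest the file) and returns 1; returns 2 if stat fails.
check_access() {
    uid=$1 gid=$2 target=$3
    p=$target
    while :; do
        p=$(dirname "$p")
        info=$(stat -c '%a %u %g' "$p") || return 2
        set -- $info
        if ! perm_ok "$1" "$2" "$3" "$uid" "$gid" 1; then
            echo "no search (x) permission for uid $uid on directory $p (mode $1)"
            return 1
        fi
        if [ "$p" = / ]; then break; fi
    done
    info=$(stat -c '%a %u %g' "$target") || return 2
    set -- $info
    if ! perm_ok "$1" "$2" "$3" "$uid" "$gid" 4; then
        echo "no read (r) permission for uid $uid on file $target (mode $1)"
        return 1
    fi
    echo ok
}

# Layout from the report: mongod-owned, directory 600, file 400. Run as any
# account that can stat the path, e.g.:
#   check_access "$(id -u mongod)" "$(id -g mongod)" /var/lib/mongo/cert/ssl.pem
```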
| Comment by Jon D [ 08/Jul/19 ] |

Hello Daniel, many thanks for your reply.
It's worth mentioning this is a newly provisioned stock AWS CentOS 7 build, and all I've put on it is MongoDB. It looks to me that the mongod user just doesn't have the right access, but I can't see how this is the case, unless it's some SELinux problem.
| Comment by Danny Hatcher (Inactive) [ 08/Jul/19 ] |

If you run the mongod manually by specifying the binary on the command line, do you still have the issue? Could you please provide the ls -l output for /var/lib/mongo?