Going SSL with Compose MongoDB+

Now that we're rolling out SSL with the Compose MongoDB+ beta, we're also noticing that some people are getting caught out by MongoDB SSL. A typical example is when someone gets themselves a new MongoDB+ installation with SSL enabled and goes to log in for the first time...

$ mongo example.dblayer.com:10373/admin -u user -p pass
MongoDB shell version: 3.0.4
connecting to: example.dblayer.com:10373/admin
2015-06-23T10:19:48.866+0100 I NETWORK  DBClientCursor::init call() failed
2015-06-23T10:19:48.868+0100 E QUERY    Error: DBClientBase::findN: transport error: example.dblayer.com:10373/admin ns: admin.$cmd query: { whatsmyuri: 1 }
    at connect (src/mongo/shell/mongo.js:181:14)
    at (connect):1:6 at src/mongo/shell/mongo.js:181
exception: connect failed

Well, that's an unhelpful error message. Especially when you find out what caused it – either the local version of the mongo command doesn't have SSL built in, or it has the SSL libraries but no --ssl flag was given. So it is either a plain Mongo client failing to talk to an SSL-enabled server, or an SSL-enabled client which hasn't been told to use SSL. Yes, it's a really unhelpful error message.

Do I even have SSL?

Let's start with the first case. How do you know whether your local Mongo installation has SSL or not? Well, if you run mongo --help and don't see any options for SSL, then you've got a version without SSL... read on. If they are there, skip forward to connecting with SSL.

"But wait," you say, "MongoDB 3.0 comes with SSL enabled in all its binaries, doesn't it?" You'd think so, especially when you look in the documentation and see:

New in version 3.0: Most MongoDB distributions now include support for SSL.

That "Most" is the gotcha. While the Windows and Linux versions of MongoDB available on MongoDB.org do include SSL, the Mac OS X and Solaris distributions do not. We'll concentrate here on the Mac OS X platform as it's much more likely to be causing problems for more people, given the popularity of those laptops.

There are instructions for installing MongoDB on OS X which cover setting it up but first of all, you'll need to set up Homebrew. If you already have MongoDB installed via Homebrew, play safe and remove all older versions with

brew uninstall --force mongodb

We now have a clean slate to work from. Next, make sure brew is up-to-date with brew update and then run

brew install mongodb --with-openssl

And now's a good time to get a brew, be it coffee or something else, because this build is going to be from source rather than Homebrew's pre-built casks...

... anyway, once that's done, you've got SSL-enabled MongoDB binaries and we can move on to...

Connecting with SSL

If you want to connect to an SSL-enabled MongoDB+ then there are two ways to do it, the bad way and the good way. The bad way looks like this...

$ mongo --ssl --sslAllowInvalidCertificates example.dblayer.com:10373/admin -u user -p pass

With just those two extra flags, you'll be logged into the Mongo shell. DO NOT DO THIS. Apart from generating a log entry that an invalid certificate has been used, it degrades your security: an invalid certificate could just as well be an attacker's certificate, letting a man-in-the-middle attack take place.

What you need is a certificate from the server that will identify it and be usable in the cryptography underlying SSL. As it happens, there's a certificate available on your Compose MongoDB+ dashboard. Log into your account, select your MongoDB+ deployment and on the Overview page you'll see an SSL Public Key panel with a Show SSL Public Key button. Click that, enter your password and the page will refresh with the key details.

You'll want to copy and paste all the text, from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE-----, into a file on your local file system. For this example we'd save it as example.pem. Now we can give this certificate to the mongo command like so:

$ mongo --ssl --sslCAFile example.pem example.dblayer.com:10373/admin -u user -p pass

And we'll get a connection which checks the certificate and ensures we're connecting to the right server.
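As an added example (not code from the original post or from Compose), here are a few POSIX shell helpers that automate the two checks this post walks through: whether the local mongo shell lists any SSL options in its --help output, and whether the certificate pasted from the dashboard is a complete PEM block. The last helper assembles the "good way" command line and a companion check refuses the "bad way" flags. The function names are mine; the host, port, user and example.pem names are the post's own placeholders, and the sample help text and certificate in the demo are constructed.

```shell
#!/bin/sh
# Added example, not part of the original post. Helpers for checking a
# local mongo shell for SSL support and building a verified-CA connection.

# mongo_has_ssl HELP_TEXT
# Succeeds if the given `mongo --help` output lists an --ssl option.
# Real use:  mongo_has_ssl "$(mongo --help 2>&1)"
mongo_has_ssl() {
    printf '%s\n' "$1" | grep -q -e '--ssl'
}

# pem_is_complete FILE
# Succeeds if FILE carries both the BEGIN and END CERTIFICATE markers,
# i.e. the whole block was pasted from the dashboard, not just part of it.
pem_is_complete() {
    [ -r "$1" ] || return 1
    grep -q -e '-----BEGIN CERTIFICATE-----' "$1" &&
        grep -q -e '-----END CERTIFICATE-----' "$1"
}

# ssl_flags_are_safe FLAGS
# Fails if FLAGS switch off certificate or hostname checking, which is
# exactly what --sslAllowInvalidCertificates does and why the "bad way"
# leaves you open to a man-in-the-middle.
ssl_flags_are_safe() {
    case " $1 " in
        *" --sslAllowInvalidCertificates "*|*" --sslAllowInvalidHostnames "*)
            return 1 ;;
    esac
    return 0
}

# mongo_ssl_cmd CAFILE HOST:PORT/DB USER
# Prints the verified-CA command line from the post. -p is left without a
# value so the mongo shell prompts for the password instead of recording
# it in shell history.
mongo_ssl_cmd() {
    pem_is_complete "$1" || {
        echo "not a complete PEM certificate: $1" >&2
        return 1
    }
    printf 'mongo --ssl --sslCAFile %s %s -u %s -p\n' "$1" "$2" "$3"
}

# Demo on constructed input, so this file runs without a mongo binary.
SAMPLE_HELP='SSL options:
  --ssl                     use SSL for all connections
  --sslCAFile arg           Certificate Authority file for SSL'
if mongo_has_ssl "$SAMPLE_HELP"; then
    echo "mongo shell lists SSL options"
fi
if ! ssl_flags_are_safe "--ssl --sslAllowInvalidCertificates"; then
    echo "refusing to skip certificate validation"
fi
```

In practice you would feed the real help output in with `mongo_has_ssl "$(mongo --help 2>&1)"` and point `mongo_ssl_cmd` at the example.pem you saved; if the first check fails on OS X, that is the cue to rebuild with Homebrew as described above.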

Now you are connecting to Compose's MongoDB+ with SSL enabled. Remember that if you don't want SSL, you can deselect the SSL checkbox when creating the deployment, but it is better, if your drivers support it, to have SSL enabled.