获取 MongooseServerSelectionError: Hostname/IP does not match certificate's altnames: IP: xxx.xx.xx.xx
Posted
技术标签:
【中文标题】获取 MongooseServerSelectionError: Hostname/IP does not match certificate\'s altnames: IP: xxx.xx.xx.xx is not in the cert\'s list:【英文标题】:Getting MongooseServerSelectionError: Hostname/IP does not match certificate's altnames: IP: xxx.xx.xx.xx is not in the cert's list:获取 MongooseServerSelectionError: Hostname/IP does not match certificate's altnames: IP: xxx.xx.xx.xx is not in the cert's list: 【发布时间】:2021-05-14 07:56:04 【问题描述】:我在我的 linux 机器上创建了自签名证书,我在其中提供了与该 linux 的 IP 相同的证书 CN 我已将它们添加到 mongodb.conf 并重新启动服务器 我可以通过命令连接
mongo --ssl --sslPEMKeyFile /etc/ssl/mongodbcerts/mongodb.pem --sslCAFile /etc/ssl/mongodbcerts/ca.pem
但是当我尝试从 nodeJS mongoose 连接时,我遇到了类似的错误
MongooseServerSelectionError: Hostname/IP does not match certificate's altnames: IP: XXX.xx.x.xx is not in the cert's list:
我的连接mongodb的nodejs代码如下
const connectionOptions = useCreateIndex: true,
useNewUrlParser: true,
useUnifiedTopology: true,
useFindAndModify: false ,
server:
ssl: true,
sslValidate:true,
sslCA: require('fs').readFileSync("/etc/ssl/mongodbcerts/ca.pem"),
sslKey:require('fs').readFileSync("/etc/ssl/mongodbcerts/mongodb.key"),
sslCert:require('fs').readFileSync("/etc/ssl/mongodbcerts/mongodb.crt")
;
let mongo_url="mongodb://username:password@IPaddress/DB"
console.log(mongo_url)
mongoose.connect(mongo_url,connectionOptions).then(() => console.log( 'Database Connected' ))
.catch(err => console.log( err ));;
请告诉我错误
【问题讨论】:
【参考方案1】:我犯的错误是我创建了以通用名称 (CN) 作为 IP 地址 (XXX.xx.x.xx) 的自签名证书,但我们需要创建以 CN 作为主机名的自签名证书。 要获取主机名,请打开 mongo shell 并执行以下命令:
>getHostName()
您将使用该 VM 的主机名并创建具有相同主机名的自签名证书,并尝试使用 mongoose nodejs 连接。它会起作用的。 支持文档:https://mongoosejs.com/docs/tutorials/ssl.html
【讨论】:
【参考方案2】:我最近遇到了this issue。从 MongoDB 4.2 开始,在进行 SAN 比较时,MongoDB 也支持 IP 地址比较。您可以在 CN 字段中使用 IP 地址,但请确保您的 openssl 配置文件在 alt_names 部分中包含您的服务器 IP 地址。
这是官方 MongoDB 文档中提供的示例 cnf 文件 -
# NOT FOR PRODUCTION USE. OpenSSL configuration file for testing.
[ req ]
default_bits = 4096
default_keyfile = myTestServerCertificateKey.pem ## The default private key file name.
default_md = sha256
distinguished_name = req_dn
req_extensions = v3_req
[ v3_req ]
subjectKeyIdentifier = hash
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
nsComment = "OpenSSL Generated Certificate for TESTING only. NOT FOR PRODUCTION USE."
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = ##TODO: Enter the DNS names if using hostname, otherwise remove this line
IP.1 = ##TODO: Enter the IP address if using IP address
[ req_dn ]
countryName = Country Name (2 letter code)
countryName_default = TestServerCertificateCountry
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = TestServerCertificateState
stateOrProvinceName_max = 64
localityName = Locality Name (eg, city)
localityName_default = TestServerCertificateLocality
localityName_max = 64
organizationName = Organization Name (eg, company)
organizationName_default = TestServerCertificateOrg
organizationName_max = 64
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = TestServerCertificateOrgUnit
organizationalUnitName_max = 64
commonName = Common Name (eg, YOUR name)
commonName_max = 64
【讨论】:
以上是关于获取 MongooseServerSelectionError: Hostname/IP does not match certificate's altnames: IP: xxx.xx.xx.xx的主要内容,如果未能解决你的问题,请参考以下文章