Adding TLS to Mongo causes a crash

Time: 2020-02-28 21:00:06

Tags: mongodb tls1.2

I have a 3-node mongodb replica set built and running. When I add TLS to the /etc/mongod.conf file, mongod crashes immediately and writes nothing to the mongo log. I put a pem file containing all the certificates and the key in /etc/ssl/mongo.pem, with the key at the bottom of the file. I did chmod 600 on the pem file. I first added TLS to the primary, then stopped and started mongod. My mongod TLS configuration:

net:
  port: 27017
  bindIpAll: true
  tls:
    mode: requireTLS
    certificateKeyFile: /etc/ssl/mongo.pem
security:
  keyFile: /opt/mongod/keyfile

The error on startup:

ec2-user@ip-10-0-16-140 log]$ sudo service mongod start
Starting mongod (via systemctl):  Job for mongod.service failed because the control process exited with error code. See "systemctl status mongod.service" and "journalctl -xe" for details.
                                                           [FAILED]

The status call returns:

[ec2-user@ip-10-0-16-140 ~]$ systemctl status mongod.service
● mongod.service - SYSV: Mongo is a scalable, document-oriented database.
   Loaded: loaded (/etc/rc.d/init.d/mongod; bad; vendor preset: disabled)
   Active: failed (Result: exit-code) since Fri 2020-02-28 00:43:51 UTC; 17s ago
     Docs: man:systemd-sysv-generator(8)
  Process: 18327 ExecStop=/etc/rc.d/init.d/mongod stop (code=exited, status=0/SUCCESS)
  Process: 18548 ExecStart=/etc/rc.d/init.d/mongod start (code=exited, status=1/FAILURE)

Feb 28 00:43:51 ip-10-0-16-140.us-gov-east-1.compute.internal systemd[1]: Starting SYSV: Mongo is a scalable, document-oriented database....
Feb 28 00:43:51 ip-10-0-16-140.us-gov-east-1.compute.internal runuser[18559]: pam_unix(runuser:session): session opened for user mongod by (uid=0)
Feb 28 00:43:51 ip-10-0-16-140.us-gov-east-1.compute.internal runuser[18559]: pam_unix(runuser:session): session closed for user mongod
Feb 28 00:43:51 ip-10-0-16-140.us-gov-east-1.compute.internal mongod[18548]: Starting mongod: [FAILED]
Feb 28 00:43:51 ip-10-0-16-140.us-gov-east-1.compute.internal systemd[1]: mongod.service: control process exited, code=exited status=1
Feb 28 00:43:51 ip-10-0-16-140.us-gov-east-1.compute.internal systemd[1]: Failed to start SYSV: Mongo is a scalable, document-oriented database..
Feb 28 00:43:51 ip-10-0-16-140.us-gov-east-1.compute.internal systemd[1]: Unit mongod.service entered failed state.
Feb 28 00:43:51 ip-10-0-16-140.us-gov-east-1.compute.internal systemd[1]: mongod.service failed.
[ec2-user@ip-10-0-16-140 ~]$ journalctl -xe
Feb 28 00:42:13 ip-10-0-16-140.us-gov-east-1.compute.internal sudo[18523]: pam_unix(sudo:session): session closed for user root
Feb 28 00:42:27 ip-10-0-16-140.us-gov-east-1.compute.internal sudo[18525]: ec2-user : TTY=pts/0 ; PWD=/home/ec2-user ; USER=root ; COMMAND=/bin/vi /etc/mongo.pem
Feb 28 00:42:27 ip-10-0-16-140.us-gov-east-1.compute.internal sudo[18525]: pam_unix(sudo:session): session opened for user root by ec2-user(uid=0)
Feb 28 00:42:31 ip-10-0-16-140.us-gov-east-1.compute.internal sudo[18525]: pam_unix(sudo:session): session closed for user root
Feb 28 00:42:38 ip-10-0-16-140.us-gov-east-1.compute.internal sudo[18527]: ec2-user : TTY=pts/0 ; PWD=/home/ec2-user ; USER=root ; COMMAND=/bin/vi /etc/ssl/mongo.pem
Feb 28 00:42:38 ip-10-0-16-140.us-gov-east-1.compute.internal sudo[18527]: pam_unix(sudo:session): session opened for user root by ec2-user(uid=0)
Feb 28 00:43:38 ip-10-0-16-140.us-gov-east-1.compute.internal sudo[18527]: pam_unix(sudo:session): session closed for user root
Feb 28 00:43:51 ip-10-0-16-140.us-gov-east-1.compute.internal sudo[18529]: ec2-user : TTY=pts/0 ; PWD=/home/ec2-user ; USER=root ; COMMAND=/sbin/service mongod start
Feb 28 00:43:51 ip-10-0-16-140.us-gov-east-1.compute.internal sudo[18529]: pam_unix(sudo:session): session opened for user root by ec2-user(uid=0)
Feb 28 00:43:51 ip-10-0-16-140.us-gov-east-1.compute.internal systemd[1]: Starting SYSV: Mongo is a scalable, document-oriented database....
-- Subject: Unit mongod.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit mongod.service has begun starting up.
Feb 28 00:43:51 ip-10-0-16-140.us-gov-east-1.compute.internal runuser[18559]: pam_unix(runuser:session): session opened for user mongod by (uid=0)
Feb 28 00:43:51 ip-10-0-16-140.us-gov-east-1.compute.internal runuser[18559]: pam_unix(runuser:session): session closed for user mongod
Feb 28 00:43:51 ip-10-0-16-140.us-gov-east-1.compute.internal mongod[18548]: Starting mongod: [FAILED]
Feb 28 00:43:51 ip-10-0-16-140.us-gov-east-1.compute.internal systemd[1]: mongod.service: control process exited, code=exited status=1
Feb 28 00:43:51 ip-10-0-16-140.us-gov-east-1.compute.internal systemd[1]: Failed to start SYSV: Mongo is a scalable, document-oriented database..
-- Subject: Unit mongod.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit mongod.service has failed.
-- 
-- The result is failed.
Feb 28 00:43:51 ip-10-0-16-140.us-gov-east-1.compute.internal systemd[1]: Unit mongod.service entered failed state.
Feb 28 00:43:51 ip-10-0-16-140.us-gov-east-1.compute.internal systemd[1]: mongod.service failed.
Feb 28 00:43:51 ip-10-0-16-140.us-gov-east-1.compute.internal sudo[18529]: pam_unix(sudo:session): session closed for user root
Feb 28 00:43:51 ip-10-0-16-140.us-gov-east-1.compute.internal dhclient[2603]: XMT: Solicit on eth0, interval 113300ms.

1 answer:

Answer 0 (score: 0)

There may be a problem with your mongodb.pem file. For testing, you can create a self-signed certificate and key as follows:

openssl req -newkey rsa:2048 -new -x509 -days 365 -nodes -out mongodb-cert.crt -keyout mongodb-cert.key

cat mongodb-cert.key mongodb-cert.crt > mongodb.pem

Then set the permissions on the PEM file; you can use

chmod 600 mongodb.pem

Consider the following configuration file for the mongod instance:

# all net settings live in one section (the original listed a top-level net key twice)
net:
   tls:
      mode: requireTLS
      certificateKeyFile: /etc/ssl/mongodb.pem
   bindIp: 0.0.0.0
   port: 27017
systemLog:
   destination: file
   path: "/var/log/mongodb/mongod.log"
   logAppend: true
storage:
   dbPath: "/var/lib/mongodb"
processManagement:
   fork: true

Note: binding the IP 0.0.0.0 is not best practice, but it is a good starting point. Also, you may find the log at /var/log/mongodb/mongod.log, which is the default path.
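A pre-flight check for the certificateKeyFile before restarting mongod, added here as an example and not part of the answer or of MongoDB itself: it verifies the file is owned by the uid the daemon runs as (the journal shows mongod started via runuser as user mongod, while the PEM was edited as root), has no group/other permission bits, and contains one certificate block plus exactly one syntactically valid private key block. The sample PEM it writes is constructed placeholder data, not real key material; `service_uid` is a hypothetical parameter, on a real host pass `pwd.getpwnam("mongod").pw_uid`.

```python
import base64
import os
import re
import stat
import tempfile

# One PEM block: group 1 is the label, group 2 the base64 body.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}


def check_mongo_pem(path, service_uid=None):
    """List problems with a net.tls.certificateKeyFile; [] means it looks usable (None skips the uid check)."""
    problems = []
    st = os.stat(path)
    # mongod drops to an unprivileged user, so a root-owned 0600 file is unreadable to it
    # and the daemon exits before it can write anything to its own log.
    if service_uid is not None and st.st_uid != service_uid:
        problems.append(f"owned by uid {st.st_uid}, not service uid {service_uid}")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"mode {oct(stat.S_IMODE(st.st_mode))} is readable by group/other")
    with open(path, encoding="ascii", errors="replace") as fh:
        blocks = PEM_BLOCK.findall(fh.read())
    labels = [label for label, _ in blocks]
    if "CERTIFICATE" not in labels:
        problems.append("no CERTIFICATE block")
    if "ENCRYPTED PRIVATE KEY" in labels:
        problems.append("key is encrypted; mongod needs net.tls.certificateKeyFilePassword")
    elif sum(label in KEY_LABELS for label in labels) != 1:
        problems.append("expected exactly one private key block")
    for label, body in blocks:
        try:
            base64.b64decode("".join(body.split()), validate=True)
        except ValueError:
            problems.append(f"{label} block is not valid base64 (truncated paste?)")
    return problems


def write_sample_pem(include_key=True, mode=0o600):
    """Write a constructed PEM (placeholder bodies, not real key material) and return its path."""
    body = base64.b64encode(b"constructed placeholder, not real key material").decode()
    parts = ["-----BEGIN CERTIFICATE-----", body, "-----END CERTIFICATE-----"]
    if include_key:
        parts += ["-----BEGIN PRIVATE KEY-----", body, "-----END PRIVATE KEY-----"]
    path = os.path.join(tempfile.mkdtemp(), "mongodb.pem")
    with open(path, "w") as fh:
        fh.write("\n".join(parts) + "\n")
    os.chmod(path, mode)
    return path
```

On the page's host, `check_mongo_pem("/etc/ssl/mongo.pem", pwd.getpwnam("mongod").pw_uid)` would report the ownership problem if the file was created as root, which a `chown mongod` fixes without loosening the 0600 mode.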
