Wondering if anyone else has had this issue. I'm running MongoDB v6.0.4 in a replica cluster and using X.509 as the auth. The issue I have is that in the Graylog conf I can't work out what the URI should be. If I use the mongosh command it connects to MongoDB using the below command:
What happens when you set that as the mongodb_uri in server.conf ?
My understanding is this config parameter fully supports mongodb connection-string(s). I’d give that a try if you haven’t already. I unfortunately have never used mongo with certificates so don’t have anything more helpful to add.
Sorry for the delayed response. So if I use mongodb_uri = "mongodb+srv://mongocluster.example.com/graylog?replicaSet=rs0&tlsCertificateKeyFile=/etc/mongod/ssl/mongodb.pem&tlsCAFile=/etc/mongod/ssl/ca-chain-bundle.cert.pem" it doesn't work because it doesn't like the quotes. If I do it without the quotes Graylog doesn't recognise the TLS options. Not sure if Graylog is capable of using TLS options in the URI.
I just tried this myself and can confirm it does not work. Graylog server complains it does not support a “tlscertificatekeyfile” argument in the mongodb_uri and MongoDB logs say that no certificate is being provided when Graylog attempts to connect.
I think joschi's response is just outdated, as there have been several major versions of both pieces of software since he said that. Unless @drewmiranda-gl you can play around with it and figure it out, I'm going to either bump that existing FR or make a new one and just reference it.
While setting up TLS encryption between Graylog and MongoDB we also saw the behavior described by William. We now use SCRAM authentication with the option allowConnectionsWithoutCertificates: true on the MongoDB side and tls=true in the Graylog server.conf.
Oh very interesting… So the traffic is encrypted by TLS but authenticated with SCRAM instead of PKI. I'm not very familiar with the SCRAM implementation, but I imagine both client (Graylog) and server (MongoDB) have to support it, correct? Was there any config necessary to set this up on the Graylog side other than supplying the MongoDB username and password?
Also, what versions of MongoDB and Graylog have you been able to implement this with?
Well, apparently Graylog supports that method of authentication. We only needed to provide the credentials in the mongodb_uri configuration option.
That is running with graylog-server 5.0 and Percona MongoDB server 6.0.
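To make the two URI shapes discussed in this thread concrete, here is an added example (my own code, not from Graylog or any poster) that inspects a MongoDB connection string before it goes into server.conf: it flags the surrounding quotes and the client-side file options (tlsCertificateKeyFile and friends) that the posts above report Graylog rejects, and it builds the SCRAM-over-TLS form with properly percent-encoded credentials. The set of rejected options beyond tlsCertificateKeyFile, the host names and the password are constructed assumptions; the URI from the earlier post is used as sample input.

```python
"""Inspect a MongoDB connection string before putting it in Graylog's server.conf."""
from urllib.parse import urlsplit, parse_qs, quote, urlencode

# Query options that name a file on the client host. The thread reports that
# Graylog rejects tlsCertificateKeyFile in mongodb_uri; the other two are listed
# on the assumption that the same applies to any client-side file path.
CLIENT_FILE_OPTIONS = {"tlscertificatekeyfile", "tlscertificatekeyfilepassword", "tlscafile"}


def check_uri(raw):
    """Return a dict describing the TLS / auth properties of a connection string."""
    uri = raw.strip()
    quoted = len(uri) >= 2 and uri[0] == uri[-1] and uri[0] in "\"'"
    if quoted:
        uri = uri[1:-1]
    parts = urlsplit(uri)
    # Option keys are case-insensitive in MongoDB URIs; keep the last value given.
    opts = {k.lower(): v[-1] for k, v in parse_qs(parts.query).items()}
    # mongodb+srv enables TLS by default; plain mongodb:// does not.
    default_tls = "true" if parts.scheme == "mongodb+srv" else "false"
    tls_value = opts.get("tls", opts.get("ssl", default_tls)).lower()
    hosts = parts.netloc.rpartition("@")[2]
    return {
        "quoted": quoted,
        "scheme": parts.scheme,
        "hosts": hosts.split(","),
        "database": parts.path.lstrip("/") or None,
        "replica_set": opts.get("replicaset"),
        "tls_enabled": tls_value == "true",
        "has_credentials": parts.username is not None,
        "client_file_options": sorted(k for k in opts if k in CLIENT_FILE_OPTIONS),
    }


def problems(raw):
    """List reasons a string would fail as mongodb_uri, based on the thread's findings."""
    info = check_uri(raw)
    found = []
    if info["quoted"]:
        found.append("surrounded by quotes: server.conf takes the bare value")
    for opt in info["client_file_options"]:
        found.append("%s is not accepted by Graylog in mongodb_uri" % opt)
    if not info["tls_enabled"]:
        found.append("TLS not enabled: add tls=true")
    if not info["has_credentials"] and not info["client_file_options"]:
        found.append("no credentials: SCRAM needs user:password in the URI")
    return found


def scram_tls_uri(user, password, hosts, database, replica_set=None):
    """Build the SCRAM-over-TLS form of the URI, percent-encoding the credentials."""
    query = {"tls": "true"}
    if replica_set:
        query["replicaSet"] = replica_set
    # quote(..., safe="") escapes ':', '@', '/' and '%' so they cannot break the userinfo part.
    return "mongodb://%s:%s@%s/%s?%s" % (
        quote(user, safe=""), quote(password, safe=""),
        ",".join(hosts), database, urlencode(query))


if __name__ == "__main__":
    # Constructed sample: the X.509-style URI from the thread, quoted as in server.conf.
    x509 = ('"mongodb+srv://mongocluster.example.com/graylog?replicaSet=rs0'
            '&tlsCertificateKeyFile=/etc/mongod/ssl/mongodb.pem'
            '&tlsCAFile=/etc/mongod/ssl/ca-chain-bundle.cert.pem"')
    for line in problems(x509):
        print("x509 uri:", line)
    # Constructed sample: the SCRAM + tls=true alternative (hosts and password are made up).
    scram = scram_tls_uri("graylog", "p@ss:w/rd",
                          ["mongo1.example.com:27017", "mongo2.example.com:27017"],
                          "graylog", replica_set="rs0")
    print("scram uri:", scram, "problems:", problems(scram))
```

The check treats mongodb+srv as TLS-on by default, which is MongoDB's rule for that scheme, so a plain mongodb:// URI needs an explicit tls=true to pass. On the MongoDB side, the SCRAM variant still relies on net.tls being enabled with allowConnectionsWithoutCertificates, as the post above describes; this script only validates the client-side string.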
Awesome, thanks for this workaround! Though it still hasn’t solved the ask for x.509 certificate support, I think it’s still a valid solution because it offers encryption which is all we’re really trying to do here.
From my understanding SCRAM is for user/password authentication, which is the default for MongoDB and is not TLS. What I was trying to do was full TLS with X.509 authentication.
Right, I understand. SCRAM isn’t a replacement for certificates by any means. I was just saying it’s a decent alternative solution that still allows one to use TLS for the Graylog ↔ MongoDB connection.
Unfortunately I can’t speak to if/when TLS will be implemented into the MongoDB connection, but yes for the time being it looks like SCRAM is the next-best solution.