Mongo db uri in graylog with X509 cert

Hi

Wondering if anyone else has had this issue. I'm running MongoDB v6.0.4 as a replica set cluster and using X.509 as the auth mechanism. The issue I have is that in the Graylog conf I can't work out what the URI should be. If I use the mongosh command it connects to MongoDB using the command below:

 mongosh "mongodb+srv://mongocluster.example.com/graylog?replicaSet=rs0&tlsCertificateKeyFile=/etc/mongod/ssl/mongodb.pem&tlsCAFile=/etc/mongod/ssl/ca-chain-bundle.cert.pem"

The quotes are required for it to see all the options, but I can't use them in graylog.conf. I have also added

GRAYLOG_SERVER_JAVA_OPTS="$GRAYLOG_SERVER_JAVA_OPTS -Djavax.net.ssl.trustStore=/etc/ssl/certs/java/cacerts"

in /etc/default/graylog-server and added the CA cert to the keystore.

Best regards


What happens when you set that as the mongodb_uri in server.conf ?

My understanding is this config parameter fully supports mongodb connection-string(s). I’d give that a try if you haven’t already. I unfortunately have never used mongo with certificates so don’t have anything more helpful to add.

Sorry for the delayed response. So if I use mongodb_uri = "mongodb+srv://mongocluster.example.com/graylog?replicaSet=rs0&tlsCertificateKeyFile=/etc/mongod/ssl/mongodb.pem&tlsCAFile=/etc/mongod/ssl/ca-chain-bundle.cert.pem" it doesn't work because it doesn't like the quotes. If I do it without the quotes, Graylog doesn't recognise the TLS options. Not sure if Graylog is not capable of using TLS options in the URI.

Best i could do is

mongodb_uri = mongodb+srv://mongocluster.example.com/graylog?replicaSet=rs0

but the issue is that it requires the TLS certs to authenticate.

I found an older issue that talks about this: add certificate authentication to mongod · Issue #4472 · Graylog2/graylog2-server · GitHub

This suggests you can use TLS but you have to:

  1. import the cert into the java key store (JKS) used by graylog (See Java Key Store section of this blog post).
  2. Add ?tls=true to the connection uri in graylog’s server.conf

Note that the ?ssl and ?tls are the same and are interchangeable. See https://www.mongodb.com/docs/manual/reference/connection-string/#connection-options


I just tried this myself and can confirm it does not work. Graylog server complains it does not support a “tlscertificatekeyfile” argument in the mongodb_uri and MongoDB logs say that no certificate is being provided when Graylog attempts to connect.

server.conf:

mongodb_uri = mongodb://CN = example.com@mongodb.example.com/graylog?tlsCertificateKeyFile=/etc/graylog/ssl/graylog-cert.pem&authMechanism=MONGODB-X509&tls=true

Graylog:

2023-06-30T00:16:16.255Z WARN  [uri] Connection string contains unsupported option 'tlscertificatekeyfile'.

MongoDB log:

{"t":{"$date":"2023-06-30T00:17:08.290+00:00"},"s":"E",  "c":"NETWORK",  "id":23255,   "ctx":"conn123","msg":"No SSL certificate provided by peer; connection rejected"}

I think joschi's response is just outdated, as there have been several major versions of both pieces of software since he said that. Unless @drewmiranda-gl you can play around with it and figure it out, I'm going to either bump that existing FR or make a new one and just reference it.


While setting up TLS encryption between Graylog and MongoDB we also saw the behavior described by William. We now use SCRAM authentication with the option allowConnectionsWithoutCertificates: true on the MongoDB side and tls=true in the Graylog server.conf.

Oh very interesting… So the traffic is encrypted by TLS but authenticated with SCRAM instead of PKI. I’m not very familiar with SCRAM implementation, but I imagine both client (Graylog) and server (MongoDB) have to support it correct? Was there any config necessary to set this up on the Graylog side other than supplying the MongoDB username and password?

Also, what versions of MongoDB and Graylog have you been able to implement this with?

Well, apparently graylog supports that way of authentication. We only needed to provide the credentials in the mongodb_uri configuration option.
That is running with graylog-server 5.0 and percona mongodb server 6.0.


Awesome, thanks for this workaround! Though it still hasn’t solved the ask for x.509 certificate support, I think it’s still a valid solution because it offers encryption which is all we’re really trying to do here.

From my understanding SCRAM is for user/password authentication, which is the default for MongoDB and is not TLS. What I was trying to do was full TLS with X.509 authentication.

Right, I understand. SCRAM isn’t a replacement for certificates by any means. I was just saying it’s a decent alternative solution that still allows one to use TLS for the Graylog ↔ MongoDB connection.

Sorry it's taken a while to respond. I'm guessing full TLS X.509 won't get implemented and I have to use SCRAM?

Unfortunately I can’t speak to if/when TLS will be implemented into the MongoDB connection, but yes for the time being it looks like SCRAM is the next-best solution.

Thought I would revive this topic – TLS seems to be working (both transport and auth) with graylog community 5.* and mongodb 7.*

I have a 3-node mongodb cluster. I’ve generated certs for each host involved – all 3 mongodb plus the graylog hosts that are mongodb clients – and these are signed by the same fake CA. (Real certs should work of course :-D)

The /etc/mongod.conf network and security config looks like this

net:
    port: 27017
    bindIp: node0.fqdn
    tls:
        mode: requireTLS
        certificateKeyFile: /path/to/node0-keypair.pem
        CAFile: /path/to/my-ca.pem
        allowConnectionsWithoutCertificates: false

security:
    authorization: enabled
    clusterAuthMode: x509

(NOTE: one fiddly part is the certificateKeyFile setting. It requires a concatenated key file + cert file. That’s why I call it “keypair” here.)

Also have a replica set defined

replication:
    replSetName: graylog

Start up the 3 nodes, and you can connect with the mongosh command line something like this

mongosh --host=nodename.fqdn --tls --tlsCertificateKeyFile=/path/to/nodename-keypair.pem --tlsCAFile=/path/to/my-ca.pem --authenticationMechanism=MONGODB-X509

With this connection you can initialize the replicaset.

rs.initiate( {
    _id : "graylog", 
    members: [ 
        { _id: 1, host: "node0.fqdn:27017" }, 
        { _id: 2, host: "node1.fqdn:27017" }, 
        { _id: 3, host: "node2.fqdn:27017" } 
    ]
} )

On the graylog side, you can’t point to the individual cert and CA files. You have to use the JVM’s keystore and truststore. Here’s how I do that.

Create a java keystore containing the cert for the graylog host. I’ll call this “graylog-node-keystore.jks”

Create a java truststore containing the certificate authority used to sign your certs – what I call “fake CA” above. This also needs to include other certs you want to trust – you can start with the default truststore from whatever JVM you’re using. I’ll call this “my-truststore.jks”

Configure graylog to use the keystore and truststore – one way is to set JVM startup arguments. I do this in /etc/sysconfig/graylog-server

GRAYLOG_SERVER_JAVA_OPTS="$GRAYLOG_SERVER_JAVA_OPTS -Djavax.net.ssl.keyStore=/path/to/graylog-node-keystore.jks"
GRAYLOG_SERVER_JAVA_OPTS="$GRAYLOG_SERVER_JAVA_OPTS -Djavax.net.ssl.trustStore=/path/to/my-truststore.jks"

If you follow standard practice and have passwords on your keystore and truststore you’ll need to specify those as well.

GRAYLOG_SERVER_JAVA_OPTS="$GRAYLOG_SERVER_JAVA_OPTS -Djavax.net.ssl.keyStorePassword=changeit"
GRAYLOG_SERVER_JAVA_OPTS="$GRAYLOG_SERVER_JAVA_OPTS -Djavax.net.ssl.trustStorePassword=changeit"

Then in /etc/graylog/server/server.conf the mongodb_uri looks like this

mongodb_uri = mongodb://node0.fqdn:27017,node1.fqdn:27017,node2.fqdn:27017/graylog?replicaSet=graylog&tls=true&authMechanism=MONGODB-X509

On first startup Graylog should connect and initialize the MongoDB database, and you are up and running.

So this appears to be working. If anyone else is interested would be great to confirm. Thanks!

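The keystore/truststore procedure in the post above (and the earlier suggestion to import the cert into the JKS and add tls=true), carried through as an added example that is not the poster's script or Graylog's own tooling. It turns the concatenated key+cert PEM into a JKS keystore, seeds a truststore from the JVM's cacerts and adds the signing CA, and prints the sysconfig lines and the mongodb_uri. It requires openssl and keytool; only the string helpers run without them. Assumptions: the output paths, the keystore alias, the "changeit" password, /etc/ssl/certs/java/cacerts as the default cacerts source (the path from the first post), and readWrite on the graylog database as the role. One caveat the post does not cover: with clusterAuthMode: x509, MongoDB treats any client whose certificate carries the same O, OU and DC as the member certificates as a cluster member, which is far more privilege than Graylog needs. The example therefore prints the RFC 2253 subject and a mongosh createUser call for a dedicated $external user; give the Graylog certificate a different O, OU or DC from the mongod member certificates.

```shell
#!/bin/sh
# Added example, not from the thread: build the JVM keystore and truststore a
# Graylog node needs for MONGODB-X509 and emit the matching config lines.
# Placeholders: paths, the "graylog" alias, the "changeit" password, the
# readWrite role. Needs openssl and keytool on PATH for the *_store helpers.

# Concatenated "private key + certificate" PEM (the same layout mongod's
# certificateKeyFile wants) -> PKCS#12 -> JKS for javax.net.ssl.keyStore.
make_keystore() {   # make_keystore keypair.pem out.jks password [alias]
    keypair=$1 out=$2 pass=$3 alias=${4:-graylog}
    tmp=$(mktemp)
    # -inkey defaults to the -in file, so one combined PEM is enough
    openssl pkcs12 -export -in "$keypair" -name "$alias" -out "$tmp" -passout "pass:$pass"
    keytool -importkeystore -noprompt \
        -srckeystore "$tmp" -srcstoretype PKCS12 -srcstorepass "$pass" \
        -destkeystore "$out" -deststoretype JKS -deststorepass "$pass"
    rm -f "$tmp"
}

# Start from the JVM's own cacerts so other outbound TLS keeps working, then
# add the CA that signed the mongod certificates. Default cacerts password is
# "changeit"; the source path is an assumption (Debian-style layout).
make_truststore() {   # make_truststore ca.pem out.jks password [src_cacerts]
    ca=$1 out=$2 pass=$3 src=${4:-/etc/ssl/certs/java/cacerts}
    keytool -importkeystore -noprompt \
        -srckeystore "$src" -srcstorepass changeit \
        -destkeystore "$out" -deststorepass "$pass"
    keytool -importcert -noprompt -trustcacerts -alias mongodb-ca \
        -file "$ca" -keystore "$out" -storepass "$pass"
}

# MongoDB matches a MONGODB-X509 login against a $external user whose name is
# the certificate subject in RFC 2253 form; this prints exactly that string.
x509_username() {   # x509_username cert-or-keypair.pem
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# mongosh statement creating that user (run once on the primary as an admin).
# Assumption: readWrite on the graylog database is enough for Graylog.
create_user_js() {   # create_user_js 'CN=graylog.fqdn,O=Example'
    printf 'db.getSiblingDB("$external").createUser({user: "%s", roles: [{role: "readWrite", db: "graylog"}]})\n' "$1"
}

# Pure string helpers, usable without openssl/keytool.
build_mongodb_uri() {   # build_mongodb_uri replset host1 [host2 ...]
    rs=$1; shift
    hosts=""
    for h in "$@"; do
        hosts="${hosts:+$hosts,}$h:27017"
    done
    printf 'mongodb://%s/graylog?replicaSet=%s&tls=true&authMechanism=MONGODB-X509\n' "$hosts" "$rs"
}

jvm_opts_lines() {   # jvm_opts_lines keystore.jks truststore.jks password
    for kv in "keyStore=$1" "trustStore=$2" "keyStorePassword=$3" "trustStorePassword=$3"; do
        printf 'GRAYLOG_SERVER_JAVA_OPTS="$GRAYLOG_SERVER_JAVA_OPTS -Djavax.net.ssl.%s"\n' "$kv"
    done
}

main() {   # main keypair.pem ca.pem /etc/graylog/ssl password
    keypair=$1 ca=$2 dir=$3 pass=$4
    make_keystore "$keypair" "$dir/graylog-node-keystore.jks" "$pass"
    make_truststore "$ca" "$dir/my-truststore.jks" "$pass"
    echo "# /etc/sysconfig/graylog-server (or /etc/default/graylog-server):"
    jvm_opts_lines "$dir/graylog-node-keystore.jks" "$dir/my-truststore.jks" "$pass"
    echo "# /etc/graylog/server/server.conf:"
    printf 'mongodb_uri = %s\n' "$(build_mongodb_uri graylog node0.fqdn node1.fqdn node2.fqdn)"
    echo "# run once in mongosh as an admin on the primary:"
    create_user_js "$(x509_username "$keypair")"
}

if [ "$#" -ge 4 ]; then main "$@"; fi
```

Usage: `sh build-graylog-tls.sh /path/to/graylog-keypair.pem /path/to/my-ca.pem /etc/graylog/ssl changeit`. Afterwards `keytool -list -keystore /etc/graylog/ssl/graylog-node-keystore.jks -storepass changeit` should show one PrivateKeyEntry, and the mongod log should stop reporting "No SSL certificate provided by peer" when Graylog connects.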