Mongo db uri in graylog with X509 cert


Wondering if anyone else has had this issue. I’m running MongoDB v6.0.4 in a replicate cluster and using X509 as the auth. The issue I have is that in the Graylog conf I can’t work out what the URI should be. If I use the mongosh command, it connects to MongoDB using the below command:

 mongosh "mongodb+srv://"

The quotes are required for it to see all the options, but I can’t use them in the graylog.conf. I have also added


in /etc/default/graylog-server and added the CA cert to the keystore.

Best regards


What happens when you set that as the mongodb_uri in server.conf ?

My understanding is this config parameter fully supports mongodb connection-string(s). I’d give that a try if you haven’t already. I unfortunately have never used mongo with certificates so don’t have anything more helpful to add.

Sorry for the delayed response. So if I use mongodb_uri = "mongodb+srv://" it doesn’t work because it doesn’t like the quotes. If I do it without the quotes, Graylog doesn’t recognise the TLS commands. Not sure if Graylog is not capable of using TLS commands in the URI.

Best I could do is

mongodb_uri = mongodb+srv://

but the issue is it requires the tlscerts to authenticate.

I found an older issue that talks about this: add certificate authentication to mongod · Issue #4472 · Graylog2/graylog2-server · GitHub

This suggests you can use TLS but you have to:

  1. import the cert into the java key store (JKS) used by graylog (See Java Key Store section of this blog post).
  2. Add ?tls=true to the connection uri in graylog’s server.conf

Note that the ?ssl and ?tls are the same and are interchangeable. See


I just tried this myself and can confirm it does not work. Graylog server complains it does not support a “tlscertificatekeyfile” argument in the mongodb_uri and MongoDB logs say that no certificate is being provided when Graylog attempts to connect.


mongodb_uri = mongodb://CN =


2023-06-30T00:16:16.255Z WARN  [uri] Connection string contains unsupported option 'tlscertificatekeyfile'.

MongoDB log:

{"t":{"$date":"2023-06-30T00:17:08.290+00:00"},"s":"E",  "c":"NETWORK",  "id":23255,   "ctx":"conn123","msg":"No SSL certificate provided by peer; connection rejected"}

I think joschi’s response is just outdated, as there have been several major versions of both softwares since he said that. Unless @drewmiranda-gl you can play around with it and figure it out, I’m going to either bump that existing FR or make a new one and just reference it.


While setting up TLS encryption between Graylog and MongoDB we also saw the behavior described by william. We now use SCRAM authentication with the option allowConnectionsWithoutCertificates: true on the MongoDB side and tls=true in the Graylog server.conf.

Oh very interesting… So the traffic is encrypted by TLS but authenticated with SCRAM instead of PKI. I’m not very familiar with SCRAM implementation, but I imagine both client (Graylog) and server (MongoDB) have to support it correct? Was there any config necessary to set this up on the Graylog side other than supplying the MongoDB username and password?

Also, what versions of MongoDB and Graylog have you been able to implement this with?

Well, apparently graylog supports that way of authentication. We only needed to provide the credentials in the mongodb_uri configuration option.
That is running with graylog-server 5.0 and percona mongodb server 6.0.


Awesome, thanks for this workaround! Though it still hasn’t solved the ask for x.509 certificate support, I think it’s still a valid solution because it offers encryption which is all we’re really trying to do here.

From my understanding SCRAM is for user/password authentication, which is the default for MongoDB and is not TLS. What I was trying to do was full TLS with x509 authentication.

Right, I understand. SCRAM isn’t a replacement for certificates by any means. I was just saying it’s a decent alternative solution that still allows one to use TLS for the Graylog ↔ MongoDB connection.

Sorry it has taken a while to respond. I’m guessing full TLS X509 won’t get implemented and we have to use SCRAM?

Unfortunately I can’t speak to if/when TLS will be implemented into the MongoDB connection, but yes for the time being it looks like SCRAM is the next-best solution.
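
A pre-restart check for the pitfalls reported in this thread (a quoted value, the rejected 'tlscertificatekeyfile' option, SCRAM credentials sent without TLS), as an added example that is not part of the original posts or Graylog's own code. The function names, finding codes, and the hosts, user and password in the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Option the Graylog log in this thread rejected; extend if other warnings appear.
UNSUPPORTED = {"tlscertificatekeyfile"}

def audit_mongodb_uri(conf_text):
    """Return (code, detail) findings for the mongodb_uri line of a Graylog conf."""
    m = re.search(r"^\s*mongodb_uri\s*=\s*(.*?)\s*$", conf_text, re.MULTILINE)
    if not m:
        return [("missing", "no mongodb_uri line found")]
    value, findings = m.group(1), []
    # The quotes mongosh needs on a shell command line are reported to break the conf.
    if value.startswith(('"', "'")) or value.endswith(('"', "'")):
        findings.append(("quoted", "remove the surrounding quotes"))
        value = value.strip("\"'")
    parts = urlsplit(value)
    # MongoDB option names are case-insensitive, so compare in lower case.
    opts = {k.lower(): v.lower()
            for k, v in parse_qsl(parts.query, keep_blank_values=True)}
    for name in sorted(opts):
        if name in UNSUPPORTED:
            findings.append(("unsupported_option", name))
    # ?ssl and ?tls are interchangeable; mongodb+srv enables TLS unless told otherwise.
    tls = opts.get("tls", opts.get("ssl"))
    encrypted = tls == "true" or (tls is None and parts.scheme == "mongodb+srv")
    if not encrypted:
        code = "cleartext_credentials" if parts.password else "no_tls"
        findings.append((code, "add tls=true to the connection string"))
    return findings

def codes(conf_text):
    """Finding codes only, in the order they were raised."""
    return [code for code, _ in audit_mongodb_uri(conf_text)]

# Constructed sample lines; hosts, user and password are placeholders.
SAMPLES = {
    "quoted": 'mongodb_uri = "mongodb+srv://db.example.internal/graylog?tls=true"',
    "client_cert_option": "mongodb_uri = mongodb://db.example.internal:27017/graylog"
                          "?tls=true&tlsCertificateKeyFile=/etc/graylog/client.pem",
    "scram_no_tls": "mongodb_uri = mongodb://graylog:s3cret@db.example.internal:27017/graylog",
    "scram_tls": "mongodb_uri = mongodb://graylog:s3cret@db1.example.internal:27017,"
                 "db2.example.internal:27017/graylog?ssl=true",
}

if __name__ == "__main__":
    for label, line in SAMPLES.items():
        print(label, codes(line))
```

An empty result for a SCRAM-over-TLS line only means the URI is well-formed for this setup; the MongoDB CA still has to be in the Java key store Graylog uses, as described earlier in the thread.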