Cannot start with SSL #165
Closed
coolgk opened this issue Apr 5, 2017 · 5 comments

Comments

@coolgk

coolgk commented Apr 5, 2017

If I start mongod with SSL enabled, docker-entrypoint.sh will always fail.

On line 106 of docker-entrypoint.sh: if "${mongo[@]}" 'admin' --eval 'quit(0)' &> /dev/null; then

SSL options should be added to the mongo command if the server is started with SSL.

e.g. add --ssl --sslAllowInvalidCertificates
if "${mongo[@]}" --ssl --sslAllowInvalidCertificates 'admin' --eval 'quit(0)' &> /dev/null; then

image mongo:3.4
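As an added illustration of the change proposed above (this is example code, not the docker-library/mongo entrypoint script and not what #167 merged), a POSIX shell sketch of a readiness probe that reads --sslMode off the mongod command line and only then appends --ssl --sslAllowInvalidCertificates --sslAllowInvalidHostnames to the mongo shell invocation. The function names (mongod_arg_value, mongo_client_ssl_flags, mongo_ready_check) are this example's own; it assumes the mongo 3.4 shell accepts those three flags, that mongod's default port is 27017, and it deliberately does not parse a --config/-f file, so a requireSSL set only in mongod.conf (as in the configs posted later in this thread) is not detected.

```shell
#!/bin/sh
# Added example, not the docker-library/mongo entrypoint script: derive the
# client flags the entrypoint's readiness probe needs from the mongod command
# line, so "mongo admin --eval 'quit(0)'" is not rejected with error 17189
# ("The server is configured to only allow SSL connections") under requireSSL.
# Only command-line flags are inspected; a --config/-f file is not parsed.
set -eu

# Print the value of option $1 from the mongod arguments that follow, or the
# default $2 when the option is absent. Accepts "--flag value" and "--flag=value".
mongod_arg_value() {
    name="$1"; default="$2"; shift 2
    while [ "$#" -gt 0 ]; do
        case "$1" in
            "$name")   printf '%s\n' "${2:-}"; return 0 ;;
            "$name"=*) printf '%s\n' "${1#"$name"=}"; return 0 ;;
        esac
        shift
    done
    printf '%s\n' "$default"
}

# Flags to append to the mongo shell for a loopback probe. Only requireSSL
# rejects plaintext; allowSSL and preferSSL still accept the plain connection.
# The server cert is usually self-signed and not issued for 127.0.0.1, so
# validation is relaxed for this one loopback probe only, never for real
# clients, which should present --sslCAFile and verify the hostname.
mongo_client_ssl_flags() {
    case "$(mongod_arg_value --sslMode disabled "$@")" in
        requireSSL) printf '%s\n' '--ssl --sslAllowInvalidCertificates --sslAllowInvalidHostnames' ;;
        *)          printf '\n' ;;
    esac
}

# Readiness probe: exit 0 once mongod on the loopback interface answers.
# "$@" is the full mongod command line, as an entrypoint script receives it.
mongo_ready_check() {
    port="$(mongod_arg_value --port 27017 "$@")"
    flags="$(mongo_client_ssl_flags "$@")"
    # $flags is intentionally unquoted so an empty string expands to nothing
    mongo --host 127.0.0.1 --port "$port" $flags admin --eval 'quit(0)' >/dev/null 2>&1
}

# Usage from an entrypoint, e.g. with
#   mongod --port 37017 --sslMode requireSSL --sslPEMKeyFile /etc/ssl/mongodb.pem
# as "$@":
#   for i in $(seq 30); do mongo_ready_check "$@" && break; sleep 1; done
```

The probe relaxes certificate validation only because it talks to 127.0.0.1 inside the container; the same flags on an application client would silently disable the authentication the certificate is supposed to provide.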

@kkdevenda

kkdevenda commented Apr 6, 2017

I am also facing a similar issue. I am experimenting with mongod in docker swarm. When I deploy mongo services in swarm with a docker-compose.yml file with SSL enabled, the service will not start. The container starts with all the configurations but starts throwing errors after it starts listening on the port, and eventually shuts down.

The error is -
AssertionException handling request, closing client connection: The server is configured to only allow SSL connections

This error occurs only when deploying mongod as a service in the docker swarm. If I start mongod container from an image pulled from docker hub with the exact same configurations as in the service, it works fine.

I am not able to figure out the reason.

I have tried:

Changing the port of mongod in the docker service. Changing the port gives a different error: "error: mongod does not appear to have accepted connections quickly enough -- perhaps it had an error?"

Starting mongod with configuration from the command line via the command: attribute of the docker-compose file.

Starting mongod with configuration from a configuration file mounted inside the mongod container.

Starting mongod with the configuration allowInvalidCertificates: true
Starting mongod with bindIp: 127.0.0.1 and bindIp: 0.0.0.0

My configuration file looks like this:


# for documentation of all options, see:
#   http://docs.mongodb.org/manual/reference/configuration-options/

# where to write logging data.
systemLog:
  destination: file
  logAppend: true
  path: /var/log/mongodb/mongod.log

# Where and how to store data.
storage:
  dbPath: /data/db
  journal:
    enabled: true
#  engine:
#  mmapv1:
#  wiredTiger:

# how the process runs
processManagement:
  fork: true  # fork and run in background
  pidFilePath: /var/run/mongodb/mongod.pid  # location of pidfile

# network interfaces
net:
  ssl:
    mode: requireSSL
    PEMKeyFile: /mongodb/ssl/cert.pem
    CAFile: /mongodb/ssl/ca.pem
    clusterFile: /mongodb/ssl/cert.pem
    allowConnectionsWithoutCertificates: true

  port: 37017
  #bindIp: 0.0.0.0  # Listen to local interface only, comment to listen on all interfaces.


security:
  clusterAuthMode: x509

setParameter:
   enableLocalhostAuthBypass: true

@thisismsreddy

thisismsreddy commented Apr 11, 2017

I am also facing the same issue.
mongod.conf:

# mongod.conf

# for documentation of all options, see:
#   http://docs.mongodb.org/manual/reference/configuration-options/

# Where and how to store data.
storage:
#  dbPath: /var/lib/mongodb
  journal:
    enabled: true
#  engine:
#  mmapv1:
#  wiredTiger:

# where to write logging data.
systemLog:
  destination: file
  logAppend: true
  path: /var/log/mongodb/mongod.log

# network interfaces
net:
  port: 27017
  #bindIp: 0.0.0.0

  ssl:
     mode: requireSSL
     PEMKeyFile: /etc/ssl/mongodb.pem
     allowConnectionsWithoutCertificates: true
     allowInvalidCertificates: true
     allowInvalidHostnames: true

setParameter:
  enableLocalhostAuthBypass: true

#operationProfiling:

#replication:

#sharding:

## Enterprise-Only Options:

#auditLog:

#snmp:

Dockerfile:

FROM mongo
ENV DEBIAN_FRONTEND noninteractive
RUN apt-get update && apt-get install -y --no-install-recommends \
    ssl-cert \
    && apt-get clean && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
RUN mkdir -p /etc/ssl
COPY mongodb.pem /etc/ssl
COPY mongod.conf /etc
RUN mkdir -p /var/lib/mongodb
CMD ["mongod", "-f", "/etc/mongod.conf"]

Error logs:

2017-04-11T10:38:58.131+0000 I CONTROL  [main] ***** SERVER RESTARTED *****
2017-04-11T10:38:58.137+0000 I CONTROL  [initandlisten] MongoDB starting : pid=15 port=27017 dbpath=/data/db 64-bit host=a352e3526354
2017-04-11T10:38:58.137+0000 I CONTROL  [initandlisten] db version v3.4.3
2017-04-11T10:38:58.137+0000 I CONTROL  [initandlisten] git version: f07437fb5a6cca07c10bafa78365456eb1d6d5e1
2017-04-11T10:38:58.137+0000 I CONTROL  [initandlisten] OpenSSL version: OpenSSL 1.0.1t  3 May 2016
2017-04-11T10:38:58.137+0000 I CONTROL  [initandlisten] allocator: tcmalloc
2017-04-11T10:38:58.137+0000 I CONTROL  [initandlisten] modules: none
2017-04-11T10:38:58.137+0000 I CONTROL  [initandlisten] build environment:
2017-04-11T10:38:58.137+0000 I CONTROL  [initandlisten]     distmod: debian81
2017-04-11T10:38:58.137+0000 I CONTROL  [initandlisten]     distarch: x86_64
2017-04-11T10:38:58.137+0000 I CONTROL  [initandlisten]     target_arch: x86_64
2017-04-11T10:38:58.137+0000 I CONTROL  [initandlisten] options: { config: "/etc/mongod.conf", net: { bindIp: "127.0.0.1", port: 27017, ssl: { PEMKeyFile: "/etc/ssl/mongodb.pem", allowConnectionsWithoutCertificates: true, allowInvalidCertificates: true, allowInvalidHostnames: true, mode: "requireSSL" } }, processManagement: { fork: true, pidFilePath: "/tmp/tmp.ffzGO1tLEK" }, setParameter: { enableLocalhostAuthBypass: "false" }, storage: { journal: { enabled: true } }, systemLog: { destination: "file", logAppend: true, path: "/proc/1/fd/1" } }
2017-04-11T10:38:58.140+0000 I STORAGE  [initandlisten] 
2017-04-11T10:38:58.140+0000 I STORAGE  [initandlisten] ** WARNING: Using the XFS filesystem is strongly recommended with the WiredTiger storage engine
2017-04-11T10:38:58.140+0000 I STORAGE  [initandlisten] **          See http://dochub.mongodb.org/core/prodnotes-filesystem
2017-04-11T10:38:58.140+0000 I STORAGE  [initandlisten] wiredtiger_open config: create,cache_size=488M,session_max=20000,eviction=(threads_min=4,threads_max=4),config_base=false,statistics=(fast),log=(enabled=true,archive=true,path=journal,compressor=snappy),file_manager=(close_idle_time=100000),checkpoint=(wait=60,log_size=2GB),statistics_log=(wait=0),
2017-04-11T10:38:59.457+0000 I CONTROL  [initandlisten] 
2017-04-11T10:38:59.457+0000 I CONTROL  [initandlisten] ** WARNING: Access control is not enabled for the database.
2017-04-11T10:38:59.457+0000 I CONTROL  [initandlisten] **          Read and write access to data and configuration is unrestricted.
2017-04-11T10:38:59.457+0000 I CONTROL  [initandlisten] 
2017-04-11T10:38:59.457+0000 I CONTROL  [initandlisten] ** WARNING: No SSL certificate validation can be performed since no CA file has been provided
2017-04-11T10:38:59.457+0000 I CONTROL  [initandlisten] **          Please specify an sslCAFile parameter.
2017-04-11T10:38:59.457+0000 I CONTROL  [initandlisten] 
2017-04-11T10:38:59.457+0000 I CONTROL  [initandlisten] 
2017-04-11T10:38:59.457+0000 I CONTROL  [initandlisten] ** WARNING: /sys/kernel/mm/transparent_hugepage/enabled is 'always'.
2017-04-11T10:38:59.457+0000 I CONTROL  [initandlisten] **        We suggest setting it to 'never'
2017-04-11T10:38:59.457+0000 I CONTROL  [initandlisten] 
2017-04-11T10:38:59.457+0000 I CONTROL  [initandlisten] ** WARNING: /sys/kernel/mm/transparent_hugepage/defrag is 'always'.
2017-04-11T10:38:59.457+0000 I CONTROL  [initandlisten] **        We suggest setting it to 'never'
2017-04-11T10:38:59.458+0000 I CONTROL  [initandlisten] 
2017-04-11T10:38:59.800+0000 I FTDC     [initandlisten] Initializing full-time diagnostic data capture with directory '/data/db/diagnostic.data'
2017-04-11T10:39:00.268+0000 I INDEX    [initandlisten] build index on: admin.system.version properties: { v: 2, key: { version: 1 }, name: "incompatible_with_version_32", ns: "admin.system.version" }
2017-04-11T10:39:00.268+0000 I INDEX    [initandlisten] 	 building index using bulk method; build may temporarily use up to 500 megabytes of RAM
2017-04-11T10:39:00.269+0000 I INDEX    [initandlisten] build index done.  scanned 0 total records. 0 secs
2017-04-11T10:39:00.270+0000 I COMMAND  [initandlisten] setting featureCompatibilityVersion to 3.4
child process started successfully, parent exiting
2017-04-11T10:39:00.271+0000 I NETWORK  [thread1] waiting for connections on port 27017 ssl
2017-04-11T10:39:00.301+0000 I NETWORK  [thread1] connection accepted from 127.0.0.1:58496 #1 (1 connection now open)
2017-04-11T10:39:00.302+0000 I -        [conn1] AssertionException handling request, closing client connection: 17189 The server is configured to only allow SSL connections
2017-04-11T10:39:00.304+0000 I -        [conn1] end connection 127.0.0.1:58496 (1 connection now open)
2017-04-11T10:39:01.335+0000 I NETWORK  [thread1] connection accepted from 127.0.0.1:58498 #2 (1 connection now open)
2017-04-11T10:39:01.335+0000 I -        [conn2] AssertionException handling request, closing client connection: 17189 The server is configured to only allow SSL connections
2017-04-11T10:39:01.337+0000 I -        [conn2] end connection 127.0.0.1:58498 (1 connection now open)
2017-04-11T10:39:02.368+0000 I NETWORK  [thread1] connection accepted from 127.0.0.1:58500 #3 (1 connection now open)
2017-04-11T10:39:02.368+0000 I -        [conn3] AssertionException handling request, closing client connection: 17189 The server is configured to only allow SSL connections
2017-04-11T10:39:02.371+0000 I -        [conn3] end connection 127.0.0.1:58500 (1 connection now open)
2017-04-11T10:39:03.402+0000 I NETWORK  [thread1] connection accepted from 127.0.0.1:58502 #4 (1 connection now open)
2017-04-11T10:39:03.402+0000 I -        [conn4] AssertionException handling request, closing client connection: 17189 The server is configured to only allow SSL connections
2017-04-11T10:39:03.405+0000 I -        [conn4] end connection 127.0.0.1:58502 (1 connection now open)
2017-04-11T10:39:04.436+0000 I NETWORK  [thread1] connection accepted from 127.0.0.1:58504 #5 (1 connection now open)
2017-04-11T10:39:04.436+0000 I -        [conn5] AssertionException handling request, closing client connection: 17189 The server is configured to only allow SSL connections
2017-04-11T10:39:04.438+0000 I -        [conn5] end connection 127.0.0.1:58504 (1 connection now open)
2017-04-11T10:39:05.470+0000 I NETWORK  [thread1] connection accepted from 127.0.0.1:58506 #6 (1 connection now open)
2017-04-11T10:39:05.470+0000 I -        [conn6] AssertionException handling request, closing client connection: 17189 The server is configured to only allow SSL connections
2017-04-11T10:39:05.473+0000 I -        [conn6] end connection 127.0.0.1:58506 (1 connection now open)
2017-04-11T10:39:06.504+0000 I NETWORK  [thread1] connection accepted from 127.0.0.1:58508 #7 (1 connection now open)
2017-04-11T10:39:06.505+0000 I -        [conn7] AssertionException handling request, closing client connection: 17189 The server is configured to only allow SSL connections
2017-04-11T10:39:06.507+0000 I -        [conn7] end connection 127.0.0.1:58508 (1 connection now open)
2017-04-11T10:39:07.538+0000 I NETWORK  [thread1] connection accepted from 127.0.0.1:58510 #8 (1 connection now open)
2017-04-11T10:39:07.538+0000 I -        [conn8] AssertionException handling request, closing client connection: 17189 The server is configured to only allow SSL connections
2017-04-11T10:39:07.541+0000 I -        [conn8] end connection 127.0.0.1:58510 (1 connection now open)
2017-04-11T10:39:08.572+0000 I NETWORK  [thread1] connection accepted from 127.0.0.1:58512 #9 (1 connection now open)
2017-04-11T10:39:08.572+0000 I -        [conn9] AssertionException handling request, closing client connection: 17189 The server is configured to only allow SSL connections
2017-04-11T10:39:08.574+0000 I -        [conn9] end connection 127.0.0.1:58512 (1 connection now open)
2017-04-11T10:39:09.605+0000 I NETWORK  [thread1] connection accepted from 127.0.0.1:58514 #10 (1 connection now open)
2017-04-11T10:39:09.605+0000 I -        [conn10] AssertionException handling request, closing client connection: 17189 The server is configured to only allow SSL connections
2017-04-11T10:39:09.608+0000 I -        [conn10] end connection 127.0.0.1:58514 (1 connection now open)
2017-04-11T10:39:10.639+0000 I NETWORK  [thread1] connection accepted from 127.0.0.1:58516 #11 (1 connection now open)
2017-04-11T10:39:10.639+0000 I -        [conn11] AssertionException handling request, closing client connection: 17189 The server is configured to only allow SSL connections
2017-04-11T10:39:10.642+0000 I -        [conn11] end connection 127.0.0.1:58516 (1 connection now open)
2017-04-11T10:39:11.673+0000 I NETWORK  [thread1] connection accepted from 127.0.0.1:58518 #12 (1 connection now open)
2017-04-11T10:39:11.673+0000 I -        [conn12] AssertionException handling request, closing client connection: 17189 The server is configured to only allow SSL connections
2017-04-11T10:39:11.675+0000 I -        [conn12] end connection 127.0.0.1:58518 (1 connection now open)
2017-04-11T10:39:12.707+0000 I NETWORK  [thread1] connection accepted from 127.0.0.1:58520 #13 (1 connection now open)
2017-04-11T10:39:12.707+0000 I -        [conn13] AssertionException handling request, closing client connection: 17189 The server is configured to only allow SSL connections
2017-04-11T10:39:12.709+0000 I -        [conn13] end connection 127.0.0.1:58520 (1 connection now open)
2017-04-11T10:39:13.740+0000 I NETWORK  [thread1] connection accepted from 127.0.0.1:58522 #14 (1 connection now open)
2017-04-11T10:39:13.741+0000 I -        [conn14] AssertionException handling request, closing client connection: 17189 The server is configured to only allow SSL connections
2017-04-11T10:39:13.743+0000 I -        [conn14] end connection 127.0.0.1:58522 (1 connection now open)
2017-04-11T10:39:14.775+0000 I NETWORK  [thread1] connection accepted from 127.0.0.1:58524 #15 (1 connection now open)
2017-04-11T10:39:14.776+0000 I -        [conn15] AssertionException handling request, closing client connection: 17189 The server is configured to only allow SSL connections
2017-04-11T10:39:14.778+0000 I -        [conn15] end connection 127.0.0.1:58524 (1 connection now open)
2017-04-11T10:39:15.809+0000 I NETWORK  [thread1] connection accepted from 127.0.0.1:58526 #16 (1 connection now open)
2017-04-11T10:39:15.809+0000 I -        [conn16] AssertionException handling request, closing client connection: 17189 The server is configured to only allow SSL connections
2017-04-11T10:39:15.811+0000 I -        [conn16] end connection 127.0.0.1:58526 (1 connection now open)
2017-04-11T10:39:16.842+0000 I NETWORK  [thread1] connection accepted from 127.0.0.1:58528 #17 (1 connection now open)
2017-04-11T10:39:16.843+0000 I -        [conn17] AssertionException handling request, closing client connection: 17189 The server is configured to only allow SSL connections
2017-04-11T10:39:16.845+0000 I -        [conn17] end connection 127.0.0.1:58528 (1 connection now open)
2017-04-11T10:39:17.876+0000 I NETWORK  [thread1] connection accepted from 127.0.0.1:58530 #18 (1 connection now open)
2017-04-11T10:39:17.877+0000 I -        [conn18] AssertionException handling request, closing client connection: 17189 The server is configured to only allow SSL connections
2017-04-11T10:39:17.879+0000 I -        [conn18] end connection 127.0.0.1:58530 (1 connection now open)
2017-04-11T10:39:18.910+0000 I NETWORK  [thread1] connection accepted from 127.0.0.1:58532 #19 (1 connection now open)
2017-04-11T10:39:18.911+0000 I -        [conn19] AssertionException handling request, closing client connection: 17189 The server is configured to only allow SSL connections
2017-04-11T10:39:18.913+0000 I -        [conn19] end connection 127.0.0.1:58532 (1 connection now open)
2017-04-11T10:39:19.944+0000 I NETWORK  [thread1] connection accepted from 127.0.0.1:58534 #20 (1 connection now open)
2017-04-11T10:39:19.944+0000 I -        [conn20] AssertionException handling request, closing client connection: 17189 The server is configured to only allow SSL connections
2017-04-11T10:39:19.947+0000 I -        [conn20] end connection 127.0.0.1:58534 (1 connection now open)
2017-04-11T10:39:20.978+0000 I NETWORK  [thread1] connection accepted from 127.0.0.1:58536 #21 (1 connection now open)
2017-04-11T10:39:20.979+0000 I -        [conn21] AssertionException handling request, closing client connection: 17189 The server is configured to only allow SSL connections
2017-04-11T10:39:20.982+0000 I -        [conn21] end connection 127.0.0.1:58536 (1 connection now open)
2017-04-11T10:39:22.014+0000 I NETWORK  [thread1] connection accepted from 127.0.0.1:58538 #22 (1 connection now open)
2017-04-11T10:39:22.014+0000 I -        [conn22] AssertionException handling request, closing client connection: 17189 The server is configured to only allow SSL connections
2017-04-11T10:39:22.016+0000 I -        [conn22] end connection 127.0.0.1:58538 (1 connection now open)
2017-04-11T10:39:23.047+0000 I NETWORK  [thread1] connection accepted from 127.0.0.1:58540 #23 (1 connection now open)
2017-04-11T10:39:23.047+0000 I -        [conn23] AssertionException handling request, closing client connection: 17189 The server is configured to only allow SSL connections
2017-04-11T10:39:23.049+0000 I -        [conn23] end connection 127.0.0.1:58540 (1 connection now open)
2017-04-11T10:39:24.081+0000 I NETWORK  [thread1] connection accepted from 127.0.0.1:58542 #24 (1 connection now open)
2017-04-11T10:39:24.081+0000 I -        [conn24] AssertionException handling request, closing client connection: 17189 The server is configured to only allow SSL connections
2017-04-11T10:39:24.083+0000 I -        [conn24] end connection 127.0.0.1:58542 (1 connection now open)
2017-04-11T10:39:25.114+0000 I NETWORK  [thread1] connection accepted from 127.0.0.1:58544 #25 (1 connection now open)
2017-04-11T10:39:25.115+0000 I -        [conn25] AssertionException handling request, closing client connection: 17189 The server is configured to only allow SSL connections
2017-04-11T10:39:25.117+0000 I -        [conn25] end connection 127.0.0.1:58544 (1 connection now open)
2017-04-11T10:39:26.148+0000 I NETWORK  [thread1] connection accepted from 127.0.0.1:58546 #26 (1 connection now open)
2017-04-11T10:39:26.148+0000 I -        [conn26] AssertionException handling request, closing client connection: 17189 The server is configured to only allow SSL connections
2017-04-11T10:39:26.150+0000 I -        [conn26] end connection 127.0.0.1:58546 (1 connection now open)
2017-04-11T10:39:27.181+0000 I NETWORK  [thread1] connection accepted from 127.0.0.1:58548 #27 (1 connection now open)
2017-04-11T10:39:27.182+0000 I -        [conn27] AssertionException handling request, closing client connection: 17189 The server is configured to only allow SSL connections
2017-04-11T10:39:27.184+0000 I -        [conn27] end connection 127.0.0.1:58548 (1 connection now open)
2017-04-11T10:39:28.215+0000 I NETWORK  [thread1] connection accepted from 127.0.0.1:58550 #28 (1 connection now open)
2017-04-11T10:39:28.215+0000 I -        [conn28] AssertionException handling request, closing client connection: 17189 The server is configured to only allow SSL connections
2017-04-11T10:39:28.218+0000 I -        [conn28] end connection 127.0.0.1:58550 (1 connection now open)
2017-04-11T10:39:29.249+0000 I NETWORK  [thread1] connection accepted from 127.0.0.1:58552 #29 (1 connection now open)
2017-04-11T10:39:29.249+0000 I -        [conn29] AssertionException handling request, closing client connection: 17189 The server is configured to only allow SSL connections
2017-04-11T10:39:29.251+0000 I -        [conn29] end connection 127.0.0.1:58552 (1 connection now open)
2017-04-11T10:39:30.282+0000 I NETWORK  [thread1] connection accepted from 127.0.0.1:58554 #30 (1 connection now open)
2017-04-11T10:39:30.283+0000 I -        [conn30] AssertionException handling request, closing client connection: 17189 The server is configured to only allow SSL connections

error: mongod does not appear to have accepted connections quickly enough -- perhaps it had an error?

2017-04-11T10:39:30.285+0000 I -        [conn30] end connection 127.0.0.1:58554 (1 connection now open)


@yosifkit
Member

We added a fix in #167 to account for this; can you pull and see if the latest image works for you?

@kkdevenda and @thisismsreddy, unfortunately we don't yet have a good way to have the initdb.d/ additions from #145 work with a config file; you should be able to work around it by setting ENTRYPOINT [] and USER mongodb at the end of your Dockerfile, since that is what the previous entrypoint script provided.

@thisismsreddy

Hey @yosifkit, it seems the new image fixes this issue. It's working fine for me; I've also tested it with a swarm service and it's looking good.
Thanks.

@tianon
Member

tianon commented Apr 13, 2017

Indeed, this was fixed about as well as it can be without parsing config files in #167. 👍

Thanks for confirming, @thisismsreddy ❤️

@tianon tianon closed this as completed Apr 13, 2017