cannot read certificate file: /root/ssl/mongodb.pem (MongoDB SSL issue)
I am unable to restart my mongodb service. On checking the logs at /var/log/mongodb/mongod.log I get the following error:
cannot read certificate file: /root/ssl/mongodb.pem error:0200100D:system library:fopen:Permission denied
2019-11-23T17:04:27.679+0000 F CONTROL [main] Failed global initialization: InvalidSSLConfiguration: Can not set up PEM key file.
My /etc/mongod.conf looks like:

```yaml
# mongod.conf

# for documentation of all options, see:
#   http://docs.mongodb.org/manual/reference/configuration-options/

# Where and how to store data.
storage:
  dbPath: /var/lib/mongodb
  journal:
    enabled: true
#  engine:
#  mmapv1:
#  wiredTiger:

# where to write logging data.
systemLog:
  destination: file
  logAppend: true
  path: /var/log/mongodb/mongod.log

# network interfaces
net:
  port: 27017
  bindIp: 127.0.0.1
  tls:
    mode: requireTLS
    certificateKeyFile: /root/ssl/mongodb.pem

# how the process runs
processManagement:
  timeZoneInfo: /usr/share/zoneinfo

#security:

#operationProfiling:

#replication:

#sharding:

## Enterprise-Only Options:

#auditLog:

#snmp:
```
The permissions for the /root/ssl/ folder are:
-rw-rw-r-- 1 mongodb mongodb 1354 Nov 23 16:22 mongodb.crt
-rw-rw-r-- 1 mongodb mongodb 1082 Nov 23 16:22 mongodb.csr
-rw-rw-r-- 1 mongodb mongodb 1679 Nov 23 16:21 mongodb.key
-rw-rw-rw- 1 mongodb mongodb 3033 Nov 23 16:22 mongodb.pem
-rw-rw-r-- 1 mongodb mongodb 1751 Nov 23 16:20 rootCA.key
-rw-rw-r-- 1 mongodb mongodb 1472 Nov 23 16:21 rootCA.pem
-rw-rw-r-- 1 mongodb mongodb 17 Nov 23 16:22 rootCA.srl
Ubuntu 16.04 LTS
MongoDB: 4.2
Solution 1:[1]
The root folder usually has the following permissions:
drwx------ 5 root root 4096 Nov 25 15:32 root/
which means the user mongodb cannot access it in the first place.
My advice is to move the files in the /root/ssl folder to /etc/ssl/mongodb/ and update the mongod.conf file accordingly.
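Added example, not part of either answer: a POSIX shell check that walks every directory on the way to the certificate file and reports the first component that would stop a given user from reaching it, which is exactly how a drwx------ /root blocks the mongodb user even though mongodb.pem itself is readable. It assumes GNU stat (Linux) and only considers the user's primary group, not supplementary groups.

```sh
#!/bin/sh
# path_access_check USER GROUP FILE
# Reports the first path component whose mode denies USER (primary group
# GROUP) search access to a directory or read access to FILE, mirroring the
# kernel's owner/group/other bit test. Exit 1 on denial, 0 when readable.
path_access_check() {
    user=$1; group=$2; target=$3
    # collect components from the top-level directory down to the file
    set -- "$target"
    dir=$(dirname "$target")
    while [ "$dir" != "/" ] && [ "$dir" != "." ]; do
        set -- "$dir" "$@"
        dir=$(dirname "$dir")
    done
    for comp in "$@"; do
        info=$(stat -c '%U %G %a' "$comp") || return 2
        owner=${info%% *}
        rest=${info#* }
        grp=${rest%% *}
        mode=${rest#* }
        mode=${mode#${mode%???}}          # keep the low three octal digits
        # pick the permission triplet the kernel would apply to USER
        if [ "$owner" = "$user" ]; then
            digit=${mode%??}
        elif [ "$grp" = "$group" ]; then
            digit=${mode#?}; digit=${digit%?}
        else
            digit=${mode#??}
        fi
        # directories need the search bit (x=1); the file needs read (r=4)
        if [ -d "$comp" ]; then need=1; what=search; else need=4; what=read; fi
        if [ $(( digit & need )) -eq 0 ]; then
            echo "DENIED at $comp: mode $mode owner $owner:$grp gives $user no $what permission"
            return 1
        fi
    done
    echo "OK: $user can read $target"
    return 0
}

# run directly as: sh path_access_check.sh mongodb mongodb /root/ssl/mongodb.pem
if [ "$#" -eq 3 ]; then path_access_check "$@"; fi
```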
Solution 2:[2]
I've had this same problem and was confused because they expect a single file.
As you can see, you link the .pem but not the private key.
Just concatenate them (cat priv.key >> cert.pem); for me it started working right away.
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | Ouss |
| Solution 2 | Minsky |
