LetsEncrypt SSL Certificate Validation Failed with MongoDB

A little background...my certificate is a LetsEncrypt.org SSL certificate issued with Certbot. I'm running Nginx 1.12.2, and I'm able to properly access my website using https:// so I believe that portion is configured properly. My web server is running Ubuntu 16.04 and MongoDB 3.6.3.

I have tried many configurations and while I can connect to my MongoDB just fine using Compass (the official MongoDB GUI) without the SSL option, attempts to connect with SSL result in a Could not connect to MongoDB on the provided host and port error message. Running mongo -ssl --sslPEMKeyFile /etc/ssl/mongo.pem on my server results in the following error:

MongoDB shell version v3.6.3
connecting to: mongodb://127.0.0.1:27017
2018-06-12T16:51:10.756+0000 E NETWORK  [thread1] SSL peer certificate validation failed: unable to get local issuer certificate
2018-06-12T16:51:10.757+0000 E QUERY    [thread1] Error: socket exception [CONNECT_ERROR] for SSL peer certificate validation failed: unable to get local issuer certificate :
connect@src/mongo/shell/mongo.js:251:13
@(connect):1:6
exception: connect failed

My /var/log/mongodb/mongod.log shows the following which corresponds to the error above:

2018-06-12T16:51:10.755+0000 I NETWORK  [listener] connection accepted from 127.0.0.1:47792 #8 (2 connections now open)
2018-06-12T16:51:10.757+0000 I NETWORK  [conn8] end connection 127.0.0.1:47792 (1 connection now open)

My /etc/mongod.conf contains the following (I've commented out the CAFile parameter as I've read this is optional for now [source: https://stackoverflow.com/a/33926129/2969615 ]; note that I get mongo.pem: OK when running the openssl verify -CAfile /etc/ca.pem /etc/mongo.pem command, so I believe mongo.pem is properly set up):

# network interfaces
net:
  port: 27017
  bindIp: 0.0.0.0
  ssl:
    mode: allowSSL
    PEMKeyFile: /etc/ssl/mongo.pem
    # CAFile: /etc/ssl/ca.pem

I've created my mongo.pem file by referring to the following: https://serverfault.com/a/878457 ...I have tried the certificate in the instructions as well as both X3 intermediate certificates available at https://letsencrypt.org/certificates/ to no avail.

Any help would be greatly appreciated.



Solution 1:

Very late to the party, but just in case it helps someone. I am running MongoDB inside Docker with the official mongo image, and Compass from another Docker image. For the server I use:

docker run -it --name data.domain.com --network docker_network -v /path/to/ssl:/ssl:ro -e MONGO_INITDB_ROOT_USERNAME=admin -e MONGO_INITDB_ROOT_PASSWORD=pass mongo --tlsMode requireTLS --tlsCertificateKeyFile /ssl/fullchain-key.pem --tlsCAFile /etc/ssl/certs/ISRG_Root_X1.pem 
  • fullchain-key.pem is 'cat fullchain.pem privkey.pem > fullchain-key.pem'
  • the Docker container name or server name must match the certificate name

For Compass I use:

(two screenshots of the Compass connection settings, not reproduced here)

The server has its own certificate, and Compass does as well.
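The error in the question and the fix in the answer both come down to chain building: the mongo shell had only the server's leaf certificate to work with and no intermediate, so OpenSSL could not link it to a trusted root. The script below is an added example, not code from either post. It builds a throwaway root / intermediate / leaf PKI of the same shape as Let's Encrypt's (ISRG Root X1 -> R3 or X3 -> the server certificate), reproduces "unable to get local issuer certificate" with the leaf alone, then verifies the leaf the way a client holding fullchain.pem would, checks the name the client connects to against the certificate (the answer's "name must match" bullet), and confirms that the private key belongs to the certificate in the combined PEM file. The names data.example.com and compass.example.com, the file names and the demo CA are all constructed for the example; the only real tools used are openssl and standard shell utilities.

```shell
#!/bin/sh
# Added example (not from the question or the answer). Builds a throwaway
# root -> intermediate -> leaf PKI, the same shape as Let's Encrypt's
# ISRG Root X1 -> R3/X3 -> server certificate, reproduces the mongo shell's
# "unable to get local issuer certificate", and shows the checks that a
# correct PEMKeyFile / fullchain-key.pem passes. Every name below is made up.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Extensions: CA certificates must say so; the server certificate carries the
# name clients connect to as a subjectAltName (what -verify_hostname checks).
cat > ca.ext <<'EOF'
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
EOF
cat > leaf.ext <<'EOF'
basicConstraints=CA:FALSE
keyUsage=digitalSignature
extendedKeyUsage=serverAuth
subjectAltName=DNS:data.example.com
EOF

# issue NAME SUBJECT EXTFILE [ISSUER]: P-256 key plus certificate, self-signed
# when ISSUER is omitted, otherwise signed with ISSUER.key.
issue() {
    name=$1; subject=$2; extfile=$3; issuer=${4:-}
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$name.key" 2>/dev/null
    openssl req -new -key "$name.key" -subj "$subject" -out "$name.csr" 2>/dev/null
    if [ -z "$issuer" ]; then
        openssl x509 -req -sha256 -in "$name.csr" -signkey "$name.key" -days 2 \
            -extfile "$extfile" -out "$name.pem" 2>/dev/null
    else
        openssl x509 -req -sha256 -in "$name.csr" -CA "$issuer.pem" -CAkey "$issuer.key" \
            -CAcreateserial -days 2 -extfile "$extfile" -out "$name.pem" 2>/dev/null
    fi
}

build_demo_pki() {
    issue root "/CN=Demo Root X1" ca.ext
    issue int  "/CN=Demo Intermediate R3" ca.ext root
    issue leaf "/CN=data.example.com" leaf.ext int
    # certbot's layout: cert.pem = leaf, chain.pem = intermediate,
    # fullchain.pem = leaf + intermediate. MongoDB's PEMKeyFile (the answer's
    # fullchain-key.pem) is fullchain.pem followed by the private key.
    cat leaf.pem int.pem > fullchain.pem
    cat fullchain.pem leaf.key > mongo.pem
}

# verify_against_root FILE [openssl verify options]: chain FILE to the demo
# root; prints openssl's verdict, returns 0 on OK and 1 on any failure.
verify_against_root() {
    file=$1; shift
    if openssl verify -CAfile root.pem "$@" "$file" 2>&1; then
        return 0
    fi
    return 1
}

# key_matches_cert CERT KEY: the public key inside CERT must equal KEY's.
key_matches_cert() {
    [ "$(openssl x509 -noout -pubkey -in "$1")" = "$(openssl pkey -pubout -in "$2")" ]
}

# pem_layout FILE: how many certificates and private keys the PEM file holds.
pem_layout() {
    printf '%s certificates, %s private key\n' \
        "$(grep -c -- '-----BEGIN CERTIFICATE-----' "$1")" \
        "$(grep -c -- '-----BEGIN .*PRIVATE KEY-----' "$1")"
}

build_demo_pki

echo "1. leaf only, no intermediate available (the situation in the question):"
verify_against_root leaf.pem || true   # fails: unable to get local issuer certificate

echo "2. leaf with the intermediate from fullchain.pem supplied as untrusted:"
verify_against_root leaf.pem -untrusted fullchain.pem

echo "3. same chain, plus the name the client will connect to:"
verify_against_root leaf.pem -untrusted fullchain.pem -verify_hostname data.example.com

echo "4. contents of mongo.pem and key/certificate agreement:"
pem_layout mongo.pem
if key_matches_cert leaf.pem leaf.key; then
    echo "private key matches certificate"
else
    echo "private key does NOT match certificate"
fi
```

Two things worth knowing when reading the output against the question. First, `openssl verify` validates only the first certificate in the file you hand it, so "mongo.pem: OK" shows that the leaf chains to whatever ca.pem holds; it says nothing about whether mongo.pem also carries the intermediate that a client needs, which is why step 2 passes the intermediate explicitly with `-untrusted`. Second, the error in the question is raised by the mongo shell while it validates the server's certificate, so it is the client's trust store together with the chain the server sends (the certificate part of the PEMKeyFile) that must fit together; the answer's fullchain-key.pem, built from certbot's fullchain.pem rather than cert.pem, is what completes that chain.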

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow