Assuming you already have an SSL/TLS certificate and private key (if not, read how to generate one for free). All examples below assume the certificate, chain and private key are in the /etc/nginx/ssl/ directory.
Get one from here, or copy-paste from below to /etc/nginx/ssl/ca.crt:
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
Note: the newline "\n" at the end of the file is important.
Append the Let's Encrypt chain:
# In the /etc/nginx/ssl/ directory
# cd /etc/nginx/ssl/
cat chain.pem >> ca.crt
# Go to the folder with the certificates,
# for example /etc/nginx/ssl/, and concatenate
# the private key and certificate into one PEM file
cat privkey.pem cert.pem > mongodb.pem
Verify:
openssl verify -CAfile ca.crt mongodb.pem
# Move the concatenated cert & chain to a
# mongodb-owned directory,
# for example /data/mongo/
mv /etc/nginx/ssl/mongodb.pem /data/mongo/
mv /etc/nginx/ssl/ca.crt /data/mongo/
# Secure files:
chown mongodb:mongodb /data/mongo/mongodb.pem
chmod 400 /data/mongo/mongodb.pem
chown mongodb:mongodb /data/mongo/ca.crt
chmod 400 /data/mongo/ca.crt
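The steps above only work if the bundle really contains the key plus the certificate, ca.crt contains only certificates, every file ends with a newline, and the permissions are as tight as the chmod 400 above. The following pre-flight checker is an added example (not part of the original gist) that verifies exactly those points; the PEM blocks it builds are constructed placeholders, not real key material, and the file names and the demo() helper are assumptions. It complements, not replaces, `openssl verify -CAfile ca.crt mongodb.pem`.

```python
"""Pre-flight checks for the MongoDB TLS bundle (mongodb.pem) and CA file (ca.crt).

Added example, not from the original gist. Checks: exactly one private key and a
certificate in the bundle, only certificates in ca.crt, a trailing newline in
every file, and file modes no wider than 0400.
"""
import os
import re
import stat
import tempfile

# One PEM block: "-----BEGIN X-----", body, "-----END X-----" with a matching label.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\n.*?\n-----END \1-----", re.S)

# Constructed placeholder blocks (base64 of "ABC"); NOT real key or certificate data.
DUMMY_KEY = "-----BEGIN PRIVATE KEY-----\nQUJD\n-----END PRIVATE KEY-----\n"
DUMMY_CERT = "-----BEGIN CERTIFICATE-----\nQUJD\n-----END CERTIFICATE-----\n"


def pem_labels(text):
    """Return the labels of the PEM blocks in `text`, in file order."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]


def check_file(path, max_mode):
    """Checks shared by both files: trailing newline and permission bits."""
    problems = []
    with open(path, "rb") as fh:
        data = fh.read()
    if not data.endswith(b"\n"):
        problems.append(f"{path}: missing trailing newline")
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & ~max_mode:  # any bit set beyond the allowed mode (e.g. group/other read)
        problems.append(f"{path}: mode {mode:04o} is wider than {max_mode:04o}")
    return problems, data.decode()


def check_bundle(pem_path, ca_path, max_mode=0o400):
    """Return a list of problems; an empty list means the bundle passed."""
    problems, pem_text = check_file(pem_path, max_mode)
    ca_problems, ca_text = check_file(ca_path, max_mode)
    problems += ca_problems

    labels = pem_labels(pem_text)
    keys = [lbl for lbl in labels if lbl.endswith("PRIVATE KEY")]
    if len(keys) != 1:
        problems.append(f"{pem_path}: expected exactly one private key, found {len(keys)}")
    if "CERTIFICATE" not in labels:
        problems.append(f"{pem_path}: no certificate block")

    ca_labels = pem_labels(ca_text)
    if not ca_labels or any(lbl != "CERTIFICATE" for lbl in ca_labels):
        problems.append(f"{ca_path}: must contain only CERTIFICATE blocks")
    return problems


def write_with_mode(path, text, mode):
    """Write `text` to `path` and apply `mode`, as chmod would."""
    with open(path, "w") as fh:
        fh.write(text)
    os.chmod(path, mode)


def demo():
    """Build one good and one broken bundle in a temp dir; return both check results."""
    d = tempfile.mkdtemp()
    good_pem = os.path.join(d, "mongodb.pem")
    ca = os.path.join(d, "ca.crt")
    bad_pem = os.path.join(d, "bad.pem")
    write_with_mode(good_pem, DUMMY_KEY + DUMMY_CERT, 0o400)  # like: cat privkey.pem cert.pem
    write_with_mode(ca, DUMMY_CERT + DUMMY_CERT, 0o400)       # cert with the chain appended
    # Broken on purpose: no private key, no trailing newline, mode 0644.
    write_with_mode(bad_pem, DUMMY_CERT.rstrip("\n"), 0o644)
    return check_bundle(good_pem, ca), check_bundle(bad_pem, ca)


if __name__ == "__main__":
    good, bad = demo()
    print("good bundle:", good or "OK")
    print("bad bundle:", *bad, sep="\n  ")
```

Run it against the real files with `check_bundle("/data/mongo/mongodb.pem", "/data/mongo/ca.crt")` after the chown/chmod step; the mode check is deliberately stricter than "readable", because the bundle holds the private key.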
Assuming the main mongo configuration is at /etc/mongod.conf:
# nano /etc/mongod.conf
net:
  ssl:
    mode: requireSSL
    PEMKeyFile: /data/mongo/mongodb.pem
    CAFile: /data/mongo/ca.crt
Note: the same can be accomplished with mongod command-line flags:
mongod --sslMode requireSSL --sslPEMKeyFile <pem>
Check logs for errors:
tail -n 50 -f /var/log/mongodb/mongod.log
# Ctrl+C to exit the tail command
Connect with the mongo shell:
mongo mongodb://[hostname]:[PORT]/ --ssl --sslPEMKeyFile=/etc/nginx/ssl/mongodb.pem
// Note: the file "mongodb.pem" must be readable by the Node process:
// make sure the parent folder and the file have 404 or higher permissions
const fs = require('fs');
const { MongoClient } = require('mongodb');

MongoClient.connect('mongodb://[hostname]:[PORT]/?ssl=true', {
  ssl: true,
  sslKey: fs.readFileSync('/path/to/mongodb.pem'),   // the bundle holds the private key...
  sslCert: fs.readFileSync('/path/to/mongodb.pem'),  // ...and the certificate
  sslValidate: true                                   // verify the server's certificate
}, (mongoErr, db) => {
  /* .... */
});
- gist by @leommoore
- Read the official MongoDB reference for more info.