use x509 auth for replicas

rglover · rglover · commit bf432d3c2f75 · 2025-05-07T15:46:22.000-05:00
diff --git a/README.md b/README.md
@@ -297,7 +297,7 @@ The monitoring script sets up email alerts and a monitoring endpoint for your Mo
 
 ## Managing Replica Sets
 
-If you're setting up a replica set with multiple nodes, you'll need to add secondary nodes to the replica set.
+This deployment uses x509 certificate authentication for replica set members, providing enhanced security compared to the traditional keyFile authentication method.
 
 1. **Set up secondary nodes**:
 
@@ -311,17 +311,39 @@ If you're setting up a replica set with multiple nodes, you'll need to add secon
    sudo mkdir -p /etc/ssl/mongodb
    sudo cp /path/to/your/certificate.pem /etc/ssl/mongodb/certificate.pem
    sudo cp /path/to/your/ca_certificate.pem /etc/ssl/mongodb/certificate_authority.pem
+   sudo cp /path/to/your/replicas.pem /etc/ssl/mongodb/replicas.pem
    sudo chmod 600 /etc/ssl/mongodb/certificate.pem
    sudo chmod 600 /etc/ssl/mongodb/certificate_authority.pem
+   sudo chmod 600 /etc/ssl/mongodb/replicas.pem
    sudo chown mongodb:mongodb /etc/ssl/mongodb/certificate.pem
    sudo chown mongodb:mongodb /etc/ssl/mongodb/certificate_authority.pem
+   sudo chown mongodb:mongodb /etc/ssl/mongodb/replicas.pem
    
    # Configure TLS and set up monitoring
    ./provision_ssl.sh
    ./monitoring.sh secondary-node-domain.com
    ```
 
    The `provision_ssl.sh` script will automatically get the domain name from your config.json file and use it to configure the replica set.
+   
+   **Note about x509 Authentication**: This deployment uses x509 certificate authentication for replica set members instead of the traditional keyFile method. The x509 certificates provide stronger security and are more flexible for certificate rotation. 
+   
+   The replica certificate should be placed at `/etc/ssl/mongodb/replicas.pem` on each node. This file must contain both the certificate and its private key in PEM format, similar to the server certificate. The certificate should be signed by the same CA as the server certificate.
+   
+   Example of generating a replica certificate:
+   ```bash
+   # Generate private key
+   openssl genrsa -out replicas.key 2048
+   
+   # Generate CSR (Certificate Signing Request)
+   openssl req -new -key replicas.key -out replicas.csr -subj "/CN=mongodb-replicas"
+   
+   # Sign with your CA
+   openssl x509 -req -in replicas.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out replicas.crt -days 7300 -sha256
+   
+   # Combine certificate and key into a single PEM file
+   cat replicas.crt replicas.key > replicas.pem
+   ```
 
 2. **Add secondary nodes to the replica set**:
 
diff --git a/bootstrap.sh b/bootstrap.sh
@@ -54,9 +54,9 @@ if [ -z "$MONGO_PORT" ] || [ "$MONGO_PORT" == "null" ]; then
 fi
 MONGO_VERSION=8.0
 MONGO_CONF="/etc/mongod.conf"
-MONGO_KEYFILE="/etc/mongo-keyfile"
 LOG_FILE="/var/log/mongodb/mongod.log"
 BACKUP_SCRIPT="/usr/local/bin/mongo_backup.sh"
+REPLICA_CERT="/etc/ssl/mongodb/replicas.pem"
 
 # NOTE: Install MongoDB 8.0.
 curl -fsSL https://www.mongodb.org/static/pgp/server-8.0.asc | sudo gpg -o /usr/share/keyrings/mongodb-server-8.0.gpg --dearmor
@@ -71,12 +71,9 @@ echo "deb [ arch=amd64,arm64 signed-by=/usr/share/keyrings/mongodb-server-8.0.gp
 sudo apt update
 sudo apt install -y mongodb-org
 
-# NOTE: Create Mongo keyfile if missing.
-if [ ! -f "$MONGO_KEYFILE" ]; then
-  echo "$REPLICA_SET_KEY" > "$MONGO_KEYFILE"
-  chmod 400 "$MONGO_KEYFILE"
-  chown mongodb:mongodb "$MONGO_KEYFILE"
-fi
+# NOTE: We'll use x509 certificates for internal authentication instead of keyFile
+echo "MongoDB will use x509 certificates for internal authentication"
+echo "Make sure to place your replica certificate at $REPLICA_CERT"
 
 # NOTE: First create a MongoDB config without authentication and without replication
 cat <<EOF | sudo tee $MONGO_CONF
@@ -142,7 +139,6 @@ net:
   bindIp: 127.0.0.1
 security:
   authorization: enabled
-  keyFile: $MONGO_KEYFILE
 EOF
 
 # Restart MongoDB with authentication enabled
@@ -351,5 +347,6 @@ echo "Next steps:"
 echo "1. Place your private CA certificates at:"
 echo "   - /etc/ssl/mongodb/certificate.pem"
 echo "   - /etc/ssl/mongodb/certificate_authority.pem"
+echo "   - /etc/ssl/mongodb/replicas.pem (for x509 authentication between replica set members)"
 echo "2. Run ./provision_ssl.sh to configure MongoDB to use the certificates."
 echo "3. Run ./monitoring.sh $DOMAIN to set up monitoring and alerts."
diff --git a/provision_ssl.sh b/provision_ssl.sh
@@ -50,7 +50,16 @@ if [ -f "$MONGO_CONF" ]; then
     if grep -q "net:" "$MONGO_CONF" && ! grep -q "  tls:" "$MONGO_CONF"; then
       # Add TLS configuration under existing net section (requiring client certificates)
       echo "Adding TLS configuration to existing net section..."
-      sudo sed -i '/net:/a\  tls:\n    mode: requireTLS\n    certificateKeyFile: '"$CERT_FILE"'\n    CAFile: '"$CA_FILE"'' "$MONGO_CONF"
+      
+      # Check if replica certificate exists
+      REPLICA_CERT="/etc/ssl/mongodb/replicas.pem"
+      if [ -f "$REPLICA_CERT" ]; then
+        echo "Using replica certificate for x509 authentication..."
+        sudo sed -i '/net:/a\  tls:\n    mode: requireTLS\n    certificateKeyFile: '"$CERT_FILE"'\n    CAFile: '"$CA_FILE"'\n    clusterFile: '"$REPLICA_CERT"'' "$MONGO_CONF"
+      else
+        echo "Replica certificate not found, using standard TLS configuration..."
+        sudo sed -i '/net:/a\  tls:\n    mode: requireTLS\n    certificateKeyFile: '"$CERT_FILE"'\n    CAFile: '"$CA_FILE"'' "$MONGO_CONF"
+      fi
       
       # Update bindIp to listen on all interfaces
       echo "Updating bindIp to listen on all interfaces..."
@@ -61,6 +70,17 @@ if [ -f "$MONGO_CONF" ]; then
       sudo sed -i '/tls:/,/[a-z]/ s|certificateKeyFile:.*|certificateKeyFile: '"$CERT_FILE"'|' "$MONGO_CONF"
       sudo sed -i '/tls:/,/[a-z]/ s|CAFile:.*|CAFile: '"$CA_FILE"'|' "$MONGO_CONF"
       
+      # Check if replica certificate exists
+      REPLICA_CERT="/etc/ssl/mongodb/replicas.pem"
+      if [ -f "$REPLICA_CERT" ]; then
+        echo "Using replica certificate for x509 authentication..."
+        if grep -q "clusterFile:" "$MONGO_CONF"; then
+          sudo sed -i '/clusterFile:/c\    clusterFile: '"$REPLICA_CERT"'' "$MONGO_CONF"
+        else
+          sudo sed -i '/CAFile:/a\    clusterFile: '"$REPLICA_CERT"'' "$MONGO_CONF"
+        fi
+      fi
+      
       # Remove any relaxed security settings if they exist
       sudo sed -i '/allowConnectionsWithoutCertificates:/d' "$MONGO_CONF"
       sudo sed -i '/allowInvalidHostnames:/d' "$MONGO_CONF"
@@ -72,7 +92,16 @@ if [ -f "$MONGO_CONF" ]; then
     elif ! grep -q "net:" "$MONGO_CONF"; then
       # Add net section with TLS configuration
       echo "Adding new net section with TLS configuration..."
-      echo -e "\nnet:\n  bindIp: 0.0.0.0\n  tls:\n    mode: requireTLS\n    certificateKeyFile: $CERT_FILE\n    CAFile: $CA_FILE" | sudo tee -a "$MONGO_CONF"
+      
+      # Check if replica certificate exists
+      REPLICA_CERT="/etc/ssl/mongodb/replicas.pem"
+      if [ -f "$REPLICA_CERT" ]; then
+        echo "Using replica certificate for x509 authentication..."
+        echo -e "\nnet:\n  bindIp: 0.0.0.0\n  tls:\n    mode: requireTLS\n    certificateKeyFile: $CERT_FILE\n    CAFile: $CA_FILE\n    clusterFile: $REPLICA_CERT" | sudo tee -a "$MONGO_CONF"
+      else
+        echo "Replica certificate not found, using standard TLS configuration..."
+        echo -e "\nnet:\n  bindIp: 0.0.0.0\n  tls:\n    mode: requireTLS\n    certificateKeyFile: $CERT_FILE\n    CAFile: $CA_FILE" | sudo tee -a "$MONGO_CONF"
+      fi
     fi
     
     # Remove any old SSL configuration if it exists
@@ -82,6 +111,43 @@ if [ -f "$MONGO_CONF" ]; then
     fi
   fi
   
+  # Check for replica certificate
+  REPLICA_CERT="/etc/ssl/mongodb/replicas.pem"
+  if [ ! -f "$REPLICA_CERT" ]; then
+    echo "⚠️ WARNING: Replica certificate not found at $REPLICA_CERT"
+    echo "Please ensure the replica certificate is placed at $REPLICA_CERT before running this script."
+    echo "This certificate is required for x509 authentication between replica set members."
+  else
+    echo "✅ Replica certificate found at $REPLICA_CERT"
+    # Ensure proper permissions
+    sudo chmod 600 "$REPLICA_CERT"
+    sudo chown mongodb:mongodb "$REPLICA_CERT"
+  fi
+  
+  # Configure x509 authentication for replica set members
+  REPLICA_CERT="/etc/ssl/mongodb/replicas.pem"
+  if [ -f "$REPLICA_CERT" ]; then
+    echo "Configuring x509 authentication for replica set members..."
+    
+    # Check if security section exists
+    if grep -q "security:" "$MONGO_CONF"; then
+      # Add x509 authentication to existing security section
+      if ! grep -q "clusterAuthMode:" "$MONGO_CONF"; then
+        sudo sed -i '/security:/a\  clusterAuthMode: x509' "$MONGO_CONF"
+      else
+        sudo sed -i '/clusterAuthMode:/c\  clusterAuthMode: x509' "$MONGO_CONF"
+      fi
+    else
+      # Add security section with x509 authentication
+      echo -e "\nsecurity:\n  authorization: enabled\n  clusterAuthMode: x509" | sudo tee -a "$MONGO_CONF"
+    fi
+    
+    echo "✅ x509 authentication configured for replica set members"
+  else
+    echo "⚠️ WARNING: Replica certificate not found at $REPLICA_CERT"
+    echo "x509 authentication for replica set members will not be configured."
+  fi
+  
   # Add or update replication section
   if grep -q "replication:" "$MONGO_CONF"; then
     echo "Updating existing replication configuration..."
