ensure that proper flags are passed after tls is enabled

ensure that order of ops is respected re: mongod.conf

Author: rglover

README.md

@@ -162,24 +162,83 @@ The provision_ssl script configures MongoDB to use pre-generated private CA cert
 
    Replace `/path/to/your/certificate.pem` and `/path/to/your/ca_certificate.pem` with the actual paths to your certificate files.
 
-2. **Run the TLS provisioning script**:
+2. **Generate a client certificate** (required for connecting to MongoDB):
+
+   You'll need to create a client certificate signed by the same CA that signed your server certificate. If you're using the certificate generation script from the repository, you can add a function to generate client certificates:
+
+   ```javascript
+   const generate_client_certificate = (client_name) => {
+     const ca_key = 'ca.key';
+     const ca_crt = 'ca.crt';
+     const client_key = `${client_name}.key`;
+     const client_csr = `${client_name}.csr`;
+     const client_crt = `${client_name}.crt`;
+     const client_pem = `${client_name}.pem`;
+     
+     // Generate client key
+     execSync(`openssl genrsa -out ${client_key} 2048`);
+     
+     // Generate CSR
+     execSync(`openssl req -new -key ${client_key} -out ${client_csr} -subj "/CN=${client_name}"`);
+     
+     // Sign with CA
+     execSync(`openssl x509 -req -in ${client_csr} -CA ${ca_crt} -CAkey ${ca_key} -CAcreateserial -out ${client_crt} -days 7300 -sha256`);
+     
+     // Create combined PEM file
+     const crtContent = fs.readFileSync(client_crt);
+     const keyContent = fs.readFileSync(client_key);
+     fs.writeFileSync(client_pem, Buffer.concat([crtContent, keyContent]));
+     
+     return client_pem;
+   };
+   ```
+
+3. **Run the TLS provisioning script**:
 
    ```bash
    ./provision_ssl.sh
    ```
 
-3. **What the provision_ssl script does**:
+4. **What the provision_ssl script does**:
    - Checks for the existence of the certificate files
    - Updates the MongoDB configuration to use TLS with proper settings
    - Configures MongoDB to allow connections from outside the server (bindIp: 0.0.0.0)
+   - Adds the replica set configuration
+   - Initializes the replica set using the domain name from config.json
    - Restarts MongoDB with the new TLS configuration
 
-3. **Verify TLS is working**:
+5. **Connecting to MongoDB with client certificates**:
+
+   After running provision_ssl.sh, you must use client certificates to connect:
+
+   ```bash
+   mongosh --host your-domain.com --port $MONGO_PORT --tls --tlsCAFile /etc/ssl/mongodb/certificate_authority.pem --tlsCertificateKeyFile /etc/ssl/mongodb/client.pem -u admin -p your_password --authenticationDatabase admin
+   ```
+
+   Ensure the client certificate exists at `/etc/ssl/mongodb/client.pem`.
+
+   **For GUI tools like Studio 3T**:
+   
+   You'll need to configure the connection to use:
+   - TLS/SSL enabled
+   - CA file: `/etc/ssl/mongodb/certificate_authority.pem`
+   - Client certificate: Your generated client.pem file
+   - Authentication: Username/Password with admin database
 
-   The script will verify that MongoDB is running with TLS. You can also check manually:
+   **For application connections**:
+   
+   In your application code, you'll need to specify both the CA file and client certificate:
+   
+   ```
+   mongodb://admin:[email protected]:27017/?tls=true&tlsCAFile=/etc/ssl/mongodb/certificate_authority.pem&tlsCertificateKeyFile=/etc/ssl/mongodb/client.pem&authSource=admin
+   ```
+
+6. **Verify TLS is working**:
+
+   The script will attempt to verify that MongoDB is running with TLS. You can also check manually, but remember you'll need to use your client certificate:
 
    ```bash
-   sudo mongosh --host your-domain.com --port $MONGO_PORT --tls -u admin -p your_password --authenticationDatabase admin --eval "db.adminCommand({ getParameter: 1, tlsMode: 1 })"
+   mongosh --host your-domain.com --port $MONGO_PORT --tls --tlsCAFile /etc/ssl/mongodb/certificate_authority.pem --tlsCertificateKeyFile /etc/ssl/mongodb/client.pem -u admin -p your_password --authenticationDatabase admin --eval "db.adminCommand({ getParameter: 1, tlsMode: 1 })"
    ```
 
    Replace `$MONGO_PORT` with the port you specified in config.json.
@@ -304,7 +363,7 @@ Example output:
   ],
   "tls_enabled": true,
   "replica_set": "rs0",
-  "connection_string": "mongodb://admin:[email protected]:27017,mdb2.example.com:27017/?tls=true&authSource=admin&replicaSet=rs0"
+  "connection_string": "mongodb://admin:[email protected]:27017,mdb2.example.com:27017/?tls=true&tlsCAFile=/etc/ssl/mongodb/certificate_authority.pem&tlsCertificateKeyFile=/etc/ssl/mongodb/client.pem&authSource=admin&replicaSet=rs0"
 }
 ```
 
@@ -315,10 +374,10 @@ For security best practices, you should regularly rotate the MongoDB admin passw
 1. **Connect to the primary node**:
 
    ```bash
-   mongosh --host your-domain.com --port $MONGO_PORT --tls -u admin -p current_password --authenticationDatabase admin
+   mongosh --host your-domain.com --port $MONGO_PORT --tls --tlsCAFile /etc/ssl/mongodb/certificate_authority.pem --tlsCertificateKeyFile /etc/ssl/mongodb/client.pem -u admin -p current_password --authenticationDatabase admin
    ```
 
-   Replace `$MONGO_PORT` with the port you specified in config.json, and `current_password` with your current password.
+   Replace `$MONGO_PORT` with the port you specified in config.json and `current_password` with your current password.
 
 2. **Change the admin user's password**:
 
@@ -341,9 +400,9 @@ For security best practices, you should regularly rotate the MongoDB admin passw
 4. **Verify the new password**:
 
    ```bash
-   mongosh --host your-domain.com --port $MONGO_PORT --tls -u admin -p new_secure_password --authenticationDatabase admin --eval "db.adminCommand('ping')"
+   mongosh --host your-domain.com --port $MONGO_PORT --tls --tlsCAFile /etc/ssl/mongodb/certificate_authority.pem --tlsCertificateKeyFile /etc/ssl/mongodb/client.pem -u admin -p new_secure_password --authenticationDatabase admin --eval "db.adminCommand('ping')"
    ```
-
+   
    You should see a successful response with `{ ok: 1 }`.
 
 5. **Password Rotation Schedule**:
@@ -408,7 +467,7 @@ If you encounter issues during the setup process, here are some common troublesh
 4. **Test MongoDB connection with TLS**:
 
    ```bash
-   sudo mongosh --host your-domain.com --port $MONGO_PORT --tls -u admin -p your_password --authenticationDatabase admin
+   mongosh --host your-domain.com --port $MONGO_PORT --tls --tlsCAFile /etc/ssl/mongodb/certificate_authority.pem --tlsCertificateKeyFile /etc/ssl/mongodb/client.pem -u admin -p your_password --authenticationDatabase admin
    ```
 
    Replace `$MONGO_PORT` with the port you specified in config.json and `your-domain.com` with your actual domain name.

bootstrap.sh

@@ -91,6 +91,16 @@ net:
   bindIp: 127.0.0.1
 EOF
 
+# Ensure MongoDB can resolve its own domain name
+echo "Checking if domain is in /etc/hosts..."
+if ! grep -q "$DOMAIN" /etc/hosts; then
+  echo "Adding $DOMAIN to /etc/hosts..."
+  echo "127.0.1.1 $DOMAIN" | sudo tee -a /etc/hosts
+  echo "Added $DOMAIN to /etc/hosts"
+else
+  echo "Domain $DOMAIN already in /etc/hosts"
+fi
+
 # Store the replica set name for provision_ssl.sh to use later
 echo "$REPLICA_SET" > /tmp/mongodb_replica_set
 

connection_info.sh

@@ -98,7 +98,9 @@ rm $TEMP_FILE
 
 # Build connection string
 if [ "$TLS_ENABLED" = true ]; then
-  CONNECTION_STRING="mongodb://$DB_USERNAME:$DB_PASSWORD@$(echo $HOSTS_JSON | jq -r 'map(.hostname + ":" + .port) | join(",")' || echo "$CONNECTION_DOMAIN:$MONGO_PORT")/?tls=true&authSource=admin&replicaSet=$REPLICA_SET"
+  CONNECTION_STRING="mongodb://$DB_USERNAME:$DB_PASSWORD@$(echo $HOSTS_JSON | jq -r 'map(.hostname + ":" + .port) | join(",")' || echo "$CONNECTION_DOMAIN:$MONGO_PORT")/?tls=true&tlsCAFile=$CA_FILE&tlsCertificateKeyFile=/etc/ssl/mongodb/client.pem&authSource=admin&replicaSet=$REPLICA_SET"
+  echo "NOTE: The connection string includes client certificate path."
+  echo "      Ensure the client certificate exists at /etc/ssl/mongodb/client.pem"
 else
   CONNECTION_STRING="mongodb://$DB_USERNAME:$DB_PASSWORD@$(echo $HOSTS_JSON | jq -r 'map(.hostname + ":" + .port) | join(",")' || echo "$CONNECTION_DOMAIN:$MONGO_PORT")/?authSource=admin&replicaSet=$REPLICA_SET"
 fi

provision_ssl.sh

@@ -48,7 +48,7 @@ if [ -f "$MONGO_CONF" ]; then
   else
     # Check if net section already exists
     if grep -q "net:" "$MONGO_CONF" && ! grep -q "  tls:" "$MONGO_CONF"; then
-      # Add TLS configuration under existing net section
+      # Add TLS configuration under existing net section (requiring client certificates)
       echo "Adding TLS configuration to existing net section..."
       sudo sed -i '/net:/a\  tls:\n    mode: requireTLS\n    certificateKeyFile: '"$CERT_FILE"'\n    CAFile: '"$CA_FILE"'' "$MONGO_CONF"
 
@@ -124,7 +124,9 @@ fi
 
 # Verify MongoDB is running with TLS
 echo "Waiting for MongoDB to start completely..."
-sleep 5
+
+sleep 10
+
 if sudo systemctl is-active --quiet mongod; then
   echo "✅ MongoDB restarted successfully with TLS configuration"
 
@@ -138,14 +140,20 @@ if sudo systemctl is-active --quiet mongod; then
     MONGO_PORT=$(jq -r '.mongo_port' "$CONFIG_FILE")
 
     if command -v mongosh &> /dev/null; then
-      # Try with localhost
-      echo "Attempting to verify TLS using localhost"
-      if sudo mongosh --host localhost --port $MONGO_PORT --tls -u $DB_USERNAME -p $DB_PASSWORD --authenticationDatabase admin --eval "db.adminCommand({ getParameter: 1, tlsMode: 1 })" 2>/dev/null | grep -q "requireTLS"; then
-        echo "✅ MongoDB TLS mode verified using localhost: requireTLS is active"
+      # Try with domain name and client certificate
+      echo "Attempting to verify TLS using domain name"
+      if mongosh --host $DOMAIN --port $MONGO_PORT --tls --tlsCAFile $CA_FILE --tlsCertificateKeyFile /etc/ssl/mongodb/client.pem -u $DB_USERNAME -p $DB_PASSWORD --authenticationDatabase admin --eval "db.adminCommand({ getParameter: 1, tlsMode: 1 })" 2>/dev/null | grep -q "requireTLS"; then
+        echo "✅ MongoDB TLS mode verified using domain name: requireTLS is active"
       else
         echo "⚠️ WARNING: MongoDB is running but TLS mode could not be verified."
-        echo "Please check manually with:"
-        echo "mongosh --host localhost --port $MONGO_PORT --tls -u $DB_USERNAME -p <password> --authenticationDatabase admin --eval \"db.adminCommand({ getParameter: 1, tlsMode: 1 })\""
+        echo "This is expected because client certificates are required."
+        echo ""
+        echo "IMPORTANT: To connect to MongoDB, you will need:"
+        echo "1. A client certificate signed by your CA"
+        echo "2. Connect using the domain name that matches your server certificate"
+        echo ""
+        echo "Example connection command:"
+        echo "mongosh --host $DOMAIN --port $MONGO_PORT --tls --tlsCAFile $CA_FILE --tlsCertificateKeyFile /etc/ssl/mongodb/client.pem -u $DB_USERNAME -p <password> --authenticationDatabase admin"
       fi
     else
       echo "⚠️ mongosh not available to verify TLS configuration."
@@ -204,12 +212,12 @@ if [ -f "$CONFIG_FILE" ]; then
   fi
 
   # Check if the node is already initialized (part of a replica set)
-  if mongosh --host localhost --port $MONGO_PORT -u $DB_USERNAME -p $DB_PASSWORD --authenticationDatabase admin --quiet --eval "JSON.stringify(rs.status())" 2>/dev/null | grep -q '"ok":1'; then
+  if mongosh --host $DOMAIN --port $MONGO_PORT --tls --tlsCAFile $CA_FILE --tlsCertificateKeyFile /etc/ssl/mongodb/client.pem -u $DB_USERNAME -p $DB_PASSWORD --authenticationDatabase admin --quiet --eval "JSON.stringify(rs.status())" 2>/dev/null | grep -q '"ok":1'; then
     IS_INITIALIZED=true
     echo "This node is already initialized as part of a replica set."
 
     # Now check if it's primary
-    if mongosh --host localhost --port $MONGO_PORT -u $DB_USERNAME -p $DB_PASSWORD --authenticationDatabase admin --quiet --eval "JSON.stringify(rs.isMaster())" 2>/dev/null | grep -q '"ismaster":true'; then
+    if mongosh --host $DOMAIN --port $MONGO_PORT --tls --tlsCAFile $CA_FILE --tlsCertificateKeyFile /etc/ssl/mongodb/client.pem -u $DB_USERNAME -p $DB_PASSWORD --authenticationDatabase admin --quiet --eval "JSON.stringify(rs.isMaster())" 2>/dev/null | grep -q '"ismaster":true'; then
       IS_PRIMARY=true
       echo "This node is the primary."
     else
@@ -226,7 +234,7 @@ if [ -f "$CONFIG_FILE" ]; then
       echo "Initializing replica set with domain name..."
 
       # Initialize the replica set with the domain name instead of localhost
-      if mongosh --host localhost --port $MONGO_PORT $TLS_ARGS -u $DB_USERNAME -p $DB_PASSWORD --authenticationDatabase admin --eval "
+      if mongosh --host $DOMAIN --port $MONGO_PORT --tls --tlsCAFile $CA_FILE --tlsCertificateKeyFile /etc/ssl/mongodb/client.pem -u $DB_USERNAME -p $DB_PASSWORD --authenticationDatabase admin --eval "
         rs.initiate({
           _id: '$REPLICA_SET',
           members: [{ _id: 0, host: '$DOMAIN:$MONGO_PORT' }]
@@ -236,25 +244,25 @@ if [ -f "$CONFIG_FILE" ]; then
 
         # Verify the initialization
         echo "Verifying replica set configuration..."
-        mongosh --host localhost --port $MONGO_PORT $TLS_ARGS -u $DB_USERNAME -p $DB_PASSWORD --authenticationDatabase admin --quiet --eval "rs.conf().members.forEach(function(m) { print(m.host); })"
+        mongosh --host $DOMAIN --port $MONGO_PORT --tls --tlsCAFile $CA_FILE --tlsCertificateKeyFile /etc/ssl/mongodb/client.pem -u $DB_USERNAME -p $DB_PASSWORD --authenticationDatabase admin --quiet --eval "rs.conf().members.forEach(function(m) { print(m.host); })"
       else
         echo "❌ ERROR: Failed to initialize replica set. You may need to initialize it manually."
         echo "Manual initialization command:"
-        echo "mongosh --host localhost --port $MONGO_PORT $TLS_ARGS -u $DB_USERNAME -p $DB_PASSWORD --authenticationDatabase admin --eval \"rs.initiate({ _id: '$REPLICA_SET', members: [{ _id: 0, host: '$DOMAIN:$MONGO_PORT' }] })\""
+        echo "mongosh --host $DOMAIN --port $MONGO_PORT --tls --tlsCAFile $CA_FILE --tlsCertificateKeyFile /etc/ssl/mongodb/client.pem -u $DB_USERNAME -p $DB_PASSWORD --authenticationDatabase admin --eval \"rs.initiate({ _id: '$REPLICA_SET', members: [{ _id: 0, host: '$DOMAIN:$MONGO_PORT' }] })\""
       fi
     elif [ "$IS_INITIALIZED" = true ]; then
       # This is an already initialized primary node, check if we need to update the configuration
       echo "Checking if replica set configuration needs to be updated..."
 
       # Get current replica set configuration
       TEMP_FILE=$(mktemp)
-      if mongosh --host localhost --port $MONGO_PORT $TLS_ARGS -u $DB_USERNAME -p $DB_PASSWORD --authenticationDatabase admin --quiet --eval "JSON.stringify(rs.conf())" > $TEMP_FILE 2>/dev/null; then
+      if mongosh --host $DOMAIN --port $MONGO_PORT --tls --tlsCAFile $CA_FILE --tlsCertificateKeyFile /etc/ssl/mongodb/client.pem -u $DB_USERNAME -p $DB_PASSWORD --authenticationDatabase admin --quiet --eval "JSON.stringify(rs.conf())" > $TEMP_FILE 2>/dev/null; then
         # Check if any member is using localhost
         if grep -q "localhost" $TEMP_FILE; then
           echo "Found localhost in replica set configuration. Updating to use domain name..."
 
           # Update replica set configuration to use domain name
-          if mongosh --host localhost --port $MONGO_PORT $TLS_ARGS -u $DB_USERNAME -p $DB_PASSWORD --authenticationDatabase admin --eval "
+          if mongosh --host $DOMAIN --port $MONGO_PORT --tls --tlsCAFile $CA_FILE --tlsCertificateKeyFile /etc/ssl/mongodb/client.pem -u $DB_USERNAME -p $DB_PASSWORD --authenticationDatabase admin --eval "
             var config = rs.conf();
             for (var i = 0; i < config.members.length; i++) {
               if (config.members[i].host.includes('localhost')) {
@@ -268,11 +276,11 @@ if [ -f "$CONFIG_FILE" ]; then
 
             # Verify the update
             echo "Verifying updated configuration..."
-            mongosh --host localhost --port $MONGO_PORT $TLS_ARGS -u $DB_USERNAME -p $DB_PASSWORD --authenticationDatabase admin --quiet --eval "rs.conf().members.forEach(function(m) { print(m.host); })"
+            mongosh --host $DOMAIN --port $MONGO_PORT --tls --tlsCAFile $CA_FILE --tlsCertificateKeyFile /etc/ssl/mongodb/client.pem -u $DB_USERNAME -p $DB_PASSWORD --authenticationDatabase admin --quiet --eval "rs.conf().members.forEach(function(m) { print(m.host); })"
           else
             echo "⚠️ WARNING: Failed to update replica set configuration. You may need to update it manually."
             echo "Manual update command:"
-            echo "mongosh --host localhost --port $MONGO_PORT $TLS_ARGS -u $DB_USERNAME -p $DB_PASSWORD --authenticationDatabase admin --eval \"var config = rs.conf(); config.members[0].host = '$DOMAIN:$MONGO_PORT'; rs.reconfig(config);\""
+            echo "mongosh --host $DOMAIN --port $MONGO_PORT --tls --tlsCAFile $CA_FILE --tlsCertificateKeyFile /etc/ssl/mongodb/client.pem -u $DB_USERNAME -p $DB_PASSWORD --authenticationDatabase admin --eval \"var config = rs.conf(); config.members[0].host = '$DOMAIN:$MONGO_PORT'; rs.reconfig(config);\""
           fi
         else
           echo "Replica set configuration already using domain name. No update needed."
@@ -309,4 +317,11 @@ fi
 
 echo "✅ TLS configuration complete"
 echo "MongoDB is now configured to use TLS with the certificate at $CERT_FILE"
-echo "Clients will need to connect using TLS"
+echo ""
+echo "IMPORTANT: Client certificates are required for connections"
+echo "To connect to MongoDB, you will need:"
+echo "1. A client certificate signed by your CA"
+echo "2. Connect using the domain name that matches your server certificate"
+echo ""
+echo "Example connection command:"
+echo "mongosh --host $DOMAIN --port $MONGO_PORT --tls --tlsCAFile $CA_FILE --tlsCertificateKeyFile /etc/ssl/mongodb/client.pem -u $DB_USERNAME -p <password> --authenticationDatabase admin"

utils/create_backup.sh

@@ -46,7 +46,9 @@ create_backup() {
 
   # Use the exact command that works
   if [ "$tls_enabled" = "true" ]; then
-    TLS_ARG="--ssl"
+    TLS_ARG="--ssl --sslCAFile $CA_FILE --sslPEMKeyFile /etc/ssl/mongodb/client.pem"
+    echo "NOTE: Client certificates are required for connections."
+    echo "      Ensure the client certificate exists at /etc/ssl/mongodb/client.pem"
   else
     TLS_ARG=""
   fi

utils/replica_sets.sh

@@ -22,7 +22,9 @@ TLS_ARGS=""
 
 if [ -f "$CERT_FILE" ] && grep -q "tls:" /etc/mongod.conf && grep -q "mode: requireTLS" /etc/mongod.conf; then
   echo "MongoDB TLS is enabled. Using TLS connection..."
-  TLS_ARGS="--tls"
+  echo "NOTE: Client certificates are required for connections."
+  TLS_ARGS="--tls --tlsCAFile $CA_FILE --tlsCertificateKeyFile /etc/ssl/mongodb/client.pem"
+  echo "IMPORTANT: Ensure the client certificate exists at /etc/ssl/mongodb/client.pem"
 elif grep -q "ssl:" /etc/mongod.conf && grep -q "mode: requireSSL" /etc/mongod.conf; then
   # For backward compatibility with older configurations
   echo "MongoDB SSL is enabled. Using SSL connection..."

utils/restore_backup.sh

@@ -51,7 +51,9 @@ restore_backup() {
 
   # Use the exact command that works
   if [ "$tls_enabled" = "true" ]; then
-    TLS_ARG="--ssl"
+    TLS_ARG="--ssl --sslCAFile $CA_FILE --sslPEMKeyFile /etc/ssl/mongodb/client.pem"
+    echo "NOTE: Client certificates are required for connections."
+    echo "      Ensure the client certificate exists at /etc/ssl/mongodb/client.pem"
   else
     TLS_ARG=""
   fi