Links#
https://www.mongodb.com/docs/manual/tutorial/configure-ssl/
https://www.mongodb.com/docs/manual/reference/connection-string-options/#tls-options
https://www.mongodb.com/docs/drivers/java/sync/current/security/tls/
https://www.mongodb.com/docs/drivers/python/current/security/tls/
https://www.mongodb.com/docs/drivers/go/current/fundamentals/connections/tls/
https://www.mongodb.com/docs/drivers/node/current/security/tls/
1. Important Points#
MongoDB TLS protects client <-> mongod / mongos traffic (and member <-> member traffic inside a replica set or sharded cluster):
encrypt wire traffic
client verifies the server certificate (chain and hostname) against a trusted CA
optionally present a client certificate for x.509 authentication; the server verifies it against net.tls.CAFile
recommended:
net.tls.mode=requireTLS
client uses tls=true
client validates against the CA that issued the server certificates (tlsCAFile, or the platform / JVM trust store)
server certificate SAN lists the hostnames replica set members advertise and clients connect to
avoid in production:
tlsAllowInvalidCertificates=true
tlsAllowInvalidHostnames=true
tlsInsecure=true (shorthand for both of the above)
allowTLS / preferTLS fallback modes unless a migration requires them
2. Server Configuration#
files#
/etc/mongodb/tls/ca.pem
/etc/mongodb/tls/server.pem
server.pem:
server certificate + private key in PEM; readable only by the mongod user, since it contains the key
ca.pem:
CA chain used to verify peer certificates (client certificates for x.509 auth and other cluster members)
mongod.conf#
```yaml
net:
  port: 27017
  bindIp: 10.0.1.10
  tls:
    mode: requireTLS
    certificateKeyFile: /etc/mongodb/tls/server.pem
    CAFile: /etc/mongodb/tls/ca.pem
security:
  authorization: enabled
```
verify with mongosh#
```sh
# --password with no value makes mongosh prompt, so the secret stays out of shell history
mongosh "mongodb://mongo-1.example.com:27017/admin?tls=true&tlsCAFile=/etc/ssl/company-ca.pem" \
  --username order_app \
  --password
```
3. Java#
```xml
<dependency>
    <groupId>org.mongodb</groupId>
    <artifactId>mongodb-driver-sync</artifactId>
    <version>5.3.0</version>
</dependency>
```
```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;

import com.mongodb.client.MongoClient;
import com.mongodb.client.MongoClients;
import org.bson.Document;

public class MongoTlsExample {
    public static void main(String[] args) {
        // Percent-encode the password: reserved characters such as ':', '@', '/' or '?'
        // would otherwise break connection-string parsing. URLEncoder emits '+' for
        // spaces, which the URI parser would take literally, so map it to %20.
        String password = URLEncoder
                .encode(System.getenv("MONGO_PASSWORD"), StandardCharsets.UTF_8)
                .replace("+", "%20");
        String uri = "mongodb://order_app:" + password
                + "@mongo-1.example.com:27017/order"
                + "?replicaSet=rs0&tls=true";
        // The driver validates the server certificate against the JVM trust store.
        // Import the company CA into it, or point the JVM at a dedicated store:
        //   -Djavax.net.ssl.trustStore=/etc/ssl/mongo-truststore.jks
        //   -Djavax.net.ssl.trustStorePassword=changeit
        try (MongoClient client = MongoClients.create(uri)) {
            // ping actually opens a TLS connection; getName() alone never touches the network
            System.out.println(client.getDatabase("order")
                    .runCommand(new Document("ping", 1)).toJson());
        }
    }
}
```
4. Python#
```python
import os

from pymongo import MongoClient

# Passing username/password as keyword arguments avoids URL-encoding issues
# and keeps the secret out of the connection string.
client = MongoClient(
    "mongodb://mongo-1.example.com:27017/order",
    username="order_app",
    password=os.environ["MONGO_PASSWORD"],
    replicaSet="rs0",
    tls=True,
    tlsCAFile="/etc/ssl/company-ca.pem",  # private CA that issued the server certificates
)
print(client.order.command("ping"))
client.close()
```
5. Go#
```sh
go get go.mongodb.org/mongo-driver/mongo
```
```go
package main

import (
	"context"
	"crypto/tls"
	"crypto/x509"
	"net/url"
	"os"

	"go.mongodb.org/mongo-driver/mongo"
	"go.mongodb.org/mongo-driver/mongo/options"
)

func main() {
	ca, err := os.ReadFile("/etc/ssl/company-ca.pem")
	if err != nil {
		panic(err)
	}
	// Trust only the company CA, not the system roots.
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(ca) {
		panic("no certificates found in /etc/ssl/company-ca.pem")
	}

	// url.UserPassword percent-encodes reserved characters in the password.
	creds := url.UserPassword("order_app", os.Getenv("MONGO_PASSWORD")).String()
	uri := "mongodb://" + creds + "@mongo-1.example.com:27017/order?replicaSet=rs0"

	// SetTLSConfig turns TLS on even without tls=true in the URI; the driver fills in
	// ServerName per member, so hostname verification still happens.
	opts := options.Client().
		ApplyURI(uri).
		SetTLSConfig(&tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12})

	ctx := context.Background()
	client, err := mongo.Connect(ctx, opts)
	if err != nil {
		panic(err)
	}
	defer client.Disconnect(ctx)

	// Connect is lazy; Ping forces a real TLS handshake so misconfiguration fails here.
	if err := client.Ping(ctx, nil); err != nil {
		panic(err)
	}
}
```
6. Node.js#
```javascript
import { MongoClient } from "mongodb";

// encodeURIComponent keeps reserved characters in the password from breaking the URI
const uri =
  `mongodb://order_app:${encodeURIComponent(process.env.MONGO_PASSWORD)}` +
  "@mongo-1.example.com:27017/order?replicaSet=rs0&tls=true";

const client = new MongoClient(uri, {
  tlsCAFile: "/etc/ssl/company-ca.pem" // private CA that issued the server certificates
});

await client.connect();
console.log(await client.db("order").command({ ping: 1 }));
await client.close();
```
7. Production Checklist#
server:
mode=requireTLS
certificate includes DNS names used by clients
replica set members use TLS-compatible hostnames
server.pem (contains the private key) readable only by the mongod user
client:
tls=true
CA file configured
invalid certificate / hostname checks are not disabled
SRV connection behavior reviewed (mongodb+srv defaults to tls=true and takes member hosts from DNS)
operations:
certificate expiry monitored
rotation tested on replica set
backup / automation clients updated with CA
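The client-side rules from section 1 and the client checklist above can be checked mechanically before a connection string reaches production. The following is an added example (not MongoDB's or any driver's code): a stdlib-only Python auditor that parses a mongodb:// or mongodb+srv:// URI and reports TLS off, validation-disabling options, a missing CA file, and IP-literal hosts that would need an IP SAN. The sample URIs, the `order_app` user and the `/etc/ssl/company-ca.pem` path are constructed for illustration; nothing here connects to a server.

```python
"""Audit MongoDB connection strings for the client-side TLS settings this page
recommends. Added example; parses the URI only and never opens a connection."""
import ipaddress
from urllib.parse import parse_qs, unquote

# Connection-string options that weaken or disable certificate validation.
# Keys are lower-cased because MongoDB option names are case-insensitive.
INSECURE_FLAGS = {
    "tlsinsecure": "tlsInsecure=true disables certificate and hostname validation",
    "tlsallowinvalidcertificates": "tlsAllowInvalidCertificates=true skips chain validation",
    "tlsallowinvalidhostnames": "tlsAllowInvalidHostnames=true skips hostname matching",
}


def parse_mongo_uri(uri):
    """Split a mongodb:// or mongodb+srv:// URI into scheme, username, password,
    hosts ('host[:port]' strings) and options (lower-cased keys, last value wins)."""
    scheme, sep, rest = uri.partition("://")
    if not sep or scheme not in ("mongodb", "mongodb+srv"):
        raise ValueError("not a MongoDB connection string: %r" % uri)
    # The host list ends at the first '/' (database) or '?' (options with no database).
    hostpart, _, tail = rest.partition("/")
    if "?" in hostpart:
        hostpart, _, query = hostpart.partition("?")
        tail = "?" + query
    userinfo, _, hosts = hostpart.rpartition("@")   # ('', '', hostpart) when no credentials
    username, _, password = userinfo.partition(":")
    _, _, query = tail.partition("?")
    options = {}
    for key, values in parse_qs(query, keep_blank_values=True).items():
        options[key.lower()] = values[-1]
    return {
        "scheme": scheme,
        "username": unquote(username),
        "password": password,            # left percent-encoded; never printed
        "hosts": [h for h in hosts.split(",") if h],
        "options": options,
    }


def _host_name(host):
    """Strip the port from 'host:port' or '[v6]:port'."""
    if host.startswith("["):
        return host[1:host.index("]")]
    return host.split(":")[0]


def _is_ip_literal(name):
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False


def audit_mongo_uri(uri):
    """Return a list of (severity, message) findings; an empty list means nothing to flag."""
    parts = parse_mongo_uri(uri)
    opts = parts["options"]
    findings = []

    # 1. Is TLS on at all?  mongodb:// defaults to plaintext, mongodb+srv:// to TLS.
    tls_value = opts.get("tls", opts.get("ssl"))   # ssl= is the legacy alias of tls=
    if tls_value is None:
        tls_on = parts["scheme"] == "mongodb+srv"
        if tls_on:
            findings.append(("INFO", "mongodb+srv implies tls=true; members come from DNS SRV "
                                     "records, so the CA must cover every resolved hostname"))
        else:
            findings.append(("HIGH", "tls not set; mongodb:// defaults to plaintext"))
    else:
        tls_on = tls_value.lower() == "true"
        if not tls_on:
            findings.append(("HIGH", "TLS explicitly disabled (tls=%s)" % tls_value))

    # 2. Validation switched off?  Any of these lets a MITM with an arbitrary cert succeed.
    for flag, why in INSECURE_FLAGS.items():
        if opts.get(flag, "").lower() == "true":
            findings.append(("HIGH", why))

    # 3. Which trust store validates the server certificate?
    if tls_on and "tlscafile" not in opts:
        findings.append(("INFO", "no tlsCAFile; the driver's default (platform or JVM) trust "
                                 "store is used, so the private CA must be installed there"))

    # 4. Hostname verification compares what the client dialed with the certificate SAN.
    for host in parts["hosts"]:
        name = _host_name(host)
        if tls_on and _is_ip_literal(name):
            findings.append(("WARN", "host %s is an IP literal; hostname verification needs "
                                     "an IP SAN in the server certificate" % name))
    return findings


def has_high(findings):
    return any(severity == "HIGH" for severity, _ in findings)


# Constructed sample URIs (not from any real deployment).
SAMPLE_URIS = {
    "prod_ok": "mongodb://order_app:s3cret@mongo-1.example.com:27017,mongo-2.example.com:27017"
               "/order?replicaSet=rs0&tls=true&tlsCAFile=/etc/ssl/company-ca.pem",
    "plaintext": "mongodb://order_app:s3cret@mongo-1.example.com:27017/order?replicaSet=rs0",
    "validation_off": "mongodb://mongo-1.example.com:27017/order?tls=true"
                      "&tlsAllowInvalidCertificates=true&tlsAllowInvalidHostnames=true",
    "srv_default": "mongodb+srv://order_app:s3cret@cluster.example.com/order",
    "ip_host": "mongodb://10.0.1.10:27017/order?tls=true&tlsCAFile=/etc/ssl/company-ca.pem",
}

if __name__ == "__main__":
    for label, uri in SAMPLE_URIS.items():
        findings = audit_mongo_uri(uri)
        print("%-15s %s" % (label, "OK" if not findings else ""))
        for severity, message in findings:
            print("  [%s] %s" % (severity, message))
```

Run it against the connection strings in your deployment manifests or secrets store; anything with a HIGH finding should not reach production, and the INFO lines point at the trust-store questions (JVM truststore, SRV-resolved hostnames) that a URI alone cannot answer.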