MongoDB Certificate Key File Ownership And Permission

When you set up TLS/SSL for MongoDB (following the "Configure mongod and mongos for TLS/SSL" guide), you might encounter one of the following errors in the mongod log:

{"t":{"$date":"2020-11-30T08:02:19.406+00:00"},"s":"E",  "c":"NETWORK",  "id":23248,   "ctx":"main","msg":"Cannot read certificate file","attr":{"keyFile":"/etc/ssl/testserver1.pem","error":"error:0200100D:system library:fopen:Permission denied"}}
{"t":{"$date":"2020-11-30T08:02:19.406+00:00"},"s":"F",  "c":"CONTROL",  "id":20574,   "ctx":"main","msg":"Error during global initialization","attr":{"error":{"code":140,"codeName":"InvalidSSLConfiguration","errmsg":"Can not set up PEM key file."}}}

or

{"t":{"$date":"2020-11-30T08:01:14.545+00:00"},"s":"I",  "c":"ACCESS",   "id":20254,   "ctx":"main","msg":"Read security file failed","attr":{"error":{"code":30,"codeName":"InvalidPath","errmsg":"permissions on / are too open"}}}

So what are the right ownership and permissions for the certificate PEM file? The file must be readable by the user mongod runs as (mongodb on Debian/Ubuntu packages, mongod on RHEL/CentOS packages), and since it contains the private key it should not be readable by anyone else. Making it owner-read-only (mode 400) satisfies both MongoDB's own checks and that hygiene requirement; write access is not needed, because mongod only reads the file at startup.

Solution 1

  • chown mongodb:mongodb [xxx.pem]
  • chmod 400 [xxx.pem]

Afterwards the PEM files look like this:

-r-------- 1 mongodb mongodb 4.4K Nov 30 18:11 test-ca.pem
-r-------- 1 mongodb mongodb 5.4K Nov 30 17:19 test-server1.pem

Then everything works fine.

If the PEM file cannot be read by the mongodb user (for example, it is owned by root with mode 600), mongod fails at startup with the "Permission denied" error shown first above.

If the file belongs to mongodb but has group or world permission bits set (for example, mode 644), you get the "permissions on ... are too open" error. Note the category "ACCESS" and the message "Read security file failed" in that log line: this is the check MongoDB applies to the keyFile used for internal membership authentication (security.keyFile / --keyFile), which must not have any group or world permissions on Unix. The TLS certificateKeyFile itself only has to be readable. Giving both files mode 400 owned by the service user satisfies both checks.

Solution 2

  • chmod 644 [xxx.pem]

This only works for the TLS PEM, which mongod merely needs to read; the keyFile will still be rejected as too open. It also makes the private key readable by every local user, so prefer Solution 1 unless you have a specific reason not to.
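As an added example (not part of the original post), here is a POSIX shell check that predicts, from ownership and mode bits alone, which of the two errors above a file would trigger for a given service user. The strict flag models the no-group/other check mongod applies to the keyFile (Solution 1's 400 passes it, Solution 2's 644 does not); strict=0 models the plain readability a TLS PEM needs. It assumes Linux with GNU coreutils stat; the function name, the default user name mongodb and the exit codes are this example's own conventions, and it neither switches users nor talks to mongod.

```shell
#!/bin/sh
# Added example (not from the original post): decide from ownership and mode
# bits whether mongod running as a given service user could open a PEM or
# keyFile, and which of the two log errors it would otherwise hit.
#
# Exit status: 0 = usable
#              1 = not readable by the service user  -> "Permission denied"
#              2 = group/other bits set               -> "permissions on ... are too open"
#              3 = file missing
# Assumes Linux with GNU coreutils stat. The service user (default "mongodb")
# and the strict flag are parameters of this script, not of mongod.

check_mongo_secret_file() {
    path=$1
    user=${2:-mongodb}
    strict=${3:-1}   # 1: reject group/other bits, as mongod does for --keyFile
                     # 0: only require readability, enough for a TLS PEM

    if [ ! -f "$path" ]; then
        echo "$path: no such file" >&2
        return 3
    fi

    owner=$(stat -c '%U' "$path")
    group=$(stat -c '%G' "$path")
    mode=$(stat -c '%a' "$path")
    perm=$((0$mode))        # leading 0 makes the shell parse the mode as octal

    # Pick the permission class that applies to the service user
    # (owner, group member, or other), then test its read bit.
    if [ "$owner" = "$user" ]; then
        readbit=$(( (perm >> 6) & 4 ))
    elif id -Gn "$user" 2>/dev/null | tr ' ' '\n' | grep -qx "$group"; then
        readbit=$(( (perm >> 3) & 4 ))
    else
        readbit=$(( perm & 4 ))
    fi

    if [ "$readbit" -eq 0 ]; then
        echo "$path: user $user cannot read it (owner $owner, mode $mode): expect 'Permission denied'" >&2
        return 1
    fi

    # 077 masks the group and other bits; any of them set fails the keyFile check.
    if [ "$strict" -eq 1 ] && [ $(( perm & 077 )) -ne 0 ]; then
        echo "$path: group/other bits set (mode $mode): expect 'permissions on $path are too open'" >&2
        return 2
    fi

    echo "$path: ok for user $user (owner $owner, mode $mode)"
    return 0
}

# Run directly, e.g.: sh check_pem.sh /etc/ssl/testserver1.pem mongodb 1
if [ "$#" -ge 1 ]; then
    check_mongo_secret_file "$@"
fi
```

Run it once with strict=1 against the keyFile and once with strict=0 against the TLS PEM before restarting mongod; a non-zero exit tells you which log line you would have seen.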

Unfortunately, the official TLS setup documentation doesn't spell this out; hopefully this explanation helps.