MongoDB Certificate Key File Ownership And Permission

When you setup TLS/SSL for MongoDB Configure mongod and mongos for TLS/SSL, you might encounter the following errors:

{"t":{"$date":"2020-11-30T08:02:19.406+00:00"},"s":"E",  "c":"NETWORK",  "id":23248,   "ctx":"main","msg":"Cannot read certificate file","attr":{"keyFile":"/etc/ssl/testserver1.pem","error":"error:0200100D:system library:fopen:Permission denied"}}
{"t":{"$date":"2020-11-30T08:02:19.406+00:00"},"s":"F",  "c":"CONTROL",  "id":20574,   "ctx":"main","msg":"Error during global initialization","attr":{"error":{"code":140,"codeName":"InvalidSSLConfiguration","errmsg":"Can not set up PEM key file."}}}


{"t":{"$date":"2020-11-30T08:01:14.545+00:00"},"s":"I",  "c":"ACCESS",   "id":20254,   "ctx":"main","msg":"Read security file failed","attr":{"error":{"code":30,"codeName":"InvalidPath","errmsg":"permissions on / are too open"}}}

So what's the right ownership and permission for the certificate pem file? The answer is: the pem file should have read access but no write access for the user mongodb.

Solution 1

  • chown mongodb:mongodb [xxx.pem]
  • chmod 400 [xxx.pem]

Finally, the pem files look like this:

-r-------- 1 mongodb mongodb 4.4K Nov 30 18:11 test-ca.pem
-r-------- 1 mongodb mongodb 5.4K Nov 30 17:19 test-server1.pem

Then everything works fine.

If the pem file cannot be read by user mongodb (e.g. file owner is root with 600 permission), then Permission denied.

If the pem file belongs to mongodb but with more permission, then permissions on / are too open.

Solution 2

  • chmod 644 [xxx.pem]

Unfortunately, the official documentation doesn't provide tips for this, hope these explanation helps.