
Parse Server: is it possible to provide a root certificate for the mongodb connection?

Stack Overflow user
Asked on 2016-04-12 08:53:52
Answers: 1, Views: 1.1K, Followers: 0, Votes: 0

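We set up mongodb on , which means they are the owners of the DNS hostnames. For the SSL connection, I created a self-authorized, self-signed certificate for all the servers in the replica set. When providing the mongo connection string to Parse Server, I get the following:

error: Uncaught internal server error. { [MongoError: self signed certificate in certificate chain] name: 'MongoError', message: 'self signed certificate in certificate chain' }
Error: self signed certificate in certificate chain
    at Error (native)
    at TLSSocket. (_tls_wrap.js:1013:38)
    at emitNone (events.js:67:13)
    at TLSSocket.emit (events.js:166:7)
    at TLSSocket.emit (_tls_wrap.js:582:8)
    at TLSWrap.TLSSocket._init.ssl.onclienthello.ssl.oncertcb.ssl.onnewsession.ssl.onhandshakedone (_tls_wrap.js:424:38)

I'm pretty sure (well, hoping) that if I could somehow provide Parse's mongodb client with the root certificate I generated myself, it should solve these problems. The question is: is it possible to provide a certificate to Parse Server for the mongodb connection, and if so, how?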


1 Answer

Stack Overflow user

Accepted answer

Posted on 2016-04-18 07:46:02

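Well, lately I have a habit of giving my own answers, so here is another one. The solution was to correctly obtain/generate the client certificate so that you have client.crt and client.key at hand, to have the root certificate and any intermediate certificates, and to set the replSet ssl settings. As shown below, I needed to set 'replSet' in 'databaseOptions'. I did some reverse engineering on Parse Server. Note that if the Parse Server code changes in this area, this solution will stop working.

Anyway, the modified index.js from the Parse Server example below helped me solve the problem. What I added revolves around the MONGODB_CERTIFICATE env variable.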

Code language: javascript
// Example express application adding the parse-server module to expose Parse
// compatible API routes.

var express = require('express');
var ParseServer = require('parse-server').ParseServer;
var path = require('path');
var fs = require('fs');

var databaseUri = process.env.DATABASE_URI || process.env.MONGODB_URI;

if (!databaseUri) {
  console.log('DATABASE_URI not specified, falling back to localhost.');
}

var parseSettings = {
  databaseURI: databaseUri || 'mongodb://localhost:27017/dev',
  cloud: process.env.CLOUD_CODE_MAIN || __dirname + '/cloud/main.js',
  appId: process.env.APP_ID || 'myAppId',
  masterKey: process.env.MASTER_KEY || '', //Add your master key here. Keep it secret!
  serverURL: process.env.SERVER_URL || 'http://localhost:1337/parse',  // Don't forget to change to https if needed
  liveQuery: {
    classNames: ["Posts", "Comments"] // List of classes to support for query subscriptions
  }
}

// This allows providing the mongo client with certificates for a mongodb replica set.
// It is handy when you have your own self-authorized/self-signed certificates in mongodb.
if (process.env.MONGODB_CRT_FOLDER) {
  // MONGODB_CRT_FOLDER - certificates folder, e.g. /my/certificates
  // If the path is relative to the project, just start it without '/'.
  // The folder must contain:
  //   1. client.key (hard-coded name)
  //   2. client.crt (hard-coded name)
  //   3. one or more intermediate certificates and a root certificate for the certificate chain
  // MONGODB_CERTIFICATES - the names of the certificates in the certificate chain, separated by commas
  var crtFolder = process.env.MONGODB_CRT_FOLDER + '/';
  if (!process.env.MONGODB_CRT_FOLDER.startsWith('/'))
    crtFolder = __dirname + '/' + crtFolder;

  // Fail early with a clear message instead of a TypeError on split()
  if (!process.env.MONGODB_CERTIFICATES) {
    throw new Error('MONGODB_CERTIFICATES must be set when MONGODB_CRT_FOLDER is set');
  }
  var certificatesFiles = process.env.MONGODB_CERTIFICATES.split(',');
  var certificates = [];
  var i;
  for (i = 0; i < certificatesFiles.length; i++) {
    // crtFolder already ends with '/'; trim() tolerates "root.crt, intermediate.crt"
    certificates.push(fs.readFileSync(crtFolder + certificatesFiles[i].trim()));
  }

  parseSettings.databaseOptions = {
    replSet: {
      ssl: true,
      sslValidate: true,
      sslCA: certificates,
      sslCert: fs.readFileSync( crtFolder + 'client.crt'),
      sslKey: fs.readFileSync( crtFolder + 'client.key')
    }
  };
}


var api = new ParseServer(parseSettings);
// Client-keys like the javascript key or the .NET key are not necessary with parse-server
// If you wish you require them, you can set them as options in the initialization above:
// javascriptKey, restAPIKey, dotNetKey, clientKey

var app = express();

// Serve static assets from the /public folder
app.use('/public', express.static(path.join(__dirname, '/public')));

// Serve the Parse API on the /parse URL prefix
var mountPath = process.env.PARSE_MOUNT || '/parse';
app.use(mountPath, api);

// Parse Server plays nicely with the rest of your web routes
app.get('/', function(req, res) {
  res.status(200).send('Make sure to star the parse-server repo on GitHub!');
});

// There will be a test page available on the /test path of your server url
// Remove this before launching your app
app.get('/test', function(req, res) {
  res.sendFile(path.join(__dirname, '/public/test.html'));
});

var port = process.env.PORT || 1337;
var httpServer = require('http').createServer(app);
httpServer.listen(port, function() {
    console.log('parse-server-example running on port ' + port + '.');
});

// This will enable the Live Query real-time server
ParseServer.createLiveQueryServer(httpServer);

Note that you must npm install --save 'fs' and 'path'.

Votes: 0
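
A pre-flight check for the certificate folder described in the answer, as an added example that is not part of the original answer or of Parse Server: it walks from client.crt up through the files named in MONGODB_CERTIFICATES and reports a missing issuer, an expired certificate, or a root that is not in the list. `checkChain` and `checkFolder` are hypothetical names, and the check assumes client.crt was issued by the same private CA as the replica-set members.

```javascript
// Added example, not part of the original answer. Function names are hypothetical.
const fs = require('fs');
const path = require('path');
const { X509Certificate } = require('crypto'); // available in Node.js >= 15.6

// Walk from a leaf certificate up to a self-signed root using only the
// certificates that would be passed as sslCA. `leaf` and `cas` need just the
// X509Certificate members used here, so the walk can be tested with stand-ins.
function checkChain(leaf, cas, now = new Date()) {
  const problems = [];
  const chain = [leaf];
  let current = leaf;
  for (;;) {
    if (new Date(current.validTo) < now) problems.push('expired: ' + current.subject);
    if (current.checkIssued(current)) {
      // Self-signed: this is the root, and it must itself be an sslCA entry.
      if (!cas.some((ca) => ca.fingerprint256 === current.fingerprint256)) {
        problems.push('root not in sslCA: ' + current.subject);
      }
      break;
    }
    // checkIssued() matches the issuer fields; verify() checks the actual signature.
    const issuer = cas.find((ca) => current.checkIssued(ca) && current.verify(ca.publicKey));
    if (!issuer) { problems.push('issuer not in sslCA: ' + current.issuer); break; }
    if (chain.includes(issuer)) { problems.push('issuer loop at: ' + issuer.subject); break; }
    if (!issuer.ca) problems.push('not marked CA:TRUE: ' + issuer.subject);
    chain.push(issuer);
    current = issuer;
  }
  return { ok: problems.length === 0, chain: chain.map((c) => c.subject), problems };
}

// Read the same files the answer's index.js reads. Assumption: leafName (client.crt
// by default) was issued by the same private CA as the chain in caNames; otherwise
// pass a copy of a replica-set member's certificate instead.
function checkFolder(crtFolder, caNames, leafName = 'client.crt') {
  const load = (name) =>
    new X509Certificate(fs.readFileSync(path.resolve(__dirname, crtFolder, name.trim())));
  return checkChain(load(leafName), caNames.split(',').map(load));
}

// Runs only when the answer's two environment variables are set.
if (process.env.MONGODB_CRT_FOLDER && process.env.MONGODB_CERTIFICATES) {
  const result = checkFolder(process.env.MONGODB_CRT_FOLDER, process.env.MONGODB_CERTIFICATES);
  console.log(JSON.stringify(result, null, 2));
  if (!result.ok) process.exitCode = 1;
}
```
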
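The original content of this page is provided by Stack Overflow. Translation support is provided by the Tencent Cloud Xiaowei IT-domain engine.
Original link: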

https://stackoverflow.com/questions/36568196
