An Ops Manager instance has been set up for the internal development environment.
The server was started with no TLS on default port: 8080
A CSR file was generated and signed using the internal dev environment CA Server, and the resultant pem file was used to configure TLS for MongoDB Ops Manager
<code>URL to access Ops Manager: https://instance-one.eng.corp.com:8443
PEM file: /ops-manager-data/instance-one.pem
CA file: /ops-manager-data/ca.pem
Client Certificate Mode: 'all requests'
</code>
The ops manager instance was up and running successfully.
<code>cat /opt/mongodb/mms/logs/mms0.log | grep "listen"
2024-09-08T07:45:52.384+0000 [main] INFO com.xgen.svc.core.ServerMain [ServerMain.java:createSSLConnector:908] - Creating HTTPS (1.1) listener on *:8443
</code>
However, the listener is active on IPv6 instead of IPv4.
<code>tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:27017 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:27037 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:27027 0.0.0.0:* LISTEN
tcp6 0 0 10.14.10.84:8080 :::* LISTEN
tcp6 0 0 :::8443 :::* LISTEN
tcp6 0 0 :::22 :::* LISTEN
tcp6 0 0 ::1:631 :::* LISTEN
</code>
In the conf-properties, the following properties were added to debug:
<code>mms.http.bindhostname=10.1.2.84
</code>
Result: the HTTP server is accessible on http://10.1.2.84:8080; however, the HTTPS instance is not reachable.
The ca.pem has also been added to the certificate list of the Firefox instances.
<code>cat /opt/mongodb/mms/logs/mms0.log | grep "listen"
2024-09-08T07:45:52.384+0000 [main] INFO com.xgen.svc.core.ServerMain [ServerMain.java:createSSLConnector:908] - Creating HTTPS (1.1) listener on *:8443
2024-09-08T07:45:52.386+0000 [main] INFO com.xgen.svc.core.ServerMain [ServerMain.java:createNonSSLConnector:933] - Creating HTTP (1.1) listener on 10.14.10.84:8080
</code>
Debugging tried:
<code> % Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
curl: (56) OpenSSL SSL_read: error:0A000412:SSL routines::sslv3 alert bad certificate, errno 0
</code>
is not throwing any error
Running:
<code>
Acceptable client certificate CA names
CN = NoSQL CA
Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA1:RSA+SHA1
Shared Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 1994 bytes and written 452 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 4096 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
80FB818896700000:error:0A000412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate:../ssl/record/rec_layer_s3.c:1593:SSL alert number 42
</code>
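The s_client transcript above can be read mechanically: a verify return code of 0 followed by alert 42 (bad_certificate), right after the server has listed the CA names it accepts for a client certificate, means the client trusted the server but the server rejected the (absent) client certificate that 'all requests' mode demands. The following Python helper is an added example, not code from the original post or from Ops Manager; it parses constructed transcripts modelled on that output, and the function name and sample text are assumptions.

```python
import re
from typing import Dict, List, Optional

# Constructed sample (not captured from the post's server): the tail of an
# `openssl s_client -connect host:8443 -CAfile ca.pem` run with NO client cert.
NO_CLIENT_CERT = """\
Acceptable client certificate CA names
CN = NoSQL CA
SSL handshake has read 1994 bytes and written 452 bytes
Verify return code: 0 (ok)
---
80FB818896700000:error:0A000412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate:../ssl/record/rec_layer_s3.c:1593:SSL alert number 42
"""
# Constructed sample for the other common failure: client does not trust the server's CA.
UNTRUSTED_SERVER = """\
No client certificate CA names sent
Verify return code: 21 (unable to verify the first certificate)
"""

def diagnose_s_client(output: str) -> Dict[str, object]:
    """Tell 'client does not trust server' apart from 'server rejected our client cert'."""
    verify = re.search(r"Verify return code: (\d+) \((.*?)\)", output)
    verify_code: Optional[int] = int(verify.group(1)) if verify else None
    alert = re.search(r"SSL alert number (\d+)", output)
    alert_no: Optional[int] = int(alert.group(1)) if alert else None
    # DNs the server will accept for a client certificate: the lines directly
    # under the "Acceptable client certificate CA names" header.
    ca_names: List[str] = []
    collecting = False
    for line in output.splitlines():
        if line.startswith("Acceptable client certificate CA names"):
            collecting = True
            continue
        if collecting:
            if re.match(r"^\s*(CN|O|OU|C|ST|L)\s*=", line):
                ca_names.append(line.strip())
            else:
                break
    if verify_code not in (None, 0):
        diagnosis = "client does not trust the server certificate (check -CAfile / trust store)"
    elif alert_no == 42 and ca_names:
        # Server identity verified, then bad_certificate (42) after a client-cert request.
        diagnosis = "server requires a client certificate issued by: " + ", ".join(ca_names)
    elif alert_no == 42:
        diagnosis = "server rejected the presented client certificate"
    else:
        diagnosis = "handshake completed"
    return {"verify_code": verify_code, "alert": alert_no, "acceptable_cas": ca_names, "diagnosis": diagnosis}
```

Run it over a real transcript with `openssl s_client ... 2>&1 | python3 -c 'import sys; ...'` style piping, or paste the output into the sample string; for the client-cert case, retry s_client with `-cert` and `-key` pointing at a certificate issued by the listed CA.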