MongoDb SSL Connection with Self Signed Certificate issue

GillesCP · February 9, 2018, 10:30am

Hi all,

We would need to create a connection on a MongoDb cluster with SSL enabled and self-signed certificate.

We look on the web for related solutions, issues or workaround but with no luck.

Do you know if this kind of connection is available on current version of Metabase and how to configure it?

Thanks in advance!

jornh · February 9, 2018, 6:23pm

Look some more on the web then (sorry for the tongue in cheek answer. I know it’s tough to scour the web for something like this)

I’d argue this isn’t something specific to Metabase - but more related to that you need to add your self signed cert as a trusted cert to the java keystore on the machine running Metabase, then make sure it’s referenced correctly when Metabase is started.

Here’s a possible starting point (with it’s StackOverflow link):

The way I’d possibly go about it (if you can’t get it running with Metabase right away) would be to test certificate setup with e.g a simple “Hello World” java code snippet/command line tool using or building on the java Mongo client libs (guess it’s this. https://mongodb.github.io/mongo-java-driver/). When you have that working then getting it working with Metabase shouldn’t be as hard.

Sorry, that’s all I can offer as I haven’t been through setting up a client with Mongo and self-signed … only lots of other things patterned around the same.

GillesCP · February 12, 2018, 7:56am

Thank you @jornh for the answer.

We plunged into the configuration and found the following solution into a Docker context:

FROM metabase/metabase-head

ADD ROOTCA.pem /usr/local/share/ca-certificates/ROOTCA.pem

# Register the MongoDb self-signed certificate to the JAVA environment:
RUN ${JAVA_HOME}/bin/keytool -importcert -v -trustcacerts \
    -alias metabase \
    -file "/usr/local/share/ca-certificates/ROOTCA.pem" \
    -keystore ${JAVA_HOME}/jre/lib/security/cacerts \
    -storepass changeit -noprompt

This is somewhat what you are describing.

Thanks for your answer.

vitoresende · May 7, 2019, 8:02pm

Hi @GillesCP, could you help me telling where did you find the ROOTCA.pem ? As we have a self-signed certificate? I’ve tried to create the .pem like this link, when I try the commands as you wrote above I’ve got or: "java.io.FileNotFoundException: /usr/lib/jvm/java-1.8-openjdk/jre/jre/lib/security/cacerts (Is a directory)
" or “java.lang.Exception: Input not an X.509 certificate”

Could someone help me?