Collect data from MongoDB that uses SSL and User Authentication

Hi,

I am trying to collect information from MongoDB using telegraf to output it to influxdb.

I tried multiple configurations, each one giving me different errors.

[[inputs.mongodb]]
  servers = ["mongodb://<user>:<password>@mongodb"]
  gather_perdb_stats = false
  insecure_skip_verify = false
  [inputs.mongodb.ssl]
  enabled = true
  cacerts = ["""
-----BEGIN CERTIFICATE-----
<my_cert>
-----END CERTIFICATE-----
"""]

Using insecure_skip_verify with true/false doesn’t make any change.
Changing the certs changes what it does…

Normally with a cert and connection errors on telegraf on MongoDB it gives me

E NETWORK [conn1707] no SSL certificate provided by peer; connection rejected

And the only time it seems that the certificate is transmitted to the server, it gives me the error

error in Dial, x509: certificate signed by unknown authority

This certificate works just fine using the mongo cli tool.

And there are times that telegraf gives me errors that it couldn’t parse the root certificate.

E! Error in plugin [inputs.mongodb]: failed to parse root certificate

I’m using the docker image (1.6.0 - alpine) and running it on k8 as a daemonset.
It works if I disable SSL on MongoDB.

These old ssl options are deprecated. If you are just getting started with this plugin, try using these options instead:

[[inputs.mongodb]]
  ## Optional SSL Config
  # ssl_ca = "/etc/telegraf/ca.pem"
  # ssl_cert = "/etc/telegraf/cert.pem"
  # ssl_key = "/etc/telegraf/key.pem"
  ## Use SSL but skip chain & host verification
  # insecure_skip_verify = false

If you have been using these options in 1.5 and it only broke in 1.6, we should probably spend some more time debugging what might have changed.


Couldn’t make it work.

Config.

[[inputs.mongodb]]
  servers = ["$MONGODB_URL"]
  gather_perdb_stats = false
  ## Optional SSL Config
  ssl_ca = "/ssl/mongodb/ca.pem"
  ssl_cert = "/ssl/mongodb/cert.pem"
  ssl_key = "/ssl/mongodb/key.pem"
  insecure_skip_verify = true

log on telegraf:

2018-04-23T14:27:05Z E! Error in plugin [inputs.mongodb]: Unable to connect to MongoDB, no reachable servers
2018-04-23T14:27:15Z E! Error in plugin [inputs.mongodb]: Unable to connect to MongoDB, no reachable servers
2018-04-23T14:27:25Z E! Error in plugin [inputs.mongodb]: Unable to connect to MongoDB, no reachable servers

log on MongoDB:

2018-04-23T14:30:25.014+0000 I -        [conn380] AssertionException handling request, closing client connection: 17189 The server is configured to only allow SSL connections
2018-04-23T14:30:25.014+0000 I -        [conn380] end connection 10.244.2.114:46078 (1 connection now open)
2018-04-23T14:30:30.002+0000 I NETWORK  [thread1] connection accepted from 10.244.2.114:46080 #381 (1 connection now open)
2018-04-23T14:30:30.002+0000 I -        [conn381] AssertionException handling request, closing client connection: 17189 The server is configured to only allow SSL connections
2018-04-23T14:30:30.002+0000 I -        [conn381] end connection 10.244.2.114:46080 (1 connection now open)
2018-04-23T14:30:30.003+0000 I NETWORK  [thread1] connection accepted from 10.244.1.186:41688 #382 (1 connection now open)

If I try to add

[inputs.mongodb.ssl]
  enabled = true

in the config, the log at MongoDB changes…

2018-04-23T14:33:14.537+0000 E NETWORK  [conn400] no SSL certificate provided by peer; connection rejected
2018-04-23T14:33:14.537+0000 I -        [conn400] end connection 10.244.2.115:34446 (1 connection now open)

Tried to use URI with ?ssl=true to force SSH connection.

2018-04-23T14:37:20Z E! Error in plugin [inputs.mongodb]: Unable to parse URL (mongodb://:@/?ssl=true), unsupported connection URL option: ssl=true

I notice that the mongodb plugin is not reporting errors parsing the certificates; I think this might be preventing us from seeing a problem loading the cert. I opened an issue, and I’ll try to add this into the upcoming 1.6.1 release; hopefully this will help us debug the issue.

Can you try again with Telegraf 1.6.1 and this config and let me know if you receive an error in the Telegraf log?

[[inputs.mongodb]]
  servers = ["$MONGODB_URL"]
  gather_perdb_stats = false
  ## Optional SSL Config
  ssl_ca = "/ssl/mongodb/ca.pem"
  ssl_cert = "/ssl/mongodb/cert.pem"
  ssl_key = "/ssl/mongodb/key.pem"
  insecure_skip_verify = true

Yep, it worked.

I had a problem with the cert and key file. After fixing those, things worked just fine.

In case you want to know, the error log was:

2018-04-24T17:03:00Z E! Error in plugin [inputs.mongodb]: Could not load TLS client key/certificate from /ssl/mongodb/key.pem:/ssl/mongodb/cert.pem: tls: private key does not match public key

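A pre-deployment check for the failure that resolved this thread, as an added example that is not part of the original posts and is not Telegraf's own code. It uses Go's standard `crypto/tls` and `crypto/x509`, whose key-pair error text matches the one in the final log line; `checkPair` and `selfSigned` are hypothetical helper names, and the certificates are throwaway samples generated in memory where a real check would read the `ssl_ca`, `ssl_cert` and `ssl_key` files.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// checkPair (hypothetical helper) performs the two load steps a Go TLS client
// needs: parse the CA bundle, then pair the client certificate with its key.
func checkPair(caPEM, certPEM, keyPEM []byte) error {
	if !x509.NewCertPool().AppendCertsFromPEM(caPEM) {
		return errors.New("CA file contains no parsable certificate")
	}
	_, err := tls.X509KeyPair(certPEM, keyPEM)
	return err
}

// selfSigned builds constructed sample data; generation errors are ignored for brevity.
func selfSigned(cn string) (certPEM, keyPEM []byte) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	keyDER, _ := x509.MarshalECPrivateKey(key)
	certPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	keyPEM = pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})
	return certPEM, keyPEM
}

func main() {
	certA, keyA := selfSigned("telegraf-a")
	_, keyB := selfSigned("telegraf-b")
	fmt.Println("matching pair: ", checkPair(certA, certA, keyA))
	fmt.Println("mismatched key:", checkPair(certA, certA, keyB))
	fmt.Println("empty CA file: ", checkPair(nil, certA, keyA))
}
```

Running the same check against the mounted PEM files before rolling out the daemonset surfaces a mismatched key without needing `insecure_skip_verify`, which does not affect client key loading.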