@j0e1in
Last active November 6, 2024 11:45
Set up MongoDB TLS/SSL with Let's Encrypt.

Set up Mongo 3.6 TLS/SSL with Let's Encrypt

Install certbot

sudo apt-get update
sudo apt-get install software-properties-common
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install certbot

Get Letsencrypt certificate

sudo certbot certonly --standalone -d [domain]

Let's Encrypt (certbot) will create the following files under /etc/letsencrypt/live/[domain]:

  • cert.pem
  • chain.pem
  • fullchain.pem
  • privkey.pem

Prepare certs for mongodb

cd /etc/letsencrypt/live/[domain]
cat privkey.pem fullchain.pem > /etc/ssl/mongod.pem

Download IdenTrust DST Root CA X3 from https://www.identrust.com/certificates/trustid/root-download-x3.html

Copy the cert to /etc/ssl/ca.crt and wrap it with -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----.

Generate ca.pem

# the downloaded root may lack a trailing newline; chain.pem must start on its own line
printf "\n" >> /etc/ssl/ca.crt
cat /etc/letsencrypt/live/[domain]/chain.pem >> /etc/ssl/ca.crt
# keep every certificate in the bundle: "openssl x509 -in ... -out ..." would copy
# only the first one and silently drop the intermediate taken from chain.pem
cp /etc/ssl/ca.crt /etc/ssl/ca.pem
openssl verify -CAfile /etc/ssl/ca.pem /etc/ssl/mongod.pem
# expected output: mongod.pem: OK

Set permission

chmod 600 /etc/ssl/ca.pem
chmod 600 /etc/ssl/mongod.pem
chown mongodb:mongodb /etc/ssl/ca.pem
chown mongodb:mongodb /etc/ssl/mongod.pem

Edit mongod.conf

net:
  port: 27017
  bindIp: 0.0.0.0
  ssl:
    mode: requireSSL # 'disabled', 'allowSSL', 'preferSSL', 'requireSSL'
    PEMKeyFile: /etc/ssl/mongod.pem
    CAFile: /etc/ssl/ca.pem
    allowConnectionsWithoutCertificates: false

Connect to mongodb with SSL

mongo [domain]/[db] -u username -p password --ssl --sslPEMKeyFile /etc/ssl/mongod.pem --sslCAFile /etc/ssl/ca.pem

Renew certificates

Run this before the certificate expires (Let's Encrypt certificates are valid for 90 days):

sudo certbot renew

eestein commented May 25, 2024

@GrantGochnauer Thank you! :) Your script did it.
After following your CA file generation process, I was able to connect:

mongosh --tls --tlsCertificateKeyFile /etc/ssl/mongod.pem --tlsCAFile /etc/ssl/ca.pem --host my_host


cyril23 commented Nov 6, 2024

A typical Certbot installation on Linux configures automatic renewals either through a cron job in /etc/cron.d/certbot or, on systems using systemd (e.g. my Ubuntu 20), via a timer. For example, if Certbot is installed via Snap, the renewal process is managed by a systemd timer located at /etc/systemd/system/snap.certbot.renew.timer. Certbot is generally scheduled to check for renewal twice daily, so there's no need to set up a separate cron job for this purpose.

By the way you don't need to explicitly use the --deploy-hook argument if you place your deployment scripts in the /etc/letsencrypt/renewal-hooks/deploy/ directory. Certbot will automatically execute these scripts after a successful renewal. Check out https://eff-certbot.readthedocs.io/en/stable/using.html#renewing-certificates

E.g. you could add a script /etc/letsencrypt/renewal-hooks/deploy/mongodb-hook.sh like the following:

#!/bin/bash

# customize the variables to your needs:
DOMAIN="MY-DOMAIN.com"
LOG_FILE="/var/log/certbot-mongodb-renewal.log"

log() {
    echo "$(date '+%Y-%m-%d %H:%M:%S') - $*" >> "$LOG_FILE"
}

log "Starting deploy hook for $DOMAIN."

# copy new certs
if cp "/etc/letsencrypt/live/$DOMAIN/fullchain.pem" /etc/ssl/mongodb/; then
    log "Successfully copied fullchain.pem."
else
    log "Failed to copy fullchain.pem."
fi

if cp "/etc/letsencrypt/live/$DOMAIN/cert.pem" /etc/ssl/mongodb/; then
    log "Successfully copied cert.pem."
else
    log "Failed to copy cert.pem."
fi

# add private key to cert
if cat "/etc/letsencrypt/live/$DOMAIN/privkey.pem" >> /etc/ssl/mongodb/cert.pem; then
    log "Successfully concatenated private key to cert.pem."
else
    log "Failed to concatenate private key to cert.pem."
fi

# cert.pem now contains the private key: make it readable by its owner only
# (cp creates it with the default mode, which is usually world-readable)
if chmod 600 /etc/ssl/mongodb/cert.pem; then
    log "Successfully restricted permissions on cert.pem."
else
    log "Failed to restrict permissions on cert.pem."
fi

# change owner
if chown -R mongodb:mongodb /etc/ssl/mongodb/; then
    log "Successfully changed ownership of /etc/ssl/mongodb/."
else
    log "Failed to change ownership of /etc/ssl/mongodb/."
fi

# restart mongodb service
if service mongod restart; then
    log "Successfully restarted mongod service."
else
    log "Failed to restart mongod service."
fi

log "deploy hook completed."

exit 0
