golang client fails to connect to mongo db server - sslv3 alert bad certificate

Question

I'm trying to connect a Go client to a MongoDB server running with SSL enabled. I get a clear error message indicating that the handshake failed due to an SSL error. I use a self-signed certificate on the client side.

Got below from the mongodb server:

2017-05-13T04:38:53.910+0000 I NETWORK  [thread1] connection accepted from 172.17.0.1:51944 #10 (1 connection now open)
2017-05-13T04:38:53.911+0000 E NETWORK  [conn10] SSL: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate
2017-05-13T04:38:53.911+0000 I -        [conn10] end connection 

Error from Go client:

Could not connect to mongodb_s1.dev:27017 x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "XYZ")

Tried multiple options, but they didn't help.

Answer 1

Score: 1

You can skip TLS security checks using InsecureSkipVerify = true. This allows you to use self-signed certificates. See the code from compose help below.

Instead of skipping security checks, it is advisable to add the CA used to sign your certificates to the list of trusted CAs of the system.

package main

import (
	"crypto/tls"
	"fmt"
	"net"
	"os"
	"strings"

	"gopkg.in/mgo.v2"
)

func main() {
	uri := os.Getenv("MONGODB_URL")
	if uri == "" {
		fmt.Println("No connection string provided - set MONGODB_URL")
		os.Exit(1)
	}
	uri = strings.TrimSuffix(uri, "?ssl=true")

Here:

	tlsConfig := &tls.Config{}
	// InsecureSkipVerify turns off verification of the server's certificate chain and host name.
	tlsConfig.InsecureSkipVerify = true

	dialInfo, err := mgo.ParseURL(uri)

	if err != nil {
		fmt.Println("Failed to parse URI: ", err)
		os.Exit(1)
	}

And here:

	dialInfo.DialServer = func(addr *mgo.ServerAddr) (net.Conn, error) {
		conn, err := tls.Dial("tcp", addr.String(), tlsConfig)
		return conn, err
	}

	session, err := mgo.DialWithInfo(dialInfo)
	if err != nil {
		fmt.Println("Failed to connect: ", err)
		os.Exit(1)
	}

	defer session.Close()

	dbnames, err := session.DB("").CollectionNames()
	if err != nil {
		fmt.Println("Couldn't query for collections names: ", err)
		os.Exit(1)
	}

	fmt.Println(dbnames)

}

1: https://help.compose.com/docs/connecting-to-mongodb#go--golang-mongodb-and-compose "compose help"
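
The answer's advice to trust the signing CA instead of skipping verification, as an added example that is not part of the original answer or the Compose documentation: `trustOnly` builds a `tls.Config` whose `RootCAs` holds only the given CA, and `demo` dials the same server with the system roots and then with the CA pinned. The function names are hypothetical, and Go's `httptest` server with its built-in test certificate is a constructed stand-in for the MongoDB server and its self-signed certificate.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// trustOnly returns a client config that verifies the server against the
// CA certificates in caPEM only; chain and host name checks stay enabled.
func trustOnly(caPEM []byte, serverName string) (*tls.Config, error) {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(caPEM) {
		return nil, errors.New("no certificate found in CA PEM")
	}
	return &tls.Config{RootCAs: pool, ServerName: serverName, MinVersion: tls.VersionTLS12}, nil
}

// dial runs the TLS handshake against addr and returns its error, if any.
func dial(addr string, cfg *tls.Config) error {
	conn, err := tls.Dial("tcp", addr, cfg)
	if err == nil {
		conn.Close()
	}
	return err
}

// demo dials a loopback stand-in server with system roots, then with its CA pinned.
func demo() (untrusted, pinned error) {
	srv := httptest.NewTLSServer(http.NotFoundHandler())
	defer srv.Close()
	addr := srv.Listener.Addr().String()
	caPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: srv.Certificate().Raw})
	untrusted = dial(addr, &tls.Config{ServerName: "example.com"}) // system roots
	cfg, err := trustOnly(caPEM, "example.com") // test cert lists example.com as a SAN
	if err != nil {
		return untrusted, err
	}
	return untrusted, dial(addr, cfg)
}

func main() {
	untrusted, pinned := demo()
	fmt.Printf("system roots: %v\npinned CA: %v\n", untrusted, pinned)
}
```

To apply this to the answer's program, pass the config returned by `trustOnly` (given the CA file's PEM bytes and the server's host name) to `tls.Dial` inside `DialServer` in place of the `InsecureSkipVerify` config.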
