我使用的是Ubuntu 16.04和MongoDB v3.2.11 .

目的是在将MongoDB打开到公共互联网之前保护它 .

让我们启动mongod：

$ mongod --auth --port 27017 --dbpath /data/db1

--sslMode requireSSL --sslPEMKeyFile /etc/ssl/server.pem

--sslCAFile /etc/ssl/ca.pem --sslAllowInvalidHostnames &

输出：

root@tim:/etc/ssl# 2017-01-13T12:58:55.150+0000 I CONTROL [initandlisten] MongoDB starting : pid=19058 port=27017 dbpath=/data/db1 64-bit host=tim

2017-01-13T12:58:55.150+0000 I CONTROL [initandlisten] db version v3.2.11

2017-01-13T12:58:55.151+0000 I CONTROL [initandlisten] git version: 009580ad490190ba33d1c6253ebd8d91808923e4

2017-01-13T12:58:55.151+0000 I CONTROL [initandlisten] OpenSSL version: OpenSSL 1.0.2g 1 Mar 2016

2017-01-13T12:58:55.152+0000 I CONTROL [initandlisten] allocator: tcmalloc

2017-01-13T12:58:55.152+0000 I CONTROL [initandlisten] modules: none

2017-01-13T12:58:55.152+0000 I CONTROL [initandlisten] build environment:

2017-01-13T12:58:55.152+0000 I CONTROL [initandlisten] distmod: ubuntu1604

2017-01-13T12:58:55.152+0000 I CONTROL [initandlisten] distarch: x86_64

2017-01-13T12:58:55.152+0000 I CONTROL [initandlisten] target_arch: x86_64

2017-01-13T12:58:55.153+0000 I CONTROL [initandlisten] options: { net: { port: 27017, ssl: { CAFile: "/etc/ssl/ca.pem", PEMKeyFile: "/etc/ssl/server.pem", allowInvalidHostnames: true, mode: "requireSSL" }

}, security: { authorization: "enabled" }, storage: { dbPath: "/data/db1" } }

2017-01-13T12:58:55.211+0000 I - [initandlisten] Detected data files in /data/db1 created by the 'wiredTiger' storage engine, so setting the active storage engine to 'wiredTiger'.

2017-01-13T12:58:55.212+0000 W - [initandlisten] Detected unclean shutdown - /data/db1/mongod.lock is not empty.

2017-01-13T12:58:55.212+0000 W STORAGE [initandlisten] Recovering data from the last clean checkpoint.

2017-01-13T12:58:55.212+0000 I STORAGE [initandlisten] wiredtiger_open config: create,cache_size=1G,session_max=20000,eviction=(threads_max=4)

,config_base=false,statistics=(fast),log=(enabled=true,archive=true,path=journal,compressor=snappy),file_manager=(close_idle_time=100000),checkpoint=(wait=60,log_size=2GB),statistics_log=(wait=0),

2017-01-13T12:58:55.886+0000 I CONTROL [initandlisten] ** WARNING: You are running this process as the root user, which is not recommended.

2017-01-13T12:58:55.886+0000 I CONTROL [initandlisten]

2017-01-13T12:58:55.895+0000 I FTDC [initandlisten] Initializing full-time diagnostic data capture with directory '/data/db1/diagnostic.data'

2017-01-13T12:58:55.897+0000 I NETWORK [initandlisten] waiting for connections on port 27017 ssl

2017-01-13T12:58:55.897+0000 I NETWORK [HostnameCanonicalizationWorker] Starting hostname canonicalization worker

2017-01-13T12:58:56.026+0000 I FTDC [ftdc] Unclean full-time diagnostic data capture shutdown detected, found interim file, some metrics may have been lost. OK

运行mongod之后，我启动了mongo shell：

$ mongo --port 27017 -u "my username" -p "my password"

--authenticationDatabase "" --ssl --sslPEMKeyFile /etc/ssl/client.pem

--sslCAFile /etc/ssl/ca.pem --host tim

MongoDB shell version: 3.2.11

connecting to: 127.0.0.1:27017/datatest

2017-01-13T12:35:58.247+0000 I NETWORK [initandlisten] connection accepted from 127.0.0.1:38902 #8 (1 connection now open)

2017-01-13T12:35:58.259+0000 E NETWORK [thread1] SSL peer certificate validation failed: self signed certificate

2017-01-13T12:35:58.259+0000 E QUERY [thread1] Error: socket exception [CONNECT_ERROR] for SSL peer certificate validation failed: self signed certificate :

connect@src/mongo/shell/mongo.js:231:14

@(connect):1:6

2017-01-13T12:35:58.263+0000 E NETWORK [conn8] SSL peer certificate validation failed: self signed certificate

2017-01-13T12:35:58.263+0000 I NETWORK [conn8] end connection 127.0.0.1:38902 (0 connections now open)

我究竟做错了什么？