This is a quick-start reference note for deploying MongoDB via Docker with working self-signed TLS.
Note: This setup does not yet consider replica sets. Coming soon…
1. Generate keys for TLS
For example, with a one-year expiry (mongod expects the certificate and the private key concatenated into a single PEM file):
openssl req -nodes -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365
cp cert.pem certificateKey.pem
cat key.pem >> certificateKey.pem
2. Create a Docker Compose file
Make sure the volume mounts reference the correct host paths for the data directory and the combined PEM file.
docker-compose.yml
services:
  mongo:
    image: mongo:5
    restart: always
    command: "--auth --tlsMode requireTLS --tlsCertificateKeyFile /data/certificateKey.pem"
    ports:
      - "27017:27017"
    volumes:
      - /data/mongo:/data/db
      - ./certificateKey.pem:/data/certificateKey.pem
Note: when setting up for the first time, omit the --auth flag, connect over localhost (for example with docker exec into the container) to create the users, and then re-run with --auth. During that first run the published port accepts connections without credentials, so keep the window short or bind the port to the host loopback (e.g. "127.0.0.1:27017:27017") until --auth is back on.
3. Connect
Connect as usual, but append the following to the Mongo connection string your apps use: ?tls=true&tlsAllowInvalidCertificates=true
Note: we need to allow invalid certificates because the one we generated is self-signed. Be aware that tlsAllowInvalidCertificates disables server certificate validation entirely, so the connection is encrypted but the server is not authenticated. The stricter alternative is to ship cert.pem to the client and pass tlsCAFile=/path/to/cert.pem instead, which trusts that specific certificate rather than any certificate (the certificate's CN/SAN then has to match the hostname you connect to).
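As an added example (not part of the original note), the script below builds the certificateKey.pem bundle from step 1 and checks it before it is handed to mongod, catching the usual mistakes: a missing key, an encrypted key, or a key.pem that does not belong to cert.pem. It assumes the openssl CLI is on PATH and uses rsa:2048 plus a constructed subject name so it runs non-interactively; the note's rsa:4096 command produces the same layout.

```shell
#!/bin/sh
# Added example: build and verify the PEM bundle that mongod's
# --tlsCertificateKeyFile expects. Assumes openssl is installed; the
# subject "mongo.example.test" is a constructed placeholder.
set -eu

# make_bundle DIR DAYS: self-signed cert + key in DIR, combined into
# DIR/certificateKey.pem (certificate first, then the unencrypted key).
make_bundle() {
  dir=$1; days=$2
  mkdir -p "$dir"
  openssl req -nodes -x509 -newkey rsa:2048 -days "$days" \
    -keyout "$dir/key.pem" -out "$dir/cert.pem" \
    -subj "/CN=mongo.example.test" >/dev/null 2>&1
  cat "$dir/cert.pem" "$dir/key.pem" > "$dir/certificateKey.pem"
  chmod 600 "$dir/key.pem" "$dir/certificateKey.pem"   # key material: owner-only
}

# check_bundle FILE: prints "ok" if FILE holds exactly one certificate and one
# unencrypted private key that belong together; otherwise prints why and
# returns 1.
check_bundle() {
  f=$1
  certs=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$f" || true)
  keys=$(grep -c -- '-----BEGIN .*PRIVATE KEY-----' "$f" || true)
  [ "$certs" -eq 1 ] || { echo "expected 1 certificate, found $certs"; return 1; }
  [ "$keys" -eq 1 ] || { echo "expected 1 private key, found $keys"; return 1; }
  # mongod would need --tlsCertificateKeyFilePassword for an encrypted key
  if grep -q -- 'BEGIN ENCRYPTED PRIVATE KEY' "$f"; then
    echo "private key is encrypted"; return 1
  fi
  # Compare the public key inside the certificate with the one derived from
  # the private key; a mismatch means the wrong key.pem was appended.
  cert_pub=$(sed -n '/BEGIN CERTIFICATE/,/END CERTIFICATE/p' "$f" \
    | openssl x509 -noout -pubkey)
  key_pub=$(sed -n '/BEGIN .*PRIVATE KEY/,/END .*PRIVATE KEY/p' "$f" \
    | openssl pkey -pubout 2>/dev/null)
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] \
    || { echo "certificate and private key do not match"; return 1; }
  echo ok
}

# tls_probe HOST PORT CAFILE: handshake against a running mongod and validate
# the served certificate against CAFILE (the self-signed cert.pem), which is
# what a client does with tlsCAFile instead of tlsAllowInvalidCertificates.
tls_probe() {
  openssl s_client -connect "$1:$2" -CAfile "$3" </dev/null 2>/dev/null \
    | grep -E '^(subject=|Verify return code|Verification)'
}
```

Run make_bundle ./tls 365 && check_bundle ./tls/certificateKey.pem before copying the bundle next to docker-compose.yml; tls_probe localhost 27017 ./tls/cert.pem needs the container to be up.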