diff --git a/source/includes/extracts-mongo-ssl-options-base.yaml b/source/includes/extracts-mongo-ssl-options-base.yaml deleted file mode 100644 index 68970e34cce..00000000000 --- a/source/includes/extracts-mongo-ssl-options-base.yaml +++ /dev/null @@ -1,31 +0,0 @@ -ref: _mongo-ssl-options -content: | - .. versionchanged:: 3.2.6 - - MongoDB 3.2.6 adds support for checking a certificate against the - system CA store, allowing you to run the {{program}} shell with - the ``--ssl`` option *without* including ``--sslCAFile`` or - ``sslAllowInvalidCertificates``. - - If the :binary:`~bin.mongod` or :binary:`~bin.mongos` to which the - :binary:`~bin.mongo` shell is connecting presents a certificate signed - with a CA trusted by the operating system, the :binary:`~bin.mongo` - shell will connect without error. In previous versions of MongoDB, - the :binary:`~bin.mongo` shell exited with an error that it could not - validate the certificate. ---- -ref: _warning-sslCAFile -content: | - - .. warning:: - - For TLS/SSL connections (``--ssl``) to :binary:`~bin.mongod` and - :binary:`~bin.mongos`, if the {{program}} runs with the - ``--sslAllowInvalidCertificates`` option , the {{program}} will - not attempt to validate the server certificates. This creates a - vulnerability to expired :binary:`~bin.mongod` and :binary:`~bin.mongos` - certificates as well as to foreign processes posing as valid - :binary:`~bin.mongod` or :binary:`~bin.mongos` instances. Only use - ``--sslAllowInvalidCertificates`` on systems where intrusion - is not possible. -... diff --git a/source/includes/extracts-mongo-ssl-options.yaml b/source/includes/extracts-mongo-ssl-options.yaml deleted file mode 100644 index 45e556b0013..00000000000 --- a/source/includes/extracts-mongo-ssl-options.yaml +++ /dev/null 
@@ -1,37 +0,0 @@ -ref: mongo-ssl-options-mongo -inherit: - ref: _mongo-ssl-options - file: extracts-mongo-ssl-options-base.yaml -replacement: - program: ":binary:`~bin.mongo`" - tools: "" ---- -ref: mongo-ssl-options-configure -inherit: - ref: _mongo-ssl-options - file: extracts-mongo-ssl-options-base.yaml -replacement: - program: ":binary:`~bin.mongo`" - instance: ":binary:`~bin.mongod` or :binary:`~bin.mongos`" -post: | - If your MongoDB deployment uses TLS/SSL, you must also specify the ``--host`` option. - {{program}} verifies that the - hostname of the {{instance}} to which you are connecting matches - the CN or SAN of the {{instance}}'s ``--sslPEMKeyFile`` certificate. - If the hostname does not match the CN/SAN, {{program}} will fail to - connect. ---- -ref: mongo-warning-sslCAFile -inherit: - ref: _warning-sslCAFile - file: extracts-mongo-ssl-options-base.yaml -replacement: - program: ":binary:`~bin.mongo` shell" ---- -ref: clients-warning-sslCAFile -inherit: - ref: _warning-sslCAFile - file: extracts-mongo-ssl-options-base.yaml -replacement: - program: ":binary:`~bin.mongo` shell (or :ref:`MongoDB tools `)" -... diff --git a/source/includes/extracts-ssl-facts.yaml b/source/includes/extracts-ssl-facts.yaml new file mode 100644 index 00000000000..f6a50790d57 --- /dev/null +++ b/source/includes/extracts-ssl-facts.yaml 
@@ -0,0 +1,68 @@ +ref: ssl-facts-x509-invalid-certificate +content: | + + Starting in MongoDB 3.2.21, if you specify + ``--sslAllowInvalidCertificates`` or ``ssl.allowInvalidCertificates: + true`` when using x.509 authentication, an invalid certificate is + only sufficient to establish a TLS/SSL connection but is + *insufficient* for authentication. +--- +ref: ssl-facts-x509-ca-file +content: | + + If using x.509 authentication, ``--sslCAFile`` or ``ssl.CAFile`` + must be specified. +--- +ref: ssl-facts-see-more +content: | + For more information about TLS/SSL and MongoDB, see + :doc:`/tutorial/configure-ssl` and + :doc:`/tutorial/configure-ssl-clients` . +--- +# This is separate from the mongod/mongos ca file extract since the version is different. +ref: ssl-facts-mongo-shell-ca +content: | + + Starting in version 3.2.6, if ``--sslCAFile`` or ``ssl.CAFile`` is + not specified, the system-wide CA certificate store will be used + when connecting to an TLS/SSL-enabled server. In previous versions + of MongoDB, the :binary:`~bin.mongo` shell exited with an error that + it could not validate the certificate. + + .. include:: /includes/extracts/ssl-facts-x509-ca-file.rst +--- +ref: ssl-facts-invalid-cert-warning-clients +content: | + + .. warning:: + + For TLS/SSL connections to :binary:`~bin.mongod` and + :binary:`~bin.mongos`, avoid using + ``--sslAllowInvalidCertificates`` if possible and only use + ``--sslAllowInvalidCertificates`` on systems where intrusion is + not possible. + + If the :binary:`~bin.mongo` shell (and other + :ref:`mongodb-tools-support-ssl`) runs with the + ``--sslAllowInvalidCertificates`` option, the + :binary:`~bin.mongo` shell (and other + :ref:`mongodb-tools-support-ssl`) will not attempt to validate + the server certificates. This creates a vulnerability to expired + :binary:`~bin.mongod` and :binary:`~bin.mongos` certificates as + well as to foreign processes posing as valid + :binary:`~bin.mongod` or :binary:`~bin.mongos` instances. 
+ +--- +ref: ssl-facts-mongo-ssl-options-configure +content: | + + To connect to a :binary:`~bin.mongod` or :binary:`~bin.mongos` that + uses TLS/SSL, you must also specify the ``--host`` option for the + :binary:`~bin.mongo` shell if you haven't specified a connect + string. The :binary:`~bin.mongo` shell verifies that the hostname of + the :binary:`~bin.mongod` or :binary:`~bin.mongos` matches the CN or + SAN of ``--sslPEMKeyFile`` certificate presented by the + :binary:`~bin.mongod` or :binary:`~bin.mongos`. If the hostname does + not match the CN/SAN, :binary:`~bin.mongo` will fail to connect. + +... diff --git a/source/includes/fact-ssl-supported.rst b/source/includes/fact-ssl-supported.rst deleted file mode 100644 index 4bfe71202a9..00000000000 --- a/source/includes/fact-ssl-supported.rst +++ /dev/null @@ -1,6 +0,0 @@ -.. versionchanged:: 3.0 - - Most MongoDB distributions include support for TLS/SSL. See - :doc:`/tutorial/configure-ssl` and - :doc:`/tutorial/configure-ssl-clients` for more information about - TLS/SSL and MongoDB. diff --git a/source/includes/options-conf.yaml b/source/includes/options-conf.yaml index 5f8afc33cac..49d7f138f8d 100644 --- a/source/includes/options-conf.yaml +++ b/source/includes/options-conf.yaml @@ -686,6 +686,7 @@ directive: setting replacement: program: ":binary:`~bin.mongos` or :binary:`~bin.mongod`" verb: "Enable or disable" + setting: "``allowInvalidCertificates: true``" inherit: name: sslAllowInvalidCertificates program: mongod @@ -1568,7 +1569,7 @@ description: | MongoDB instances if the hostname their certificates do not match the specified hostname. - .. include:: /includes/fact-ssl-supported.rst + .. include:: /includes/extracts/ssl-facts-see-more.rst replacement: program: ":binary:`~bin.mongod`" diff --git a/source/includes/options-mongo.yaml b/source/includes/options-mongo.yaml index a12c4f22b4d..1382c1664b5 100644 --- a/source/includes/options-mongo.yaml +++ b/source/includes/options-mongo.yaml 
@@ -213,12 +213,14 @@ args: null directive: option description: | + .. versionchanged:: 3.2.6 + Enables connection to a :binary:`~bin.mongod` or :binary:`~bin.mongos` that has TLS/SSL support enabled. - .. include:: /includes/extracts/mongo-ssl-options-mongo.rst + .. include:: /includes/extracts/ssl-facts-mongo-shell-ca.rst - .. include:: /includes/fact-ssl-supported.rst + .. include:: /includes/extracts/ssl-facts-see-more.rst optional: true --- program: mongo @@ -236,7 +238,7 @@ description: | :setting:`~net.ssl.CAFile` enabled *without* :setting:`~net.ssl.allowConnectionsWithoutCertificates`. - .. include:: /includes/fact-ssl-supported.rst + .. include:: /includes/extracts/ssl-facts-see-more.rst optional: true --- program: mongo @@ -254,7 +256,7 @@ description: | specify the {{role}} option, the {{program}} will prompt for a passphrase. See :ref:`ssl-certificate-password`. - .. include:: /includes/fact-ssl-supported.rst + .. include:: /includes/extracts/ssl-facts-see-more.rst optional: true --- program: mongo @@ -266,11 +268,9 @@ description: | from the Certificate Authority. Specify the file name of the :file:`.pem` file using relative or absolute paths. - .. include:: /includes/extracts/mongo-ssl-options-mongo.rst - - .. include:: /includes/extracts/mongo-warning-sslCAFile.rst + .. include:: /includes/extracts/ssl-facts-mongo-shell-ca.rst - .. include:: /includes/fact-ssl-supported.rst + .. include:: /includes/extracts/ssl-facts-see-more.rst optional: true --- @@ -284,7 +284,7 @@ description: | List. Specify the file name of the :file:`.pem` file using relative or absolute paths. - .. include:: /includes/fact-ssl-supported.rst + .. include:: /includes/extracts/ssl-facts-see-more.rst optional: true --- program: mongo 
@@ -302,15 +302,18 @@ directive: option description: | Bypasses the validation checks for server certificates and allows - the use of invalid certificates. When using the - :setting:`~net.ssl.allowInvalidCertificates` setting, MongoDB logs as a - warning the use of the invalid certificate. + the use of invalid certificates to connect. + + .. note:: + + .. include:: /includes/extracts/ssl-facts-x509-invalid-certificate.rst - .. include:: /includes/extracts/mongo-ssl-options-mongo.rst + .. include:: /includes/extracts/ssl-facts-invalid-cert-warning-clients.rst - .. include:: /includes/extracts/mongo-warning-sslCAFile.rst + When using the :setting:`~net.ssl.allowInvalidCertificates` setting, + MongoDB logs as a warning the use of the invalid certificate. - .. include:: /includes/fact-ssl-supported.rst + .. include:: /includes/extracts/ssl-facts-see-more.rst optional: true --- program: mongo diff --git a/source/includes/options-mongod.yaml b/source/includes/options-mongod.yaml index f5b8bd97980..f54f3fdeb3a 100644 --- a/source/includes/options-mongod.yaml +++ b/source/includes/options-mongod.yaml @@ -598,7 +598,9 @@ description: | - Recommended. Send the x.509 certificate for authentication and accept only x.509 certificates. - .. include:: /includes/fact-ssl-supported.rst + .. include:: /includes/extracts/ssl-facts-x509-ca-file.rst + + .. include:: /includes/extracts/ssl-facts-see-more.rst optional: true --- program: mongod @@ -1183,7 +1185,7 @@ description: | {{option}}. By default, {{role}} is disabled. - .. include:: /includes/fact-ssl-supported.rst + .. include:: /includes/extracts/ssl-facts-see-more.rst optional: true replacement: verb: "Enables" @@ -1226,7 +1228,9 @@ description: | - The server uses and accepts only TLS/SSL encrypted connections. - .. include:: /includes/fact-ssl-supported.rst + .. include:: /includes/extracts/ssl-facts-x509-ca-file.rst + + .. include:: /includes/extracts/ssl-facts-see-more.rst optional: true replacement: 
@@ -1244,7 +1248,7 @@ description: | You must specify {{role}} when TLS/SSL is enabled. - .. include:: /includes/fact-ssl-supported.rst + .. include:: /includes/extracts/ssl-facts-see-more.rst optional: true replacement: intro: "Specifies the" @@ -1264,7 +1268,7 @@ description: | specify the {{role}} option, the {{program}} will prompt for a passphrase. See :ref:`ssl-certificate-password`. - .. include:: /includes/fact-ssl-supported.rst + .. include:: /includes/extracts/ssl-facts-see-more.rst optional: true replacement: intro: "Specifies the" @@ -1285,7 +1289,9 @@ description: | authentication, the cluster uses the ``.pem`` file specified in the {{pemKeyOption}} {{directive}}. - .. include:: /includes/fact-ssl-supported.rst + .. include:: /includes/extracts/ssl-facts-x509-ca-file.rst + + .. include:: /includes/extracts/ssl-facts-see-more.rst optional: true replacement: pemKeyOption: ":option:`--sslPEMKeyFile`" @@ -1308,7 +1314,7 @@ description: | {{role}} option, the {{program}} will prompt for a passphrase. See :ref:`ssl-certificate-password`. - .. include:: /includes/fact-ssl-supported.rst + .. include:: /includes/extracts/ssl-facts-see-more.rst optional: true replacement: intro: "Specifies the" @@ -1323,9 +1329,9 @@ description: | from the Certificate Authority. Specify the file name of the :file:`.pem` file using relative or absolute paths. - .. include:: /includes/fact-ssl-supported.rst + .. include:: /includes/extracts/ssl-facts-x509-ca-file.rst + .. include:: /includes/extracts/ssl-facts-see-more.rst - .. include:: /includes/warning-x509-requires-sslCAfile.rst optional: true replacement: intro: "Specifies the" @@ -1340,7 +1346,7 @@ description: | List. Specify the file name of the :file:`.pem` file using relative or absolute paths. - .. include:: /includes/fact-ssl-supported.rst + .. include:: /includes/extracts/ssl-facts-see-more.rst optional: true replacement: intro: "Specifies the" 
@@ -1351,14 +1357,19 @@ args: null directive: option description: | - {{verb}} the validation checks for TLS/SSL certificates on other servers - in the cluster and allows the use of invalid certificates. + {{verb}} the validation checks for TLS/SSL certificates on other + servers in the cluster and allows the use of invalid certificates to + connect. + + .. note:: + + .. include:: /includes/extracts/ssl-facts-x509-invalid-certificate.rst When using the {{role}} setting, MongoDB logs a warning regarding the use of the invalid certificate. - .. include:: /includes/fact-ssl-supported.rst + .. include:: /includes/extracts/ssl-facts-see-more.rst optional: true replacement: verb: "Bypasses" @@ -1381,7 +1392,7 @@ description: | Use the {{role}} option if you have a mixed deployment that includes clients that do not or cannot present certificates to the {{program}}. - .. include:: /includes/fact-ssl-supported.rst + .. include:: /includes/extracts/ssl-facts-see-more.rst replacement: verb: "Disables" old_name: "``--sslWeakCertificateValidation``" @@ -1401,7 +1412,7 @@ description: | to other members if the hostnames in their certificates do not match their configured hostname. - .. include:: /includes/fact-ssl-supported.rst + .. include:: /includes/extracts/ssl-facts-see-more.rst optional: true --- program: mongod diff --git a/source/includes/options-shared.yaml b/source/includes/options-shared.yaml index dd1eff4b65c..25e8ea083ff 100644 --- a/source/includes/options-shared.yaml +++ b/source/includes/options-shared.yaml @@ -127,7 +127,7 @@ description: | Enables connection to a :binary:`~bin.mongod` or :binary:`~bin.mongos` that has TLS/SSL support enabled. - .. include:: /includes/fact-ssl-supported.rst + .. include:: /includes/extracts/ssl-facts-see-more.rst optional: true --- program: _shared 
@@ -142,8 +142,6 @@ description: | from the Certificate Authority. Specify the file name of the :file:`.pem` file using relative or absolute paths. - .. include:: /includes/fact-ssl-supported.rst - .. warning:: For TLS/SSL connections (``--ssl``) to :binary:`~bin.mongod` and @@ -156,6 +154,7 @@ description: | CA file to validate the server certificates in cases where intrusion is a possibility. + .. include:: /includes/extracts/ssl-facts-see-more.rst optional: true --- program: _shared @@ -175,7 +174,7 @@ description: | :setting:`~net.ssl.CAFile` enabled *without* :setting:`~net.ssl.allowConnectionsWithoutCertificates`. - .. include:: /includes/fact-ssl-supported.rst + .. include:: /includes/extracts/ssl-facts-see-more.rst optional: true --- program: _shared @@ -195,7 +194,7 @@ description: | the {{role}} option, the {{program}} will prompt for a passphrase. See :ref:`ssl-certificate-password`. - .. include:: /includes/fact-ssl-supported.rst + .. include:: /includes/extracts/ssl-facts-see-more.rst optional: true --- program: _shared @@ -210,7 +209,7 @@ description: | List. Specify the file name of the :file:`.pem` file using relative or absolute paths. - .. include:: /includes/fact-ssl-supported.rst + .. include:: /includes/extracts/ssl-facts-see-more.rst optional: true --- program: _shared @@ -228,7 +227,11 @@ description: | :setting:`~net.ssl.allowInvalidCertificates` setting, MongoDB logs as a warning the use of the invalid certificate. - .. include:: /includes/fact-ssl-supported.rst + .. include:: /includes/extracts/ssl-facts-x509-invalid-certificate.rst + + .. include:: /includes/extracts/ssl-facts-invalid-cert-warning-clients.rst + + .. include:: /includes/extracts/ssl-facts-see-more.rst optional: true --- program: _shared 
@@ -243,7 +246,7 @@ description: | {{program}} to connect to MongoDB instances even if the hostname in their certificates do not match the specified hostname. - .. include:: /includes/fact-ssl-supported.rst + .. include:: /includes/extracts/ssl-facts-see-more.rst optional: true --- program: _shared diff --git a/source/reference/method/cursor.max.txt b/source/reference/method/cursor.max.txt index 7a2e6c784a7..8e677ebc817 100644 --- a/source/reference/method/cursor.max.txt +++ b/source/reference/method/cursor.max.txt @@ -67,9 +67,15 @@ Index Bounds ~~~~~~~~~~~~ If you use :method:`~cursor.max()` with :method:`~cursor.min()` to -specify a range, the index bounds specified in -:method:`~cursor.min()` and :method:`~cursor.max()` -must both refer to the keys of the same index. +specify a range: + +- the index bounds specified in :method:`~cursor.min()` and + :method:`~cursor.max()` must both refer to the keys of the same index. + +- the bound specified by :method:`~cursor.max()` must be greater than + the bound specified by :method:`~cursor.min()`. + + .. versionchanged:: 3.2.21 ``max()`` without ``min()`` ~~~~~~~~~~~~~~~~~~~~~~~~~~~ @@ -131,6 +137,13 @@ The collection has the following indexes: :method:`~cursor.min()` limits the query to the documents that are at or above the index key bound of ``price`` equal to ``1.39``: + + .. note:: + + .. versionchanged:: 3.2.21 + + The bound specified by :method:`~cursor.max()` must be greater + than the bound specified by :method:`~cursor.min()`. .. code-block:: javascript diff --git a/source/reference/method/cursor.min.txt b/source/reference/method/cursor.min.txt index 07f24a23899..924d73d08b3 100644 --- a/source/reference/method/cursor.min.txt +++ b/source/reference/method/cursor.min.txt 
@@ -68,9 +68,15 @@ Index Bounds ~~~~~~~~~~~~ If you use :method:`~cursor.min()` with :method:`~cursor.max()` to -specify a range, the index bounds specified in -:method:`~cursor.min()` and :method:`~cursor.max()` must both refer -to the keys of the same index. +specify a range: + +- the index bounds specified in :method:`~cursor.min()` and + :method:`~cursor.max()` must both refer to the keys of the same index. + +- the bound specified by :method:`~cursor.max()` must be greater than + the bound specified by :method:`~cursor.min()`. + + .. versionchanged:: 3.2.21 ``min()`` without ``max()`` ~~~~~~~~~~~~~~~~~~~~~~~~~~~ @@ -136,6 +142,13 @@ The collection has the following indexes: :method:`~cursor.max()` limits the query to the documents that are below the index key bound of ``price`` equal to ``1.99``: + .. note:: + + .. versionchanged:: 3.2.21 + + The bound specified by :method:`~cursor.max()` must be greater + than the bound specified by :method:`~cursor.min()`. + .. code-block:: javascript db.products.find().min( { price: 1.39 } ).max( { price: 1.99 } ).hint( { price: 1 } ) diff --git a/source/reference/operator/meta/max.txt b/source/reference/operator/meta/max.txt index 91f17d8e9f6..40b22cb623e 100644 --- a/source/reference/operator/meta/max.txt +++ b/source/reference/operator/meta/max.txt @@ -57,9 +57,15 @@ index on ``_id`` may be better. Index Bounds ~~~~~~~~~~~~ -If you use :operator:`$max` with :operator:`$min` to specify a range, -the index bounds specified in :operator:`$min` and :operator:`$max` -must both refer to the keys of the same index. +If you use :operator:`$max` with :operator:`$min` to specify a range: + +- the index bounds specified in :operator:`$min` and :operator:`$max` + must both refer to the keys of the same index. + +- the bound specified by :operator:`$max` must be greater than + the bound specified by :operator:`$min`. + + .. versionchanged:: 3.2.21 ``$max`` without ``$min`` ~~~~~~~~~~~~~~~~~~~~~~~~~ 
@@ -116,6 +122,13 @@ Use :operator:`$max` alone or in conjunction with :operator:`$min` to limit results to a specific range for the *same* index, as in the following example: +.. note:: + + .. versionchanged:: 3.2.21 + + The bound specified by :operator:`$max` must be greater than the + bound specified by :operator:`$min`. + .. code-block:: javascript db.collection.find().min( { age: 20 } ).max( { age: 25 } ) diff --git a/source/reference/operator/meta/min.txt b/source/reference/operator/meta/min.txt index 9e4b1c981c4..f05e0ff0139 100644 --- a/source/reference/operator/meta/min.txt +++ b/source/reference/operator/meta/min.txt @@ -58,8 +58,14 @@ Index Bounds ~~~~~~~~~~~~ If you use :operator:`$max` with :operator:`$min` to specify a range, -the index bounds specified in :operator:`$min` and :operator:`$max` -must both refer to the keys of the same index. + +- the index bounds specified in :operator:`$min` and :operator:`$max` + must both refer to the keys of the same index. + +- the bound specified by :operator:`$max` must be greater than + the bound specified by :operator:`$min`. + + .. versionchanged:: 3.2.21 ``$min`` without ``$max`` ~~~~~~~~~~~~~~~~~~~~~~~~~ @@ -116,6 +122,13 @@ You can use :operator:`$min` in conjunction with :operator:`$max` to limit results to a specific range for the *same* index, as in the following example: +.. note:: + + .. versionchanged:: 3.2.21 + + The bound specified by :operator:`$max` must be greater than the + bound specified by :operator:`$min`. + .. code-block:: javascript db.collection.find().min( { age: 20 } ).max( { age: 25 } ) diff --git a/source/reference/parameters.txt b/source/reference/parameters.txt index 15436df7d47..5420d296917 100644 --- a/source/reference/parameters.txt +++ b/source/reference/parameters.txt 
@@ -130,7 +130,7 @@ Authentication Parameters membership authentication ` to minimize downtime. - .. include:: /includes/fact-ssl-supported.rst + .. include:: /includes/extracts/ssl-facts-see-more.rst .. code-block:: sh @@ -256,7 +256,7 @@ Authentication Parameters ``requireSSL``. Useful during :doc:`rolling upgrade to TLS/SSL ` to minimize downtime. - .. include:: /includes/fact-ssl-supported.rst + .. include:: /includes/extracts/ssl-facts-see-more.rst .. code-block:: sh diff --git a/source/tutorial/configure-ssl-clients.txt b/source/tutorial/configure-ssl-clients.txt index 205fbe54fd7..7e020c52676 100644 --- a/source/tutorial/configure-ssl-clients.txt +++ b/source/tutorial/configure-ssl-clients.txt @@ -48,9 +48,7 @@ settings, including: - :option:`--sslCAFile ` with the name of the :file:`.pem` file that contains the certificate from the Certificate Authority (CA). -.. include:: /includes/extracts/mongo-ssl-options-configure.rst - -.. include:: /includes/extracts/clients-warning-sslCAFile.rst +.. include:: /includes/extracts/ssl-facts-mongo-ssl-options-configure.rst For a complete list of the :binary:`~bin.mongo` shell's TLS/SSL settings, see :ref:`mongo-shell-ssl`. @@ -68,7 +66,7 @@ server certificates. mongo --ssl --host hostname.example.com --sslCAFile /etc/ssl/ca.pem -.. include:: /includes/extracts/mongo-ssl-options-configure.rst +.. include:: /includes/extracts/ssl-facts-invalid-cert-warning-clients.rst Connect to MongoDB Instance that Requires Client Certificates ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ @@ -86,7 +84,7 @@ server certificates. mongo --ssl --host hostname.example.com --sslPEMKeyFile /etc/ssl/client.pem --sslCAFile /etc/ssl/ca.pem -.. include:: /includes/extracts/mongo-ssl-options-configure.rst +.. include:: /includes/extracts/ssl-facts-invalid-cert-warning-clients.rst Connect to MongoDB Instance that Validates when Presented with a Certificate ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
@@ -102,7 +100,7 @@ To connect to a :binary:`~bin.mongod` or :binary:`~bin.mongos` instance that :option:`--sslCAFile `, and a **valid** signed certificate. -.. include:: /includes/extracts/mongo-ssl-options-configure.rst +.. include:: /includes/extracts/ssl-facts-invalid-cert-warning-clients.rst For example, if :binary:`~bin.mongod` is running with weak certificate validation, both of the following :binary:`~bin.mongo` shell clients can diff --git a/source/tutorial/configure-x509-client-authentication.txt b/source/tutorial/configure-x509-client-authentication.txt index 847a7ef696f..878bd047ce5 100644 --- a/source/tutorial/configure-x509-client-authentication.txt +++ b/source/tutorial/configure-x509-client-authentication.txt @@ -31,6 +31,7 @@ Prerequisites .. important:: .. include:: /includes/extracts/security-prereq-configure-x509-client-authentication.rst + Certificate Authority ~~~~~~~~~~~~~~~~~~~~~ @@ -41,6 +42,12 @@ Certificate Authority Client x.509 Certificate ~~~~~~~~~~~~~~~~~~~~~~~~ +.. note:: + + You must have valid x.509 certificates. + + .. include:: /includes/extracts/ssl-facts-x509-invalid-certificate.rst + .. include:: /includes/extracts/x509-certificate-client.rst Procedures diff --git a/source/tutorial/configure-x509-member-authentication.txt b/source/tutorial/configure-x509-member-authentication.txt index f0ecfae9574..0690b1a61a6 100644 --- a/source/tutorial/configure-x509-member-authentication.txt +++ b/source/tutorial/configure-x509-member-authentication.txt @@ -40,6 +40,12 @@ connect and perform operations in the deployment. Member x.509 Certificate ------------------------ +.. note:: + + You must have valid x.509 certificates. + + .. include:: /includes/extracts/ssl-facts-x509-invalid-certificate.rst + Certificate Requirements ~~~~~~~~~~~~~~~~~~~~~~~~ diff --git a/source/tutorial/upgrade-cluster-to-ssl.txt b/source/tutorial/upgrade-cluster-to-ssl.txt index e4e50688778..680f4c3e929 100644 --- a/source/tutorial/upgrade-cluster-to-ssl.txt 
+++ b/source/tutorial/upgrade-cluster-to-ssl.txt @@ -10,7 +10,6 @@ Upgrade a Cluster to Use TLS/SSL :depth: 1 :class: singlecol -.. include:: /includes/fact-ssl-supported.rst .. important:: .. include:: /includes/extracts/security-prereq-configure-ssl-clients.rst
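Review bot: In the new `ssl-facts-mongo-shell-ca` extract (extracts-ssl-facts.yaml, hunk @@ -0,0 +1,68), "if ``--sslCAFile`` or ``ssl.CAFile`` is not specified" names a mongod/mongos configuration-file setting in text that the comment above it marks as mongo-shell specific; the shell is driven by command-line options only, so this should read "if ``--sslCAFile`` is not specified". In the same extract, "an TLS/SSL-enabled server" should be "a TLS/SSL-enabled server". In `ssl-facts-see-more`, drop the space in ":doc:`/tutorial/configure-ssl-clients` ." so the output does not read "configure-ssl-clients ." (a period directly after the closing backtick is valid reST). In `ssl-facts-invalid-cert-warning-clients`, the parenthetical "(and other :ref:`mongodb-tools-support-ssl`)" appears twice in one sentence; name the subject once. In `ssl-facts-mongo-ssl-options-configure`, "SAN of ``--sslPEMKeyFile`` certificate" needs "the" before the option name.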
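Review bot: Deleting fact-ssl-supported.rst (hunk @@ -1,6 +0,0) removes the ".. versionchanged:: 3.0 Most MongoDB distributions include support for TLS/SSL" statement from every page that included it, and the replacement `ssl-facts-see-more` extract carries only the two links. If that support statement is still wanted, reinstate it once on the tutorial page it points to rather than losing it entirely; if dropping it is intended, say so in the commit message.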
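Review bot: The added `setting: "``allowInvalidCertificates: true``"` replacement key in options-conf.yaml (hunk @@ -686) has no visible consumer: the inherited mongod `sslAllowInvalidCertificates` description touched by this patch (options-mongod.yaml @@ -1351) substitutes only `{{verb}}` and `{{role}}`, and the x.509 extract hard-codes "``ssl.allowInvalidCertificates: true``". Either reference `{{setting}}` in the description or drop the key so it does not become dead configuration.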
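Review bot: The bare `.. versionchanged:: 3.2.6` added at the top of the mongo shell `--ssl` description (options-mongo.yaml, hunk @@ -213) has no body, so it renders as "Changed in version 3.2.6." with nothing saying what changed, while the `ssl-facts-mongo-shell-ca.rst` included two lines later already opens with "Starting in version 3.2.6". Give the directive a one-line body (the fallback to the system CA store when `--sslCAFile` is absent) or remove it and let the extract carry the version note.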
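Review bot: The relocated sentence in the mongo shell `--sslAllowInvalidCertificates` description (options-mongo.yaml, hunk @@ -302), "When using the :setting:`~net.ssl.allowInvalidCertificates` setting, MongoDB logs as a warning the use of the invalid certificate.", points the shell's option text at a mongod/mongos configuration setting; the shell has no configuration file. Use the option name via `{{role}}`, as the mongod variant in this patch does ("When using the {{role}} setting, MongoDB logs a warning regarding the use of the invalid certificate."). Also confirm in the YAML block scalar that the `.. include::` under the new `.. note::` is indented beneath it, since the note otherwise renders empty.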
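Review bot: The two new `.. include::` lines in the mongod `--sslCAFile` description (options-mongod.yaml, hunk @@ -1323) are not separated by a blank line, unlike every other site in this patch; add one for consistency. The include of `/includes/warning-x509-requires-sslCAfile.rst` removed here is not matched by a deletion of that file; if nothing else includes it, delete it in this patch as was done for fact-ssl-supported.rst, otherwise it lingers as an orphaned include.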
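Review bot: The inline `.. warning::` kept in the shared tools `--sslCAFile` description (options-shared.yaml, hunks @@ -142 and @@ -156), beginning "For TLS/SSL connections (``--ssl``) to :binary:`~bin.mongod` and" and ending "CA file to validate the server certificates in cases where intrusion is a possibility.", restates the text that the new `ssl-facts-invalid-cert-warning-clients` extract is meant to single-source. Replace the inline block with `.. include:: /includes/extracts/ssl-facts-invalid-cert-warning-clients.rst` so the wording cannot drift between the tools and shell pages.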
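Review bot: `ssl-facts-x509-invalid-certificate.rst` is included bare in the shared `--sslAllowInvalidCertificates` description (options-shared.yaml, hunk @@ -228), whereas the mongo (@@ -302) and mongod (@@ -1351) descriptions of the same option wrap that include in a `.. note::` and place the "logs as a warning" sentence after it. Align the three so the option reads the same regardless of program.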
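Review bot: The `.. versionchanged:: 3.2.21` in the cursor.max.txt Index Bounds hunk (@@ -67) is indented under the second bullet with no body, so it renders as a bare "Changed in version 3.2.21." attached to nothing; give it the body the examples hunk uses ("The bound specified by :method:`~cursor.max()` must be greater than the bound specified by :method:`~cursor.min()`.") or place it at list level with that text. The same construction recurs in cursor.min.txt (@@ -68), max.txt (@@ -57) and min.txt (@@ -58). Also state whether equal bounds are rejected: "greater than" excludes `min() == max()`, which is fine if that is the 3.2.21 behaviour, but should read "greater than or equal to" if equality is accepted.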
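Review bot: The `.. note::` added in the cursor.max.txt examples hunk (@@ -131) lands between the sentence that ends in a colon ("... at or above the index key bound of ``price`` equal to ``1.39``:") and the `.. code-block:: javascript` that the colon introduces, so the colon now points at the note instead of the example. Move the note above the introductory sentence or below the code block.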
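Review bot: Same placement problem in the cursor.min.txt examples hunk (@@ -136): the new `.. note::` sits between "... below the index key bound of ``price`` equal to ``1.99``:" and the `.. code-block:: javascript` it introduces, and the $max (@@ -116) and $min (@@ -116) hunks do the same after "as in the following example:". In all four, move the note above the lead-in sentence or after the code block so the colon still introduces the code.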
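Review bot: The min.txt Index Bounds hunk (@@ -58) keeps the trailing comma in "If you use :operator:`$max` with :operator:`$min` to specify a range," before the new bullet list, while the three sibling hunks change it to "range:"; use the colon here too. While touching the sentence, on the `$min` page it would read more naturally led by `$min` ("If you use :operator:`$min` with :operator:`$max`"), matching how cursor.min.txt leads with `min()`.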
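Review bot: In configure-ssl-clients.txt the `ssl-facts-invalid-cert-warning-clients.rst` warning is now included after all three connection examples (hunks @@ -68, @@ -86 and @@ -102), including the server-certificate-validation example that uses `--sslCAFile` and never sets `--sslAllowInvalidCertificates`. Include it once, next to the text that actually discusses `--sslAllowInvalidCertificates` (the weak-validation section at @@ -102), rather than repeating the same warning three times on one page; the old `mongo-ssl-options-configure` include it replaces was the hostname-verification note, which is a different point.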
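Review bot: The hunk at @@ -31 in configure-x509-client-authentication.txt only adds a blank line after the `.. include::` inside the `.. important::` block; check that the added line carries no trailing whitespace, and drop the hunk if it was accidental.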
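Review bot: In upgrade-cluster-to-ssl.txt (hunk @@ -10) the `fact-ssl-supported.rst` include is removed with no replacement, whereas every other site in this patch swaps in `ssl-facts-see-more.rst`. If the pointer to the TLS/SSL tutorials is wanted on this page, add `.. include:: /includes/extracts/ssl-facts-see-more.rst` here as well; if it is intentionally dropped because this page is one of those tutorials, a short note in the commit message would save the next reader the question.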