Thanks for adding SSH and SSL support in 0.9.0-RC10.
I tried to enable SSH and SSL at the same time, but I got an error saying "SSH and SSL cannot be enabled simultaneously".
I usually need to use the following commands in order to connect to mongodb server:
ssh -L 27017:mongo-host:27017 jump-server
mongo --ssl localhost:27017
Hi @pinkplus, thanks a lot for your interest in Robomongo. We will consider your request.
To both of your questions, yes.
Good to hear at least you are able to do your work with workaround.
We have considered this option and have done a quick test with enabling SSH and SSL in the code and with the same network config as yours, and it worked. But it still requires some coding and testing.
We decided to include this not in the next but the following release. (Robomongo 1.0)
Please follow the latest releases and news here:
https://twitter.com/Robomongo
Warm Regards from Robomongo Team
Sounds really good. Thanks!
One problem with manually using local SSH port forwarding to set up a tunnel is that it means you can't use SSL hostname validation, as Robomongo doesn't let you override the hostname that it uses to validate the SSL certificate.
Hi @elyscape, that is correct. We still plan to include enabling SSH & SSL in the next release, but unfortunately the next release is being delayed until after the new year due to major changes caused by the new Replica Set feature.
We have tested two solutions for you and they worked in our labs. The third solution is providing a beta version of Robomongo. Details below.
This is kind of a quick and dirty one. This basically disables the hostname validation.
With this solution, we indirectly override the hostname.
Assuming we are using following port forwarding config:
ssh -L 27017:server_hostname:27017 ssh_user@ssh_server_IP
cat /etc/hosts
...
# this must be the host name specified in SSL certificate
127.0.0.1 server_hostname
This way we manipulate the hostname which is being sent to the SSL MongoDB server.
If the problem still exists after the first two solutions, it is possible to provide a beta version of Robomongo with SSL & SSH enabled. It will not be a fully tested version. But basic SSH & SSL should work; at least it worked in our labs.
I hope the first two solutions will help. Please let us know.
@pinkplus
If you have any other problems or difficulties working, beta version is also an option for you.
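A pre-flight check for the /etc/hosts workaround described in the comment above, as an added example that is not part of the original thread or of Robomongo's code. It confirms that the certificate's hostname resolves to the local end of the `ssh -L` forward, so hostname validation can stay enabled; the function names and the sample hosts body are constructed for illustration.

```python
import ipaddress

# Constructed sample /etc/hosts body, modelled on the entry shown in the thread.
SAMPLE_HOSTS = """\
127.0.0.1 localhost
# this must be the host name specified in SSL certificate
127.0.0.1 server_hostname
"""

def _is_loopback(addr):
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return addr == "localhost"

def parse_forward(spec):
    """Split an `ssh -L` value: [bind_address:]port:host:hostport (no IPv6 brackets)."""
    parts = spec.split(":")
    if len(parts) == 3:
        parts = ["localhost"] + parts  # by default ssh binds the forward to loopback
    if len(parts) != 4:
        raise ValueError(f"unsupported forward spec: {spec!r}")
    bind, lport, host, rport = parts
    return bind, int(lport), host, int(rport)

def hosts_lookup(hosts_text, name):
    """Return every address a hosts-file body maps `name` to (comments ignored)."""
    found = []
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and name.lower() in (f.lower() for f in fields[1:]):
            found.append(fields[0])
    return found

def check_tunnel(forward_spec, hosts_text, cert_hostname):
    """Report where the client should connect and what would break validation."""
    bind, lport, _target, _rport = parse_forward(forward_spec)
    problems = []
    addrs = hosts_lookup(hosts_text, cert_hostname)
    if not addrs:
        problems.append("certificate name has no hosts entry; it will not resolve to the tunnel")
    elif not all(_is_loopback(a) for a in addrs):
        problems.append("certificate name maps to a non-loopback address")
    if not _is_loopback(bind):
        problems.append("forward listens beyond loopback; other machines can use the tunnel")
    return {"connect_to": f"{cert_hostname}:{lport}", "problems": problems}

if __name__ == "__main__":
    print(check_tunnel("27017:server_hostname:27017", SAMPLE_HOSTS, "server_hostname"))
```

An empty problem list means the client can be pointed at the reported `connect_to` address with hostname validation left on, instead of falling back to the first workaround.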
Why is this still not included in Robomongo 1.0?
I second @joelchen
I'm killing myself trying to connect to our Atlas cluster (which requires SSL), but because of the VPC Peering setup is inaccessible from anything other than instances in our VPC. Jump host it is, but I get an error trying to enable SSH and SSL at the same time. FWIW, Mongo Compass allows me to do an SSH+SSL connection.
Any word on the roadmap or where I could download a beta that might let me connect in this way?
Hi guys, unfortunately there are some critical features that need to be developed, which causes this issue to be delayed. However, it is possible to provide beta versions.
Can you specify your OS for beta installers?
(Warning: Beta will be on fully tested 1.0 version, but SSH & SSL test is not complete)
@mikeytag, as I understand you would like to use SSH + SSL + Replica Sets.
Replica sets with SSL is fine, but for replica sets with SSH there are some limitations. It requires additional development. Currently, the high priority task is to complete MongoDB 3.4 support. We will consider working on the replica set with SSH limitations with the 3.4 support task or after.
Hi @simsekgokhan I'm currently on macOS and would use that to beta anything with Robomongo.
Essentially all I need to do is have Robomongo go through the SSH tunnel and then use the --ssl flag when trying to connect through the tunnel. I'm just doing Direct Connection and not bothering with Replica Sets at all (I just adjust to whoever the Leader is at the time). Atlas also doesn't require any special CA files or anything. I just need the mongo connection line behind the scenes to have --ssl on it, but I can't because Robomongo won't let me checkbox both SSH and SSL at the same time.
I understand that there are a whole lot more things to consider when enabling all the features that are possible on the SSL config. However, would it be feasible to allow them both at the same time but fire a warning that when both SSH and SSL are used only a limited SSL feature set is available (no custom certs, keys, etc)?
@mikeytag, thanks for the details. Please see the beta below:
Robomongo 1.0.1: SSL and SSH can be enabled at the same time for a connection:
robomongo-1.0.1-darwin-x86_64-c73402a.dmg.zip
SSH and SSL features will be fully usable on UI, but we do not know the results in practice.
Please let us know if it works. I hope it will help.
Thank you so much @simsekgokhan!
Here are my results.
I first tried the Replica Set mode just for kicks with SSH and SSL using the "Self Signed Cert" option and nothing else on the SSL screen. This config failed but I expected it to as the replica set connection seems to be a bit more advanced.
I next switched to Direct Connection + SSH + SSL with "Self Signed Cert" chosen and was able to successfully connect to my Atlas leader (and any other Atlas node for that matter)!
I next tried Direct Connection + SSH + SSL with "Use CA Certificate" chosen and gave a CA certificate path of: /private/etc/ssl/cert.pem (I'm not sure if this is the CA path on macOS as I'm more used to locations on *nix). This didn't work as I imagine what Robomongo is doing is appending --sslCAFile to the connection string on the SSH jump host. I tried giving the path to the ca.pem file that I know exists on my Linux SSH host, but Robomongo yells at me and won't let me test or save the config because that path to ca.pem doesn't exist on my Mac, which makes sense.
In short, this build helps me solve my immediate need of connecting to Atlas via direct connection and an SSH jump host. (Thank you!) I would imagine that if anyone else out there had a more complicated setup then it wouldn't work and more fundamental Robomongo changes would need to be made.
@mikeytag
Not a problem, glad to see that at least connection to Atlas is working : )
Thanks a lot for sharing detailed results.
I created new ticket for SSH & Replica Set support. You can follow here: https://github.com/Studio3T/robomongo/issues/1340 or on twitter https://twitter.com/Robomongo for related updates.
Thanks for https://github.com/Studio3T/robomongo/files/963709/robomongo-1.0.1-darwin-x86_64-c73402a.dmg.zip, but this feature is not available in https://github.com/Studio3T/robomongo/releases/download/v1.1.0-beta/robomongo-1.1.0-beta-darwin-x86_64-e1227bf.dmg.
Please include this feature into upcoming 1.1.0 final release.
Would be nice to have SSH tunnel and SSL support soon so that we can connect to MongoDB Atlas via proxy machine. This works fine with MongoDB Compass, but that tool is just not good for what Robomongo is great at. Thanks
@joelchen, we have included SSH & SSL in the latest release 1.1. But, as noted before, it is not expected to work with Replica Sets. FYI.
@tnokovski, it is possible to use SSH & SSL at the same time in the latest release 1.1 but, unfortunately, it will work only with a direct connection to any of the cluster members. Currently, the feature Replica Set & SSH & SSL requires non-trivial development work.