So we have deployed a self-hosted instance of AppSmith on Docker using an external MongoDB replica set within Docker as well. We are using an external MongoDB instance for backup and redundancy measures. We need to encrypt and secure our MongoDB deployment, so we enabled TLS and deployed the certificates to each instance of MongoDB in the replica set.
After configuring and pointing our mongod.conf file to the locations of the certificate and key files, I was able to successfully connect to the MongoDB from the container using the following syntax:
mongosh --authenticationDatabase "appsmith" --host <hostname> --tls --tlsCAFile /location/of/the/crtfile.crt --tlsCertificateKeyFile /location/of/the/keyfile.pem -u <account> -p <password>
I was also able to connect to the database via MongoDB Compass using the following URI connection string:
mongodb://<account>:<password>@<hostname/IP>/appsmith?tls=true&tlsCAFile=/location/of/the/crtfile.crt&tlsCertificateKeyFile=/location/of/the/keyfile.pem&tlsAllowInvalidHostnames=true
When disabling TLS and encryption on the MongoDB instance, we are able to successfully spin up the AppSmith container with the following URI string in the APPSMITH_MONGODB_URI= variable:
mongodb://<account>:<password>@<hostname/IP>/appsmith?tls=false
Before enabling TLS and encryption on MongoDB, I made sure that the container for AppSmith has a copy of both the certificate file and the key file for the primary instance within the mongo replica set by mounting a volume to the AppSmith container where the files are stored via the docker-compose file and pointing to that mount point within the URI.
Once TLS and encryption are enabled on MongoDB, I use the URI connection string that I use within MongoDB Compass, but I am unable to connect. The AppSmith container times out because when it is communicating with MongoDB, it never provides MongoDB with the certificate, and because of this, Mongo rejects and ends the connection.
I tried to search the community for answers, but nothing seems to be definitive. I did find the following post with regard to using a tlsCAFile with a deployment:
However, the answers provided within this post seem incomplete for the deployment that we have in our environment. I was hoping that since I am posting this in the "how do I do x" category, I would be able to get a more fleshed-out answer or a how-to guide with regard to using a TLS/encrypted external MongoDB instance with AppSmith and how this can be configured within the AppSmith .env file so that AppSmith can appropriately provide the certificate and key files to MongoDB for authentication. Any help would be appreciated. Thanks!
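A pre-flight check for a connection string of the shape shown in the post, meant to be run inside the container that will use it. This is an added example, not part of the original post and not AppSmith code. The function names, host name and file contents are constructed, and it assumes tlsCertificateKeyFile must hold both a certificate and a private key in one PEM, as mongosh expects; it does not tell you whether a given client driver honours the file options.

```python
import os
import tempfile
from urllib.parse import urlsplit, parse_qs

def audit_mongo_uri(uri):
    """Return findings for the TLS options of a MongoDB connection string."""
    query = parse_qs(urlsplit(uri).query)
    opts = {k.lower(): v[-1] for k, v in query.items()}  # option names are case-insensitive
    findings = []
    if opts.get("tls", opts.get("ssl", "false")).lower() != "true":
        findings.append("tls is off: credentials and data cross the network unencrypted")
        return findings
    if opts.get("tlsallowinvalidhostnames", "false").lower() == "true":
        findings.append("tlsAllowInvalidHostnames=true: server hostname is not verified")
    for name in ("tlsCAFile", "tlsCertificateKeyFile"):
        path = opts.get(name.lower())
        if path is None:
            continue
        try:
            with open(path, encoding="ascii", errors="replace") as fh:
                pem = fh.read()
        except OSError:
            # Typical cause in Docker: the volume is not mounted at this path.
            findings.append(f"{name}: {path} is not readable from this filesystem")
            continue
        if "-----BEGIN CERTIFICATE-----" not in pem:
            findings.append(f"{name}: no certificate block in {path}")
        if name == "tlsCertificateKeyFile" and "PRIVATE KEY-----" not in pem:
            findings.append(f"{name}: no private key block in {path}")
    return findings

def demo():
    """Audit the post's URI shape against constructed files in a temp directory."""
    cert = "-----BEGIN CERTIFICATE-----\n(constructed)\n-----END CERTIFICATE-----\n"
    with tempfile.TemporaryDirectory() as d:
        ca, key = os.path.join(d, "ca.crt"), os.path.join(d, "client.pem")
        with open(ca, "w") as fh:
            fh.write(cert)
        with open(key, "w") as fh:  # certificate only: the private key is missing
            fh.write(cert)
        uri = ("mongodb://user:secret@db.example.internal/appsmith?tls=true"
               f"&tlsCAFile={ca}&tlsCertificateKeyFile={key}&tlsAllowInvalidHostnames=true")
        return audit_mongo_uri(uri)

if __name__ == "__main__":
    for line in demo():
        print(line)
```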