I am planning the migration of my production Meteor application database, currently on Compose.io MongoDB Classic (v3.0), to their “Compose for MongoDB” service (v3.6), due to the MongoDB Classic EOL 30 June this year. Excited to be able to use SSL encryption to secure traffic between the db and the application. I have created an empty database to experiment with. So far, I have successfully connected my application (running locally) to the new MongoDB database using MONGO_URL connection strings with SSL enabled. Because they use Let's Encrypt, I did not need to provide a copy of a certificate. All is good.
BUT, I cannot figure out how to also connect to their oplog add-in, also with SSL enabled. It seems that their oplog add-in still requires the use of a self-signed certificate, instead of using Let's Encrypt. How can I configure my Meteor application to use the certificate-less connection for MONGO_URL (which I have got working), but at the same time provide the self-signed certificate for the MONGO_OPLOG_URL connection? Has anyone out there figured this out? I have looked at the Mongo.setConnectionOptions API, but that does not seem configurable to apply only to the oplog connection made by the oplog observe driver.
I have contacted Compose.io support, but appear to be having difficulty in describing what I want to achieve. I assume wanting to use SSL for both the MONGO_URL and MONGO_OPLOG_URL connections is a common use case, so I would be very grateful if someone in the community can give me some pointers. Thanks!
Update (3rd April 2020): I removed and re-added the oplog add-in, but this time without SSL (but still using SSL for the MONGO_URL connection). Using the new MONGO_OPLOG_URL connection string (i.e. now without the ?ssl=true parameter) worked seemingly fine. So, that seems to confirm my understanding of the underlying problem … Compose.io uses two different mechanisms to SSL-secure the main db connection (Let's Encrypt) and the oplog connection (self-signed certificate). Is there a workaround in Meteor to handle that (i.e. provide a separate cert to the Meteor MongoDB connection used for connecting to the oplog)?