Compose.io Compose for MongoDB oplog SSL connection

Hi all,
I am planning the migration of my production Meteor application database, currently on Compose.io MongoDB Classic (v3.0), to their “Compose for MongoDB” service (v3.6), due to the MongoDB Classic EOL 30 June this year. Excited to be able to use SSL encryption to secure traffic between the db and the application. I have created an empty database to experiment with. So far, I have successfully connected my application (running locally) to the new MongoDB database using MONGO_URL connection strings with SSL enabled. Because they use Let's Encrypt, I did not need to provide a copy of a certificate. All is good.

BUT, I cannot figure out how to also connect to their oplog add-in, also with SSL enabled. It seems that their oplog add-in still requires the use of a self-signed certificate, instead of using Let's Encrypt. How can I configure my Meteor application to use the certificate-less connection for MONGO_URL (which I have got working), but at the same time provide the self-signed certificate for the MONGO_OPLOG_URL connection? Has anyone out there figured this out? I have looked at the Mongo.setConnectionOptions API, but that does not seem configurable to apply only to the oplog connection made by the oplog observe driver.

I have contacted Compose.io support, but appear to be having difficulty in describing what I want to achieve. I assume wanting to use SSL for both the MONGO_URL and MONGO_OPLOG_URL connections is a common use case, so I would be very grateful if someone in the community can give me some pointers. Thanks!

Update (3rd April 2020): I removed and re-added the oplog add-in, but this time without SSL (but still using SSL for the MONGO_URL connection). Using the new MONGO_OPLOG_URL connection string (i.e. now without the ?ssl=true parameter) worked seemingly fine. So, that seems to confirm my understanding of the underlying problem … Compose.io uses two different mechanisms to SSL-secure the main db connection (Let's Encrypt) and the oplog connection (self-signed certificate). Is there a workaround in Meteor to handle that (i.e. provide a separate cert to the Meteor MongoDB connection used for connecting to the oplog)?
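As an added example (not part of the original post, and not Meteor or Compose code): the update above leaves the oplog connection running without `?ssl=true` while MONGO_URL stays encrypted, and a startup check like the one below flags that mismatch. The function names, host names and credentials are constructed for illustration; `ssl`, `tls`, `tlsInsecure` and `tlsAllowInvalidCertificates` are standard MongoDB connection-string options.

```javascript
// Added example: audit Meteor's two MongoDB connection strings for TLS settings.

// Return the query-string options of a MongoDB URI as a lower-cased key map.
// Replica-set URIs list several hosts, which the WHATWG URL parser rejects,
// so the query string is split by hand.
function uriOptions(uri) {
  const q = uri.indexOf('?');
  const opts = {};
  if (q === -1) return opts;
  for (const pair of uri.slice(q + 1).split('&')) {
    if (!pair) continue;
    const [k, v = ''] = pair.split('=');
    opts[decodeURIComponent(k).toLowerCase()] = decodeURIComponent(v).toLowerCase();
  }
  return opts;
}

// Decide whether a URI requests TLS and whether certificate checks stay on.
function tlsStatus(uri) {
  const opts = uriOptions(uri);
  const flag = opts.tls !== undefined ? opts.tls : opts.ssl;
  // mongodb+srv:// turns TLS on by default; plain mongodb:// does not.
  const encrypted = flag !== undefined ? flag === 'true' : uri.startsWith('mongodb+srv://');
  const unverified = opts.tlsinsecure === 'true' || opts.tlsallowinvalidcertificates === 'true';
  return { encrypted, verified: encrypted && !unverified };
}

// Report every configured connection that is plaintext or skips validation.
function auditMongoEnv(env) {
  const findings = [];
  for (const name of ['MONGO_URL', 'MONGO_OPLOG_URL']) {
    if (!env[name]) continue;
    const s = tlsStatus(env[name]);
    if (!s.encrypted) findings.push(`${name}: TLS disabled, traffic is sent in plaintext`);
    else if (!s.verified) findings.push(`${name}: TLS enabled but certificate validation is off`);
  }
  return findings;
}

// Constructed sample mirroring the state described in the update above.
const sampleEnv = {
  MONGO_URL: 'mongodb://app:pw@host-a.example.com:10001,host-b.example.com:10002/app?ssl=true',
  MONGO_OPLOG_URL: 'mongodb://oplog:pw@host-a.example.com:10001,host-b.example.com:10002/local?authSource=admin',
};
console.log(auditMongoEnv(sampleEnv));
```

Calling `auditMongoEnv(process.env)` at server startup and refusing to boot on a non-empty result keeps a plaintext oplog connection from reaching production unnoticed.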

Hi @rsbatech, see if this PR would help. We’re discussing a couple of ways to configure MongoDB options.

@filipenevola might be a good person to answer this.

Just looping @hanley in. He’s had some recent experience with Compose.
And the relevant conversation: [solved] Mongo error after updating to 1.10.1

@paulishca We haven’t enabled oplog yet so I’m of no help here.

Realizing the oplog is recommended for Meteor apps, we tried enabling it and ran into the same issue with Compose. Someone suggested switching to Atlas, so we did. I highly recommend doing so because:

  1. No self-signing certs for the oplog so it was easy to implement
  2. There’s a helpful step-by-step walkthrough, including oplog-specific steps at: https://medium.com/@cfnelson/mongodb-atlas-with-meteor-a-step-by-step-guide-da34093665f4. It’s a little dated but still helpful.
  3. Easy migration (they have several docs to help walk you through migrating from other DB providers including Compose)
  4. Their metrics are miles beyond Compose. Everything you need to know about how your database is performing in real time, including automatic indexing suggestions.

Thanks! I was already thinking along the same lines…

Great articles, thanks for sharing these awesome blogs.

Did you reach out to Compose on this? It seems weird to use two different SSL mechanisms here.