I have a flow that uses node-red-node-mongodb to connect to a mongodb database. I want to use this flow in node-red on IBM cloud. Unfortunately mongodb running in IBM cloud foundry requires the use of a TLS certificate. I cannot find any way of configuring this in node-red-node-mongodb. Does anyone have any ideas how to get round this, either from the node-red end or from the mongodb end?
In the mongodb configuration node, the "Connect options" are the options directly added to the end of the connection string. So, by looking at some related documentation, https://mongodb.github.io/node-mongodb-native/3.6/tutorials/connect/tls/, it seems that adding tls=true and adding the other options needed (like tls=true&otheroption=...) should be the answer. Depending on the certificate needed, the other connection options to add are described under the first tls option in http://mongodb.github.io/node-mongodb-native/3.6/api/MongoClient.html#MongoClient, like tlsCAFile, tlsCertificateKeyFile, or tlsCertificateKeyFilePassword. (Or look at some more descriptions here: https://docs.mongodb.com/manual/reference/connection-string/#tls-options)
The remaining information to find out is how to properly encode the paths in the Connect Options. Probably URL encoded, and a path relative to the Node-RED editor's working directory. An absolute path may be easier to debug. The first link showed an example using a path to a certificate file, but the options were not all added in the connection string; still, I found that most of them are parsed correctly even if not added as an object.
I suggest you try out using the Connect option useUnifiedTopology=true first, as it changes the way the connection and discovery process is handled in the driver that node-red-node-mongodb uses, to a more recent and robust process without any updates, and might handle your recent MongoDB deployment more easily. The structure of the node-red-node-mongodb node mostly didn't change from when they used really old versions back in 2015, but mongodb has changed.
Sadly, I don't use certificates for my configuration, but maybe by showing how you entered the connection options we could find out if there was an error or not. Or, could you describe what worked or not, and what error you got? For now, there is nothing more in the original post or your reply to help us out.
I have had another look at this and got a bit further.
In the resources list on ibm cloud I clicked on my mongodb instance in the "services" section. This brings up a page with info about the service. At the bottom of that page is a section called endpoints. Click on the mongodb tab in that section.
In the information about public connections, take a note of one of the hostname and port combinations and download the TLS certificate.
I fed that information into a mongo client on a Linux box and was able to connect, like this.
That is as far as I have got. It complains about the server being a slave when I try to do things but that is just a parameter to allow slave data that I need to specify somewhere.
Looking at the certificate using openssl I can see that it is a self-signed certificate containing the server's public key. That is why you need to fool mongo into thinking it is a trusted CA by using the --tlsCAFile parameter.
I would hope that feeding this same information into the node-red mongodb config would work but I have not tried it yet.
The next step is encoding this back into a mongodb url, and properly handling the replset stuff.
I think that if you're going to use the node for a little moment, adding this will still save you a lot of trouble, it just helps. It made my reconnections way more robust, is the recommended option by MongoDB's tutorials, and they warned that this will be enabled as default mode for some versions (years), yet it should be the only mode in their 4.0 driver soon to be released.
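The encoding step discussed in this thread, as an added example that is not part of any post or of node-red-node-mongodb: it builds a "Connect options" string that trusts the downloaded certificate through tlsCAFile, percent-encodes the path, and refuses options that switch verification off. The file path is a constructed placeholder, and it is an assumption here that the driver percent-decodes option values.

```javascript
// Added example: build the "Connect options" string for the mongodb config node.
// The CA path used below is a constructed placeholder, not a value from the thread.

// Connection-string options that disable certificate or hostname checks.
// Trusting the self-signed certificate via tlsCAFile keeps verification on instead.
const VERIFICATION_OFF = new Set([
  'tlsinsecure', 'tlsallowinvalidcertificates', 'tlsallowinvalidhostnames',
]);

function buildConnectOptions(caFile, extra = {}) {
  // Assumption: Node-RED runs on a POSIX host, so absolute paths start with '/'.
  if (typeof caFile !== 'string' || !caFile.startsWith('/')) {
    throw new Error('tlsCAFile must be an absolute POSIX path: ' + caFile);
  }
  for (const [name, value] of Object.entries(extra)) {
    // Option names are matched case-insensitively.
    if (VERIFICATION_OFF.has(name.toLowerCase()) &&
        String(value).toLowerCase() === 'true') {
      throw new Error(name + '=true disables verification; use tlsCAFile instead');
    }
  }
  const opts = { tls: 'true', tlsCAFile: caFile, ...extra };
  // encodeURIComponent escapes '/', '&', '=' and spaces, so a path cannot
  // be split into extra options when the string is appended to the URL.
  return Object.entries(opts)
    .map(([k, v]) => encodeURIComponent(k) + '=' + encodeURIComponent(String(v)))
    .join('&');
}

// Decode the string again to see what a percent-decoding parser would read.
function parseConnectOptions(query) {
  const out = {};
  for (const pair of query.split('&')) {
    const i = pair.indexOf('=');
    out[decodeURIComponent(pair.slice(0, i))] = decodeURIComponent(pair.slice(i + 1));
  }
  return out;
}

const sample = buildConnectOptions('/data/certs/ibm mongodb-ca.pem',
                                   { useUnifiedTopology: true });
console.log(sample);
console.log(parseConnectOptions(sample));
```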