I added some variables to the mongodb-org-3.2 role:
    mongodb_ssl_enabled: False
    mongodb_ssl_letsencrypt_managed: True
    # Options: disabled, requireSSL, allowSSL, preferSSL
    mongodb_ssl_mode: requireSSL
    mongodb_ssl_certkey_file: /etc/pki/mongodb/mongodb.pem
    mongodb_ssl_CA_file: /etc/ssl/certs/ca-certificates.crt
    mongodb_ssl_allowConnectionsWithoutCertificates: 'true'
    mongodb_ssl_disabled_protocols: 'TLS1_0,TLS1_1'
The corresponding configuration section, under net:

    {% if mongodb_ssl_enabled %}
      ssl:
        mode: {{ mongodb_ssl_mode }}
        PEMKeyFile: '{{ mongodb_ssl_certkey_file }}'
        CAFile: '{{ mongodb_ssl_CA_file }}'
        disabledProtocols: {{ mongodb_ssl_disabled_protocols }}
        allowConnectionsWithoutCertificates: {{ mongodb_ssl_allowConnectionsWithoutCertificates }}
    {% endif %}
The configuration for the d4science cluster should be, initially:

    ssl:
      mode: preferSSL
      PEMKeyFile: /etc/pki/mongodb/mongodb.pem
      CAFile: /etc/ssl/certs/ca-certificates.crt
      disabledProtocols: TLS1_0,TLS1_1
      allowConnectionsWithoutCertificates: true
The /etc/pki/mongodb/mongodb.pem file will be put in place by a letsencrypt hook script.

preferSSL should be changed to requireSSL after we've verified that all the client applications connect over SSL correctly.

allowConnectionsWithoutCertificates can be set to false if we want to verify the client certificates: in that case, the clients must be configured to present their certificate.
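As an added example (not part of the role or of this note), a small Python check that renders the same net.ssl block from the mongodb_ssl_* variables and flags the two settings discussed above: a mode that still accepts plaintext clients, and client certificates left optional. The two variable sets are constructed from the values given above; the hardened set is the intended end state.

```python
# Added example: pre-deployment sanity check for the role's mongodb_ssl_* variables.
# Variable names are the role's; sample values are constructed from the note above.
VALID_MODES = ("disabled", "allowSSL", "preferSSL", "requireSSL")
# Protocol names recognised by MongoDB 3.x net.ssl.disabledProtocols.
VALID_PROTOCOLS = ("TLS1_0", "TLS1_1", "TLS1_2")

# Constructed: the initial d4science cluster settings from the note.
CLUSTER_VARS = {
    "mongodb_ssl_enabled": True,
    "mongodb_ssl_mode": "preferSSL",
    "mongodb_ssl_certkey_file": "/etc/pki/mongodb/mongodb.pem",
    "mongodb_ssl_CA_file": "/etc/ssl/certs/ca-certificates.crt",
    "mongodb_ssl_disabled_protocols": "TLS1_0,TLS1_1",
    "mongodb_ssl_allowConnectionsWithoutCertificates": "true",
}
# Constructed: the target state once all clients are verified to use SSL.
HARDENED_VARS = dict(CLUSTER_VARS, mongodb_ssl_mode="requireSSL",
                     mongodb_ssl_allowConnectionsWithoutCertificates="false")


def render_ssl_section(v):
    """Mirror the role's Jinja block: the net.ssl YAML, or '' when SSL is disabled."""
    if not v["mongodb_ssl_enabled"]:
        return ""
    return (
        "  ssl:\n"
        f"    mode: {v['mongodb_ssl_mode']}\n"
        f"    PEMKeyFile: '{v['mongodb_ssl_certkey_file']}'\n"
        f"    CAFile: '{v['mongodb_ssl_CA_file']}'\n"
        f"    disabledProtocols: {v['mongodb_ssl_disabled_protocols']}\n"
        f"    allowConnectionsWithoutCertificates: "
        f"{v['mongodb_ssl_allowConnectionsWithoutCertificates']}\n"
    )


def check_ssl_vars(v):
    """Return a list of findings about the variables (empty list = nothing to report)."""
    findings = []
    if not v["mongodb_ssl_enabled"]:
        return ["ssl block omitted: mongod will accept plaintext connections only"]
    mode = v["mongodb_ssl_mode"]
    if mode not in VALID_MODES:
        findings.append(f"unknown net.ssl.mode {mode!r}")
    elif mode in ("allowSSL", "preferSSL"):
        findings.append(f"mode {mode} still accepts unencrypted clients; "
                        "switch to requireSSL once all clients are verified")
    for proto in v["mongodb_ssl_disabled_protocols"].split(","):
        if proto.strip() not in VALID_PROTOCOLS:
            findings.append(f"unknown protocol name {proto.strip()!r} in disabledProtocols")
    if str(v["mongodb_ssl_allowConnectionsWithoutCertificates"]).lower() == "true":
        findings.append("client certificates are optional: CAFile only checks "
                        "clients that choose to present one")
    return findings
```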