new feature:

- sslAllowInvalidHostnames
AUTH and SSL support added

README.md

@@ -501,6 +501,10 @@ Default: <>
 Set to true to disable mandatory SSL client authentication
 Default: False
 
+##### `ssl_invalid_hostnames`
+Set to true to disable fqdn SSL cert check
+Default: False
+
 ##### `service_manage`
 Whether or not the MongoDB service resource should be part of the catalog.
 Default: true

lib/facter/is_master.rb

@@ -20,6 +20,18 @@ def get_mongod_conf_file
         unless config['net.port'].nil?
           mongoPort = "--port #{config['net.port']}"
         end
+        if config['net.ssl.mode'] == "requireSSL"
+          ssl = "--ssl --host #{Facter.value(:fqdn)}"
+        end
+        unless config['net.ssl.PEMKeyFile'].nil?
+          sslkey = "--sslPEMKeyFile #{config['net.ssl.PEMKeyFile']}"
+        end
+        unless config['net.ssl.CAFile'].nil?
+          sslca = "--sslCAFile #{config['net.ssl.CAFile']}"
+        end
+        unless config['net.ipv6'].nil?
+          ipv6 = "--ipv6"
+        end
       else # It has to be a key-value config file
         config = {}
         File.readlines(file).collect do |line|
@@ -29,15 +41,26 @@ def get_mongod_conf_file
         unless config['port'].nil?
           mongoPort = "--port #{config['port']}"
         end
+        if config['ssl'] == "requireSSL"
+          ssl = "--ssl --host #{Facter.value(:fqdn)}"
+        end
+        unless config['sslcert'].nil?
+          sslkey = "--sslPEMKeyFile #{config['sslcert']}"
+        end
+        unless config['sslca'].nil?
+          sslca = "--sslCAFile #{config['sslca']}"
+        end
+        unless config['ipv6'].nil?
+          ipv6 = "--ipv6"
+        end
       end
       e = File.exists?('/root/.mongorc.js') ? 'load(\'/root/.mongorc.js\'); ' : ''
 
       # Check if the mongodb server is responding:
-      Facter::Core::Execution.exec("mongo --quiet #{mongoPort} --eval \"#{e}printjson(db.adminCommand({ ping: 1 }))\"")
+      Facter::Core::Execution.exec("mongo --quiet #{ssl} #{sslkey} #{sslca} #{ipv6} #{mongoPort} --eval \"#{e}printjson(db.adminCommand({ ping: 1 }))\"")
 
       if $?.success?
-        mongo_output = Facter::Core::Execution.exec("mongo --quiet #{mongoPort} --eval \"#{e}printjson(db.isMaster())\"")
-        JSON.parse(mongo_output.gsub(/\w+\(.+?\)/, '"foo"'))['ismaster'] ||= false
+        Facter::Core::Execution.exec("mongo --quiet #{ssl} #{sslkey} #{sslca} #{ipv6} #{mongoPort} --eval \"#{e}db.isMaster().ismaster\"")
       else
         'not_responding'
       end

lib/puppet/provider/mongodb.rb

@@ -41,6 +41,7 @@ def self.get_mongo_conf
       config_hash['bindip'] = config['net.bindIp']
       config_hash['port'] = config['net.port']
       config_hash['ipv6'] = config['net.ipv6']
+      config_hash['allowInvalidHostnames'] = config['net.ssl.allowInvalidHostnames']
       config_hash['ssl'] = config['net.ssl.mode']
       config_hash['sslcert'] = config['net.ssl.PEMKeyFile']
       config_hash['sslca'] = config['net.ssl.CAFile']
@@ -57,6 +58,7 @@ def self.get_mongo_conf
       config_hash['port'] = config['port']
       config_hash['ipv6'] = config['ipv6']
       config_hash['ssl'] = config['sslOnNormalPorts']
+      config_hash['allowInvalidHostnames'] = config['allowInvalidHostnames']
       config_hash['sslcert'] = config['sslPEMKeyFile']
       config_hash['sslca'] = config['sslCAFile']
       config_hash['auth'] = config['auth']
@@ -78,11 +80,17 @@ def self.ssl_is_enabled(config=nil)
     ssl_mode.nil? ? false : ssl_mode != 'disabled'
   end
 
+  def self.ssl_invalid_hostnames(config=nil)
+    config ||= get_mongo_conf
+    config['allowInvalidHostnames']
+  end
+
   def self.mongo_cmd(db, host, cmd)
     config = get_mongo_conf
 
     args = [db, '--quiet', '--host', host]
     args.push('--ipv6') if ipv6_is_enabled(config)
+    args.push('--sslAllowInvalidHostnames') if ssl_invalid_hostnames(config)
 
     if ssl_is_enabled(config)
       args.push('--ssl')
@@ -139,6 +147,7 @@ def self.db_ismaster
     out.gsub!(/ObjectId\(([^)]*)\)/, '\1')
     out.gsub!(/ISODate\((.+?)\)/, '\1 ')
     out.gsub!(/^Error\:.+/, '')
+    out.gsub!(/^.*warning\:.+/, '') # remove warnings if sslAllowInvalidHostnames is true
     res = JSON.parse out
 
     return res['ismaster']
@@ -185,6 +194,7 @@ def self.mongo_eval(cmd, db = 'admin', retries = 10, host = nil)
       out.gsub!(/#{data_type}\(([^)]*)\)/, '\1')
     end
     out.gsub!(/^Error\:.+/, '')
+    out.gsub!(/^.*warning\:.+/, '') # remove warnings if sslAllowInvalidHostnames is true
     out
   end
 

lib/puppet/provider/mongodb_replset/mongo.rb

@@ -275,6 +275,7 @@ def self.mongo_command(command, host=nil, retries=4)
 
     #Hack to avoid non-json empty sets
     output = "{}" if output == "null\n"
+    output = "{}" if output == "\nnull\n"
 
     # Parse the JSON output and return
     JSON.parse(output)

manifests/server.pp

@@ -73,6 +73,7 @@
   $ssl_key          = undef,
   $ssl_ca           = undef,
   $ssl_weak_cert    = false,
+  $ssl_invalid_hostnames  = false,
   $restart          = $mongodb::params::restart,
   $storage_engine   = undef,
 
@@ -97,6 +98,7 @@
   if $ssl {
     validate_string($ssl_key, $ssl_ca)
     validate_bool($ssl_weak_cert)
+    validate_bool($ssl_invalid_hostnames)
   }
 
   if ($ensure == 'present' or $ensure == true) {

manifests/server/config.pp

@@ -66,6 +66,7 @@
   $ssl_key          = $mongodb::server::ssl_key
   $ssl_ca           = $mongodb::server::ssl_ca
   $ssl_weak_cert    = $mongodb::server::ssl_weak_cert
+  $ssl_invalid_hostnames = $mongodb::server::ssl_invalid_hostnames
   $storage_engine   = $mongodb::server::storage_engine
   $version          = $mongodb::server::version
 
@@ -145,6 +146,7 @@
       # - $ssl_ca
       # - $ssl_key
       # - $ssl_weak_cert
+      # - $ssl_invalid_hostnames
       # - $syslog
       # - $system_logrotate
       # - $verbose
@@ -201,6 +203,7 @@
       # - $ssl_ca
       # - $ssl_key
       # - $ssl_weak_cert
+      # - $ssl_invalid_hostnames
       # - storage_engine_internal
       # - $syslog
       # - $verbose

templates/mongodb.conf.2.6.erb

@@ -88,7 +88,7 @@ security.javascriptEnabled: <%= @noscripting %>
 
 #Net
 <% if @ipv6 -%>
-net.ipv6=<%= @ipv6 %>
+net.ipv6: <%= @ipv6 %>
 <% end -%>
 <% if @bind_ip -%>
 net.bindIp:  <%= Array(@bind_ip).join(',') %>
@@ -117,6 +117,9 @@ net.ssl.CAFile: <%= @ssl_ca %>
 <% if @ssl_weak_cert -%>
 net.ssl.weakCertificateValidation: <%= @ssl_weak_cert %>
 <% end -%>
+<% if @ssl_invalid_hostnames -%>
+net.ssl.allowInvalidHostnames: <%= @ssl_invalid_hostnames %>
+<% end -%>
 <% end -%>
 
 #Replication

templates/mongodb.conf.erb

@@ -196,4 +196,7 @@ sslCAFile = <%= @ssl_ca %>
 # - after 3.0.0: sslAllowConnectionsWithoutCertificates
 sslWeakCertificateValidation = <%= @ssl_weak_cert %>
 <% end -%>
+<% if @ssl_invalid_hostnames -%>
+net.ssl.allowInvalidHostnames = <%= @ssl_invalid_hostnames %>
+<% end -%>
 <% end -%>