MongoDB SSL Certificate Setup (Node.js)
Connect your Node.js app to MongoDB securely using an SSL certificate from Galaxy Database. Works with the native MongoDB driver and Mongoose.
SSL encrypts the connection between your Node.js app and MongoDB, keeping your data safe in transit. If you're using Galaxy Database, the whole setup takes just a few minutes.
Time Required: About 5 minutes
What you'll need: A Node.js project, a Galaxy Database MongoDB instance, and your SSL certificate file
Using Meteor? Check the Meteor SSL setup guide instead. Meteor handles certificates differently.
Setting Up SSL
Download the SSL Certificate
Open the Galaxy dashboard and navigate to your MongoDB cluster's Overview page. You'll find a download link for the SSL certificate there.
Download the certificate file (usually a .crt or .pem file). You'll reference this file in your app's connection code.
Add the Certificate to Your Project
Create a certs directory in your project root and place the certificate file inside it. This is for local development only:
your-node-app/
├── certs/
│ └── galaxy-mongodb.crt
├── src/
├── package.json
└── .gitignorePublic Repos: Add certs/ to .gitignore
If your repository is public, never commit certificate files. Add certs/ to your .gitignore and use an environment variable for production (covered in the Deploying to Galaxy section below). For private repos, committing the certificate is fine.
Install the MongoDB Driver
If you haven't already, install the MongoDB driver for Node.js:
npm install mongodbnpm install mongooseThis guide covers both options. Pick whichever one your project uses.
Configure the SSL Connection
Point your MongoDB connection to the certificate file. Here's how it works with each driver:
const { MongoClient } = require('mongodb');
const path = require('path');
const certPath = path.resolve('certs/galaxy-mongodb.crt');
const client = new MongoClient(process.env.MONGO_URL, {
tls: true,
tlsCAFile: certPath,
authSource: 'admin',
connectTimeoutMS: 10000,
serverSelectionTimeoutMS: 5000,
});
await client.connect();
console.log('Connected to MongoDB with SSL');const mongoose = require('mongoose');
const path = require('path');
const certPath = path.resolve('certs/galaxy-mongodb.crt');
await mongoose.connect(process.env.MONGO_URL, {
tls: true,
tlsCAFile: certPath,
authSource: 'admin',
connectTimeoutMS: 10000,
serverSelectionTimeoutMS: 5000,
});
console.log('Connected to MongoDB with SSL');Set Your Connection String
Add MONGO_URL as an environment variable in the Galaxy dashboard (under your app's Variables section). The connection string should include ssl=true and authSource=admin:
mongodb://user:password@host1:27017,host2:27017,host3:27017/yourdb?replicaSet=yourReplicaSet&ssl=true&authSource=adminYou'll find the full connection string on your Galaxy Database cluster's Credentials section.
Connection String Parameters
Your MONGO_URL needs specific parameters for SSL to work correctly:
| Parameter | Purpose |
|---|---|
ssl=true | Enables SSL/TLS encryption for the connection |
authSource=admin | Tells MongoDB to authenticate against the admin database |
replicaSet=yourReplicaSet | Identifies your replica set (required for Galaxy Database clusters) |
If you're missing authSource=admin, MongoDB tries to authenticate against your app's database and fails. Always include it when connecting to Galaxy Database.
TLS Options Reference
Here's a quick reference for the TLS options you can pass to the driver:
| Option | Type | Description |
|---|---|---|
tls | boolean | Enables TLS/SSL encryption |
tlsCAFile | string | Path to the certificate authority file |
tlsAllowInvalidCertificates | boolean | Skips certificate validation (not recommended for production) |
connectTimeoutMS | number | How long to wait for a connection before timing out |
serverSelectionTimeoutMS | number | How long to wait for a server to be selected |
Set Reasonable Timeouts
The default serverSelectionTimeoutMS is 30 seconds, which can make debugging slow. Setting it to 5000 (5 seconds) gives you faster feedback when something is misconfigured.
Deploying to Galaxy
Your certificate file needs to be accessible at runtime. You have two options depending on how you manage secrets.
If your repository is private, you can include the certificate file directly in your project (in the certs/ directory). Your app reads it from the filesystem at runtime, just like it does locally. This is the simplest approach.
Private Repos Only
Only commit certificate files to private repositories. If your repo is public (or might become public), use the environment variable method instead.
Prefer to keep the certificate out of version control entirely? Store the certificate content as an environment variable and write it to disk at startup:
const fs = require('fs');
const path = require('path');
const certPath = path.resolve('/tmp/galaxy-mongodb.crt');
if (process.env.MONGO_SSL_CERT && !fs.existsSync(certPath)) {
fs.writeFileSync(certPath, process.env.MONGO_SSL_CERT);
}
// Then use certPath as your tlsCAFileIn the Galaxy dashboard, go to your app's Variables section and add MONGO_SSL_CERT as an environment variable. Paste the full certificate content as the value.
This is the more secure option, especially for teams with open-source repos or strict security policies.
Common Questions
Need a Hand?
If you're having trouble with SSL setup, reach out to Galaxy support. We can verify your certificate configuration and help troubleshoot connection issues.
What's Next?
MongoDB SSL Certificate Setup (Meteor)
Connect your Meteor app to MongoDB securely using an SSL certificate from Galaxy Database. Download the certificate, configure your settings, and deploy with encrypted connections.
MongoDB Oplog Setup
Enable oplog tailing for real-time reactivity in your Meteor apps and better monitoring with Monti APM. This guide walks you through creating an oplog user and configuring your connection.