Type: Bug
Resolution: Incomplete
Priority: Major - P3
Affects Version/s: 3.4.16, 3.6.12
Component/s: None
I have a 3 member replica set running on Windows using SSL for internal membership authentication, which has been working well for a couple of years.
I never had issues upgrading before, but this time when I upgraded one of the secondaries to 3.6, the upgraded secondary became unable to authenticate the other members that are still on 3.4.
Here is the log message on the member that has been upgraded to 3.6 (m1.mydomain.com):
2019-04-21T00:12:19.123Z I ACCESS [conn7] Failed to authenticate CN=m2.mydomain.com,OU=Dept1,O=MyDomain,ST=NY,C=US@$external from client 162.221.55.62:53006 with mechanism MONGODB-X509: UserNotFound: Could not find user CN=m2.mydomain.com,OU=Dept1,O=MyDomain,ST=NY,C=US@$external
2019-04-21T00:12:19.173Z I ACCESS [conn7] Unauthorized: not authorized on admin to execute command { replSetHeartbeat: "myReplicaSet", configVersion: 438347, from: "m2.mydomain.com:40000", fromId: 3, term: 644, $replData: 1, $db: "admin" }
In the members that were not upgraded, I saw several of these messages:
2019-04-20T10:51:47.427Z I REPL [ReplicationExecutor] Error in heartbeat request to m1.mydomain.com:40000; Unauthorized: not authorized on admin to execute command { replSetHeartbeat: "myReplicaSet", configVersion: 438343, from: "m4.mydomain.com:40000", fromId: 6, term: 640, $replData: 1, $db: "admin" }
My certificates look right and they are working on version 3.4:
CN=m4.mydomain.com,OU=Dept1,O=MyDomain,ST=NY,C=US
CN=m2.mydomain.com,OU=Dept1,O=MyDomain,ST=NY,C=US
CN=m1.mydomain.com,OU=Dept1,O=MyDomain,ST=NY,C=US
Here's the replica set config file.
storage:
  dbPath: c:\mongossl\data
systemLog:
  destination: file
  path: c:\mongossl\log\mongod.log
  logAppend: true
  timeStampFormat: iso8601-utc
replication:
  replSetName: myReplicaSet
net:
  port: 40000
  bindIpAll: true
  ssl:
    mode: preferSSL
    PEMKeyFile: c:\certs\m1.pem
    CAFile: c:\certs\ca.crt
    clusterFile: c:\certs\m1.pem
security:
  authorization: disabled
  clusterAuthMode: x509
The issue doesn't happen if I add transitionToAuth to the security section of the config file.
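A triage sketch for the log pattern in this report, added here as an example (it is not the reporter's or MongoDB's code): it pairs each MONGODB-X509 `UserNotFound` failure with a denied `replSetHeartbeat` on the same connection, then checks whether the rejected subject DN shares its O/OU/DC attributes with the local node's certificate, a simplified form of MongoDB's documented matching rule for member certificates. The function names and the comma-split DN parsing are assumptions of this example; the log lines and DNs are copied from the report.

```python
import re

# Log lines copied from the report above (written by m1 after its upgrade to 3.6).
LOG = """\
2019-04-21T00:12:19.123Z I ACCESS [conn7] Failed to authenticate CN=m2.mydomain.com,OU=Dept1,O=MyDomain,ST=NY,C=US@$external from client 162.221.55.62:53006 with mechanism MONGODB-X509: UserNotFound: Could not find user CN=m2.mydomain.com,OU=Dept1,O=MyDomain,ST=NY,C=US@$external
2019-04-21T00:12:19.173Z I ACCESS [conn7] Unauthorized: not authorized on admin to execute command { replSetHeartbeat: "myReplicaSet", configVersion: 438347, from: "m2.mydomain.com:40000", fromId: 3, term: 644, $replData: 1, $db: "admin" }
"""
# Subject DN of the node that wrote the log (m1's certificate, from the report).
LOCAL_DN = "CN=m1.mydomain.com,OU=Dept1,O=MyDomain,ST=NY,C=US"

AUTH_FAIL = re.compile(
    r"\[(conn\d+)\] Failed to authenticate (.+?)@\$external from client "
    r"(\S+) with mechanism MONGODB-X509: UserNotFound")
HB_DENIED = re.compile(r'\[(conn\d+)\] Unauthorized: .*replSetHeartbeat: .*?from: "([^"]+)"')

def member_attrs(dn):
    """Return the O/OU/DC values of a subject DN (assumes no escaped commas)."""
    attrs = {"O": [], "OU": [], "DC": []}
    for rdn in dn.split(","):
        key, _, value = rdn.strip().partition("=")
        if key.upper() in attrs:
            attrs[key.upper()].append(value)
    return {k: sorted(v) for k, v in attrs.items()}

def looks_like_member(peer_dn, local_dn):
    # At least one of O/OU/DC must be present, and all three must match.
    peer, local = member_attrs(peer_dn), member_attrs(local_dn)
    return any(local.values()) and peer == local

def misclassified_peers(log_text, local_dn):
    """Peers whose member-shaped certificate was looked up as a $external user."""
    failed, findings = {}, []
    for line in log_text.splitlines():
        m = AUTH_FAIL.search(line)
        if m:
            failed[m.group(1)] = (m.group(2), m.group(3))
            continue
        m = HB_DENIED.search(line)
        if m and m.group(1) in failed:
            dn, client = failed[m.group(1)]
            if looks_like_member(dn, local_dn):
                findings.append({"conn": m.group(1), "peer": m.group(2), "dn": dn, "client": client})
    return findings

if __name__ == "__main__":
    print(misclassified_peers(LOG, LOCAL_DN))
```

A non-empty result means the rejected peer's certificate satisfies the subject-matching rule, which separates a certificate subject mismatch from other causes of the heartbeat failures.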