Core Server / SERVER-59402

Avoid silent failure if Replica Set member's X.509 certificate does not contain `O` / `OU` or `DC` attributes



    • Bug
    • Status: Blocked
    • Major - P3
    • Resolution: Unresolved
    • Security
    • ALL
    • Security 2022-05-02


      Replica Set members are disconnected from each other as soon as all members of a Replica Set are restarted with the `clusterAuthMode: sendX509` or `clusterAuthMode: X509` parameters and the member's X.509 certificate does not contain `O` / `OU` or `DC` attributes.

      All Replica Set members report `"stateStr" : "(not reachable/healthy)"` and `"lastHeartbeatMessage" : "x.509 authentication is disabled."` messages in `rs.status()`.

      For Ops Manager Automation this means that it can't continue managing such a MongoDB Server deployment (as it can't connect to that MongoDB Server deployment, just as the Replica Set members can't connect to each other).

      Troubleshooting / Findings:
      We have very specific requirements for a member's X.509 certificate; it should contain `O` / `OU` or `DC` attributes:

      The Distinguished Name (DN), found in the member certificate's subject, must specify a non-empty value for at least one of the following attributes: Organization (O), the Organizational Unit (OU) or the Domain Component (DC)

      However, if a member's X.509 certificate is not correct (doesn't have `O` / `OU` or `DC` attributes in it), then the MongoDB Server process will fail silently and will NOT produce any log saying that the Replica Set member's X.509 certificate is not correct.

      The MongoDB Server process will also produce a misleading `x.509 authentication is disabled` error once a Replica Set member tries to connect to it (X.509 authentication is actually enabled; it is just that the member's X.509 certificate is incorrect).

      What we need from this SERVER ticket:

      • Let's raise a clear error about missing `O` / `OU` or `DC` attributes on MongoDB Server process startup if it is started with `clusterAuthMode: sendX509` or `clusterAuthMode: X509` parameters.
      • Or, perhaps it would be even better to log a clear error AND NOT start MongoDB Server process configured with `clusterAuthMode: sendX509` or `clusterAuthMode: X509` parameters if member's X.509 certificate does not contain `O` / `OU` or `DC` attributes?
        • The idea is to indicate to the user/automation that this MongoDB Server process is not functional for a Replica Set (as it will be disconnected from each Replica Set member), so the user/automation can see the issue quicker and hence will act on it quicker (as of now it is very hard to spot the issue with missing `O` / `OU` or `DC` attributes in member's X.509 certificate).

      Thanks in advance,




            backlog-server-security Backlog - Security Team
            alexey.matyushin@mongodb.com Alexey Matyushin
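
A pre-flight check for the certificate requirement described in this ticket, as an added example that is not part of the ticket or of MongoDB's code: it reads a certificate's subject with `openssl x509 -nameopt RFC2253` and reports whether the DN carries a non-empty `O`, `OU` or `DC`. The function names are hypothetical, and treating a whitespace-only value as empty is an assumption of this example.

```python
import subprocess
import sys

# Attributes named in this ticket: at least one needs a non-empty value.
REQUIRED_ANY = ("O", "OU", "DC")

def split_dn(dn):
    """Split an RFC 2253 DN on unescaped ',' and '+' (multi-valued RDNs)."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            cur.append(dn[i + 1])  # keep the escaped character literally
            i += 2
            continue
        if ch in ",+":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur))
    return parts

def cluster_attrs(dn):
    """Return the (type, value) pairs for O/OU/DC that have a non-empty value."""
    found = []
    for part in split_dn(dn):
        attr, sep, value = part.partition("=")
        # Assumption of this example: a whitespace-only value counts as empty.
        if sep and attr.strip().upper() in REQUIRED_ANY and value.strip():
            found.append((attr.strip().upper(), value.strip()))
    return found

def is_member_subject_ok(dn):
    return bool(cluster_attrs(dn))

def subject_of(pem_path):
    """Read the subject DN of a PEM certificate via the openssl CLI."""
    out = subprocess.run(
        ["openssl", "x509", "-in", pem_path, "-noout", "-subject",
         "-nameopt", "RFC2253"],
        check=True, capture_output=True, text=True).stdout.strip()
    return out.split("=", 1)[1].strip()  # drop the leading "subject="

if __name__ == "__main__":
    # Usage: python check_member_cert.py member1.pem member2.pem ...
    bad = [p for p in sys.argv[1:] if not is_member_subject_ok(subject_of(p))]
    for p in bad:
        print(f"{p}: subject has no non-empty O, OU or DC", file=sys.stderr)
    sys.exit(1 if bad else 0)
```

Run against every member certificate before restarting with `clusterAuthMode: sendX509` or `clusterAuthMode: X509`; a non-zero exit flags the certificates that would trigger the silent failure reported here.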