Details
- Type: Bug
- Resolution: Works as Designed
- Priority: Major - P3
- None
- Affects Version/s: 5.0.9
- None
- Operating System: ALL
This is the relevant part of the config file:

    net:
      port: 27037
      bindIpAll: true
      tls:
        mode: preferTLS
        allowConnectionsWithoutCertificates: true
        certificateKeyFile: c:\MongoDB\config\mongo.server.pem
        CAFile: c:\MongoDB\config\mongo-ca.cer
        clusterFile: c:\MongoDB\config\mongo.member.pem
        clusterCAFile: c:\MongoDB\config\mongo.member-ca.cer
    security:
      clusterAuthMode: x509
      authorization: enabled

Relevant information of the certificates:

    openssl x509 -in c:\MongoDB\config\mongo-ca.cer -noout -subject
    subject=C = CH, ST = ZH, L = Zurich, O = Sunrise-UPC, OU = OSS, CN = mongo-ca

    openssl x509 -in c:\MongoDB\config\mongo.member-ca.cer -noout -subject
    subject=C = CH, ST = ZH, L = Zurich, O = Sunrise-UPC, OU = OSS, CN = mongo.member-ca

    openssl x509 -in c:\MongoDB\config\mongo.member.pem -noout -issuer -subject -ext extendedKeyUsage,keyUsage
    issuer=C = CH, ST = ZH, L = Zurich, O = Sunrise-UPC, OU = OSS, CN = mongo.member-ca
    subject=C = CH, ST = ZH, L = Zurich, O = Sunrise-UPC, OU = mongodb.member, CN = mongodb.member
    X509v3 Key Usage: critical
        Digital Signature, Key Encipherment
    X509v3 Extended Key Usage:
        TLS Web Client Authentication

    openssl x509 -in c:\MongoDB\config\mongo.server.pem -noout -issuer -subject -ext extendedKeyUsage,keyUsage
    issuer=C = CH, ST = ZH, L = Zurich, O = Sunrise-UPC, OU = OSS, CN = mongo-ca
    subject=C = CH, ST = ZH, L = Zurich, O = Sunrise-UPC, OU = mongodb.server, CN = mongodb.server
    X509v3 Key Usage: critical
        Digital Signature, Key Encipherment
    X509v3 Extended Key Usage:
        TLS Web Server Authentication

Certificates are valid:

    openssl verify -CAfile mongo.member-ca.cer -verify_name ssl_client mongo.member.pem
    mongo.member.pem: OK
    openssl verify -CAfile mongo-ca.cer -verify_name ssl_server mongo.server.pem
    mongo.server.pem: OK

Start Replica Set members. When the second member starts, I get this error on the first one:

    {
      "t": { "$date": "2022-06-03T15:32:15.267+02:00" },
      "s": "I",
      "c": "ACCESS",
      "id": 20428,
      "ctx": "conn898",
      "msg": "Failed to authenticate",
      "attr": {
        "client": "10.80.41.19:64138",
        "mechanism": "MONGODB-X509",
        "user": "CN=mongodb.member,OU=mongodb.member,O=Sunrise-UPC,L=Zurich,ST=ZH,C=CH",
        "db": "$external",
        "error": {
          "code": 11,
          "codeName": "UserNotFound",
          "errmsg": "Could not find user \"CN=mongodb.member,OU=mongodb.member,O=Sunrise-UPC,L=Zurich,ST=ZH,C=CH\" for db \"$external\""
        }
      }
    }

and the member remains in SECONDARY state. Apparently the replica set considers the member connection as a normal client connection, which is not the case. (I am not trying to connect with any client.)

I tried with different certificates (matching O and OU):

    openssl x509 -in c:\MongoDB\config\mongo.member.pem -noout -issuer -subject -ext extendedKeyUsage,keyUsage
    issuer=C = CH, ST = ZH, L = Zurich, O = Sunrise-UPC, OU = OSS, CN = mongo.member-ca
    subject=C = CH, ST = ZH, L = Zurich, O = Sunrise-UPC, OU = OSS, CN = mongodb.member
    X509v3 Key Usage: critical
        Digital Signature, Key Encipherment
    X509v3 Extended Key Usage:
        TLS Web Client Authentication

    openssl x509 -in c:\MongoDB\config\mongo.server.pem -noout -issuer -subject -ext extendedKeyUsage,keyUsage
    issuer=C = CH, ST = ZH, L = Zurich, O = Sunrise-UPC, OU = OSS, CN = mongo-ca
    subject=C = CH, ST = ZH, L = Zurich, O = Sunrise-UPC, OU = OSS, CN = mongodb.server
    X509v3 Key Usage: critical
        Digital Signature, Key Encipherment
    X509v3 Extended Key Usage:
        TLS Web Server Authentication

With these certificates the ReplicaSet starts up as expected:

    {
      "t": { "$date": "2022-06-03T15:57:21.081+02:00" },
      "s": "I",
      "c": "ACCESS",
      "id": 20429,
      "ctx": "conn3",
      "msg": "Successfully authenticated",
      "attr": {
        "client": "10.80.41.19:51039",
        "mechanism": "MONGODB-X509",
        "user": "CN=mongodb.member,OU=OSS,O=Sunrise-UPC,L=Zurich,ST=ZH,C=CH",
        "db": "$external"
      }
    }

However, I get this warning, which is actually no problem - but it is not true. The client is another mongod replica set member, thus this warning should not appear:

    {
      "t": { "$date": "2022-06-03T15:57:21.081+02:00" },
      "s": "W",
      "c": "ACCESS",
      "id": 20430,
      "ctx": "conn3",
      "msg": "Client isn't a mongod or mongos, but is connecting with a certificate with cluster membership"
    }

Anyway, I tried several client certificates, none of them works:

    openssl x509 -in c:\MongoDB\config\mongo.client.pem -noout -issuer -subject -ext extendedKeyUsage,keyUsage
    issuer=C = CH, ST = ZH, L = Zurich, O = Sunrise-UPC, OU = OSS, CN = mongo-ca
    subject=C = CH, ST = ZH, L = Zurich, O = Sunrise-UPC, OU = ClientAuthentication, CN = admin
    X509v3 Key Usage: critical
        Digital Signature, Key Encipherment
    X509v3 Extended Key Usage:
        TLS Web Client Authentication

    openssl x509 -in mongo.client.pem -noout -subject -nameopt RFC2253
    subject=CN=admin,OU=ClientAuthentication,O=Sunrise-UPC,L=Zurich,ST=ZH,C=CH

    db.getSiblingDB("$external").runCommand({
      createUser: "CN=admin,OU=ClientAuthentication,O=Sunrise-UPC,L=Zurich,ST=ZH,C=CH",
      roles: [{ role: "root", db: "admin" }]
    })

I cannot use the client certificate, neither for TLS/SSL nor for authentication:

    mongosh --norc --quiet "mongodb://localhost:27037/admin?authSource=$external" --tls --tlsCertificateKeyFile=mongo.client.pem --tlsCAFile=mongo-ca.cer --authenticationMechanism=MONGODB-X509
    MongoServerSelectionError: connection <monitor> to 127.0.0.1:27037 closed

    mongosh --norc --quiet "mongodb://admin:password@localhost:27037/admin?authSource=admin" --tls --tlsCertificateKeyFile=mongo.client.pem --tlsCAFile=mongo-ca.cer
    MongoServerSelectionError: connection <monitor> to 127.0.0.1:27037 closed

Note that the same works fine on a standalone MongoDB; it only fails on a cluster/replica set:

    mongosh --norc --quiet "mongodb://localhost:27017/admin?authSource=$external" --eval "db.getMongo()" --tls --tlsCertificateKeyFile=mongo.client.pem --tlsCAFile=mongo-ca.cer --authenticationMechanism=MONGODB-X509
    mongodb://localhost:27017/admin?authSource=%24external&directConnection=true&serverSelectionTimeoutMS=2000&appName=mongosh+1.3.1

    mongosh --norc --quiet "mongodb://admin:password@localhost:27017/admin?authSource=admin" --eval "db.getMongo()" --tls --tlsCertificateKeyFile=mongo.client.pem --tlsCAFile=mongo-ca.cer
    mongodb://<credentials>@localhost:27017/admin?authSource=admin&directConnection=true&serverSelectionTimeoutMS=2000&appName=mongosh+1.3.1

It also works fine if I use a common CA for cluster and client, i.e.

    net:
      port: 27037
      bindIpAll: true
      tls:
        mode: preferTLS
        allowConnectionsWithoutCertificates: true
        certificateKeyFile: c:\MongoDB\config\mongo.server.pem
        CAFile: c:\MongoDB\config\mongo-ca.cer
        clusterFile: c:\MongoDB\config\mongo.member.pem

works fine. However, I would like to have different CAs for cluster and client certificates.

Is this a bug or am I doing anything wrong?
Description

I am running some tests with TLS/SSL certificates. I would like to use client certificates (for TLS/SSL and authentication) in a ReplicaSet / Sharded Cluster.

It works fine when I run it on a standalone MongoDB.

It works fine when I use a common CA for cluster and client, i.e.

    net:
      port: 27037
      bindIpAll: true
      tls:
        mode: preferTLS
        allowConnectionsWithoutCertificates: true
        certificateKeyFile: c:\MongoDB\config\mongo.server.pem
        CAFile: c:\MongoDB\config\mongo-ca.cer
        clusterFile: c:\MongoDB\config\mongo.member.pem

works fine. However, I would like to have different CAs for cluster and client certificates.
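The ticket turns on two decisions a mongod makes about every certificate presented to it, and the following script models both so the certificates quoted above can be reasoned about offline. It is an added example, not the reporter's code and not MongoDB's source: it re-implements the two rules as the MongoDB TLS documentation states them. First, a presented certificate counts as a cluster member only if its O, OU and DC attributes match those of the server's own certificate; anything else is a client and is looked up as a MONGODB-X509 user in $external. Second, a certificate presented by a connecting peer is validated against net.tls.clusterCAFile when that is set, and against net.tls.CAFile otherwise. The DN parser accepts both the RFC 2253 form printed in the mongod log and the spaced form openssl prints by default. Identifying each CA by its CN alone, the TlsConfig class, and the constants built from the ticket's subjects and issuers are this example's own simplifications.

```python
"""Model of the two x.509 decisions a mongod makes for an inbound TLS peer.

Added example, not MongoDB source. CAs are identified by their CN only
(a simplification of this model); subjects are the ones quoted in the ticket.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split a DN into (type, value) pairs.

    Accepts the RFC 2253 form from the mongod log ("CN=x,OU=y,...") and the
    spaced openssl default ("C = CH, ST = ZH, ..."). A backslash escapes the
    next character, so "a\\,b" stays one value instead of splitting.
    """
    rdns: list[tuple[str, str]] = []
    buf: list[str] = []
    i = 0
    while i <= len(dn):
        if i == len(dn) or dn[i] == ",":
            part = "".join(buf).strip()
            if part:
                typ, _, val = part.partition("=")
                rdns.append((typ.strip().upper(), val.strip()))
            buf = []
        elif dn[i] == "\\" and i + 1 < len(dn):
            buf.append(dn[i + 1])  # escaped character, kept literally
            i += 1
        else:
            buf.append(dn[i])
        i += 1
    return rdns


def canonical_cluster_dn(dn: str) -> Counter:
    """Keep only O, OU and DC; attribute order in the DN is irrelevant."""
    return Counter((t, v) for t, v in parse_dn(dn) if t in {"O", "OU", "DC"})


def is_cluster_member(peer_subject: str, server_subject: str) -> bool:
    """Rule 1: same O/OU/DC multiset as the server's own certificate."""
    return canonical_cluster_dn(peer_subject) == canonical_cluster_dn(server_subject)


@dataclass(frozen=True)
class TlsConfig:
    ca_file: str                        # net.tls.CAFile, as the CA's CN
    cluster_ca_file: str | None = None  # net.tls.clusterCAFile, as the CA's CN


def inbound_peer_ca(cfg: TlsConfig) -> str:
    """Rule 2: the CA that validates a certificate presented to this mongod."""
    return cfg.cluster_ca_file or cfg.ca_file


def classify_inbound(cfg: TlsConfig, server_subject: str,
                     peer_subject: str, peer_issuer: str) -> str:
    """Outcome for one inbound connection presenting (peer_subject, peer_issuer)."""
    if peer_issuer != inbound_peer_ca(cfg):
        return "tls-handshake-failed"      # the peer sees the connection closed
    if is_cluster_member(peer_subject, server_subject):
        return "cluster-member"            # internal auth, no $external lookup
    return "client:" + peer_subject        # MONGODB-X509 user lookup in $external


# Constructed inputs, taken from the subjects and issuers quoted in the ticket.
SERVER_OU_SPLIT = "CN=mongodb.server,OU=mongodb.server,O=Sunrise-UPC,L=Zurich,ST=ZH,C=CH"
MEMBER_OU_SPLIT = "CN=mongodb.member,OU=mongodb.member,O=Sunrise-UPC,L=Zurich,ST=ZH,C=CH"
SERVER_OU_OSS = "C = CH, ST = ZH, L = Zurich, O = Sunrise-UPC, OU = OSS, CN = mongodb.server"
MEMBER_OU_OSS = "CN=mongodb.member,OU=OSS,O=Sunrise-UPC,L=Zurich,ST=ZH,C=CH"
CLIENT_ADMIN = "CN=admin,OU=ClientAuthentication,O=Sunrise-UPC,L=Zurich,ST=ZH,C=CH"

REPLSET_CFG = TlsConfig(ca_file="mongo-ca", cluster_ca_file="mongo.member-ca")  # two CAs
STANDALONE_CFG = TlsConfig(ca_file="mongo-ca")                                  # one CA


def ticket_scenarios() -> dict[str, str]:
    """The four situations described in the ticket, run through the model."""
    return {
        "first attempt, OU differs": classify_inbound(
            REPLSET_CFG, SERVER_OU_SPLIT, MEMBER_OU_SPLIT, "mongo.member-ca"),
        "second attempt, OU=OSS": classify_inbound(
            REPLSET_CFG, SERVER_OU_OSS, MEMBER_OU_OSS, "mongo.member-ca"),
        "client cert vs replica set": classify_inbound(
            REPLSET_CFG, SERVER_OU_OSS, CLIENT_ADMIN, "mongo-ca"),
        "client cert vs standalone": classify_inbound(
            STANDALONE_CFG, SERVER_OU_OSS, CLIENT_ADMIN, "mongo-ca"),
    }


if __name__ == "__main__":
    for name, outcome in ticket_scenarios().items():
        print(f"{name:28s} -> {outcome}")
```

Run as a script, the model reproduces the four observations in the ticket. The first member certificate (OU=mongodb.member) does not share the server certificate's OU, so the node classifies it as a client and looks its DN up in $external, which is exactly the UserNotFound log line; once both certificates carry OU=OSS the peer is a member. The client certificate issued by mongo-ca is checked against mongo.member-ca on the replica set node, because clusterCAFile, when set, is the CA for every presented certificate, not just member ones; the handshake fails and the connection is closed before any authentication mechanism (x.509 or password) is reached, while the standalone, whose only CA is mongo-ca, accepts it and proceeds to the $external lookup. A practical check when planning separate CAs is therefore to confirm that whatever file is named in clusterCAFile can validate every certificate that will ever be presented to that node, client certificates included.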