Uploaded image for project: 'MongoDB Database Tools'
  1. MongoDB Database Tools
  2. TOOLS-2996

Mongodump/mongorestore: “tls: private key does not match public key”

    XMLWordPrintable

Details

    Description

      Problem Statement/Rationale

      I have a secured sharded cluster. I am calling mongodump/mongorestore on a mongos instance. The program answers that private key does not match public key, which is false. I know it because i use the same keys to connect to mongodb using nodejs driver, mongosh, and compass.

      Steps to Reproduce

      - This is my mongos.conf:

       

      # ***** mongos.conf for mongos node *****
      # for documentation of all options, see:
      #   http://docs.mongodb.org/manual/reference/configuration-options/
      # ***************************************
      # + db node name: "node-mongos-mongos1"
      # + creation date: "Sun 05 Dec 2021 08:26:48 AM UTC"
      # ***************************************
       
      # logging
      systemLog:
          destination: file
          logAppend: true
          path: /player22/db/nodes/node-mongos-mongos1/log/mongos.log
       
      # network interface
      net:
          port: 28000
          bindIpAll: true
       
      # how the process runs
      processManagement:
          timeZoneInfo: /usr/share/zoneinfo
       
      # authentication
      security:
          keyFile: /player22/db/shared/config/mongodb.key
       
      # sharding
      sharding:
          configDB: rscfgsvr1/linode1.player22.com:28001
       
      # profiling
      operationProfiling:
          # the slow operation time threshold, in milliseconds. Operations that run for longer than this threshold are considered slow.
          slowOpThresholdMs: 100
          # the fraction of slow operations that should be profiled or logged. operationProfiling.slowOpSampleRate accepts values between 0 and 1, inclusive.
          slowOpSampleRate: 1
       
      # ssl
      net:
         tls:
            mode: requireTLS
            certificateKeyFile: /player22/shared/ssl/cert-plus-key-decrypted.pem # ssl enabled between server nodes
            CAFile: /player22/shared/ssl/ca.pem # server also requires certificate from client
      

      • This is an example of mongorestore command that produces the error about key mismatch:

       

       

      mongorestore --username="restoreUser" --password="<hidden>" --drop --preserveUUID --maintainInsertionOrder --stopOnError --uri="mongodb://linode1.player22.com:28000" --ssl --sslPEMKeyFile="/player22/shared/ssl/cert-plus-key-decrypted.pem" --sslCAFile="/player22/shared/ssl/ca.pem" --authenticationDatabase="admin" --gzip --archive="toto.gz" --verbose
      

       

      Expected Results

      Not this error, and a normal connection instead.

      Actual Results

      Error:  “tls: private key does not match public key”

      Additional Notes

      These are 2 links of reports of almost the same issue:

      link1

      link2

      The second link suggests it could be related to letsencrypt. I am using letsencrypt too.

      I am running mongodb and tools on debian 10.

      I have installed the latest version of everything.

      My keys are good because I am using them for other mongodb clients and it works.

      I have also double-checked my keys using open ssl. As you can see, there is no mismatch between the public and the private key:

      root@localhost:~# openssl x509 -noout -modulus -in /player22/shared/ssl/cert.pem | openssl md5
      (stdin)= 460774f2783e7bf9d3eba3e20bfc40ce
      root@localhost:~# openssl rsa -noout -modulus -in /player22/shared/ssl/key-decrypted.pem | openssl md5
      (stdin)= 460774f2783e7bf9d3eba3e20bfc40ce
      root@localhost:~# openssl x509 -noout -modulus -in /player22/shared/ssl/cert-plus-key-decrypted.pem | openssl md5
      (stdin)= 460774f2783e7bf9d3eba3e20bfc40ce
      

      Attachments

        Issue Links

          Activity

            People

              tim.fogarty@mongodb.com Tim Fogarty
              bonjourjoel@gmail.com Joel J
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: