[SERVER-36459] --keyFile now required to start shard servers with TLS and auth Created: 06/Aug/18  Updated: 27/Oct/23  Resolved: 06/Aug/18

Status: Closed
Project: Core Server
Component/s: Sharding
Affects Version/s: None
Fix Version/s: None

Type: Bug Priority: Major - P3
Reporter: A. Jesse Jiryu Davis Assignee: Nick Brewer
Resolution: Works as Designed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: File mongo_c_driver_code_coverage_ubuntu_test_coverage_latest_sharded_auth_openssl_patch_ea29177af4d347616b2213016dac59c59e2b0eb7_5b66cff22fbabe1abc9a4f61_18_08_05_10_22_42-0-mongodb-logs.tar.gz    
Issue Links:
Problem/Incident
causes CDRIVER-2783 test-valgrind-latest-sharded-auth-ope... Closed
Operating System: ALL
Participants:

Description

In the last week or two, the C Driver's mongo-orchestration config files for starting a sharded cluster with TLS and auth have stopped working intermittently with the latest MongoDB server build. Shard servers now log this, and the cluster fails to initialize:

2018-08-01T22:40:39.605+0000 I NETWORK  [listener] connection accepted from 127.0.0.1:57142 #75 (6 connections now open)
2018-08-01T22:40:39.609+0000 W NETWORK  [conn75] SSL peer certificate validation failed: unsupported certificate purpose
2018-08-01T22:40:39.609+0000 I NETWORK  [conn75] received client metadata from 127.0.0.1:57142 conn75: { driver: { name: "MongoDB Internal Client", version: "4.1.1-175-g075d7fe" }, os: { type: "Linux", name: "Ubuntu", architecture: "x86_64", version: "14.04" } }
2018-08-01T22:40:39.610+0000 I ACCESS   [conn75] SASL SCRAM-SHA-1 authentication failed for __system on local from client 127.0.0.1:57142 ; AuthenticationFailed: It is not possible to authenticate as the __system user on servers started without a --keyFile parameter
2018-08-01T22:40:39.610+0000 I NETWORK  [conn75] end connection 127.0.0.1:57142 (5 connections now open)

The C Driver's current configuration looks like this:

https://github.com/mongodb/mongo-c-driver/blob/2f3878954915baf0c07b2e5d8a6e81964ca76e6c/orchestration_configs/sharded_clusters/auth-ssl.json

Mongo orchestration starts two members per replica set for the shards, and it does not pass --keyFile to the shard servers. I've filed this as a possible mongo orchestration bug:

https://github.com/10gen/mongo-orchestration/issues/251

I'm nevertheless filing this as a SERVER bug because the server used to work with this configuration. Either --keyFile has unintentionally become a requirement, or it's intentional and it needs to be documented.
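The failure mode described above, as an added example that is not part of the original issue or of the C Driver / mongo-orchestration code: a small Python checker that parses the pre-4.4 mongod text log format, groups lines by connection, and flags connections where another cluster member (client metadata "MongoDB Internal Client") failed __system authentication because the shard member was started without --keyFile. The sample log is the lines quoted in the description; the line regex, the function names and the returned field names are my own choices.

```python
import re
from collections import defaultdict

# Sample input: the mongod log lines quoted in the issue description (constructed inline).
SAMPLE_LOG = """\
2018-08-01T22:40:39.605+0000 I NETWORK  [listener] connection accepted from 127.0.0.1:57142 #75 (6 connections now open)
2018-08-01T22:40:39.609+0000 W NETWORK  [conn75] SSL peer certificate validation failed: unsupported certificate purpose
2018-08-01T22:40:39.609+0000 I NETWORK  [conn75] received client metadata from 127.0.0.1:57142 conn75: { driver: { name: "MongoDB Internal Client", version: "4.1.1-175-g075d7fe" }, os: { type: "Linux", name: "Ubuntu", architecture: "x86_64", version: "14.04" } }
2018-08-01T22:40:39.610+0000 I ACCESS   [conn75] SASL SCRAM-SHA-1 authentication failed for __system on local from client 127.0.0.1:57142 ; AuthenticationFailed: It is not possible to authenticate as the __system user on servers started without a --keyFile parameter
2018-08-01T22:40:39.610+0000 I NETWORK  [conn75] end connection 127.0.0.1:57142 (5 connections now open)
"""

# Pre-4.4 text log layout: <timestamp> <severity> <component> [<context>] <message>
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<sev>[DIWEF]) (?P<comp>\S+)\s+\[(?P<ctx>[^\]]+)\] (?P<msg>.*)$")

# Message fragments taken verbatim from the log above.
KEYFILE_MSG = "It is not possible to authenticate as the __system user on servers started without a --keyFile parameter"
CERT_PURPOSE_MSG = "SSL peer certificate validation failed: unsupported certificate purpose"
INTERNAL_CLIENT = 'name: "MongoDB Internal Client"'


def parse_log(text):
    """Return one dict per well-formed log line; unparseable lines are skipped."""
    return [m.groupdict() for m in (LINE_RE.match(raw) for raw in text.splitlines()) if m]


def find_keyfile_failures(text):
    """Group lines by connection and report each connection on which a peer failed
    __system auth for lack of --keyFile. 'internal_client' tells whether the peer
    identified itself as a cluster member; 'cert_purpose_warning' records the TLS
    warning that preceded the auth failure in the quoted log."""
    by_conn = defaultdict(list)
    for rec in parse_log(text):
        if rec["ctx"].startswith("conn"):
            by_conn[rec["ctx"]].append(rec["msg"])
    findings = []
    for conn, msgs in sorted(by_conn.items()):
        if not any(KEYFILE_MSG in m for m in msgs):
            continue
        peer = next((re.search(r"from client (\S+)", m).group(1) for m in msgs if "from client" in m), None)
        findings.append({
            "conn": conn,
            "peer": peer,
            "internal_client": any(INTERNAL_CLIENT in m for m in msgs),
            "cert_purpose_warning": any(CERT_PURPOSE_MSG in m for m in msgs),
        })
    return findings


if __name__ == "__main__":
    for f in find_keyfile_failures(SAMPLE_LOG):
        print(f"{f['conn']}: peer {f['peer']} failed __system auth without --keyFile "
              f"(internal client: {f['internal_client']}, cert purpose warning: {f['cert_purpose_warning']})")
```

Run against a shard member's log, a non-empty result with `internal_client` set means the member is rejecting its own replica-set or config-server peers, which matches the cluster-initialization failure in the description.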


Generated at Thu Feb 08 04:43:10 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.