<!-- 
RSS generated by JIRA (9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66) at Thu Feb 08 03:24:30 UTC 2024

It is possible to restrict the fields that are returned in this document by specifying the 'field' parameter in your request.
For example, to request only the issue key and summary append 'field=key&field=summary' to the URL of your request.
-->
<rss version="0.92" >
<channel>
    <title>MongoDB Jira</title>
    <link>https://jira.mongodb.org</link>
    <description>This file is an XML representation of an issue</description>
    <language>en-us</language>
    <build-info>
        <version>9.7.1</version>
        <build-number>970001</build-number>
        <build-date>13-04-2023</build-date>
    </build-info>


<item>
            <title>[SERVER-10962] Add support for online (SSL/X.509) server cert. replacement</title>
                <link>https://jira.mongodb.org/browse/SERVER-10962</link>
                <project id="10000" key="SERVER">Core Server</project>
                    <description>&lt;p&gt;Users will want to upgrade server certs without downtime, or restarts.&lt;/p&gt;</description>
                <environment></environment>
        <key id="92101">SERVER-10962</key>
            <summary>Add support for online (SSL/X.509) server cert. replacement</summary>
                <type id="2" iconUrl="https://jira.mongodb.org/secure/viewavatar?size=xsmall&amp;avatarId=14711&amp;avatarType=issuetype">New Feature</type>
                                            <priority id="4" iconUrl="https://jira.mongodb.org/images/icons/priorities/minor.svg">Minor - P4</priority>
                        <status id="6" iconUrl="https://jira.mongodb.org/images/icons/statuses/closed.png" description="The issue is considered finished, the resolution is correct. Issues which are closed can be reopened.">Closed</status>
                    <statusCategory id="3" key="done" colorName="success"/>
                                    <resolution id="9">Done</resolution>
                                        <assignee username="backlog-server-security">Backlog - Security Team</assignee>
                                    <reporter username="scotthernandez">Scott Hernandez</reporter>
                        <labels>
                            <label>former-quick-wins</label>
                    </labels>
                <created>Mon, 30 Sep 2013 17:49:57 +0000</created>
                <updated>Tue, 6 Dec 2022 05:16:55 +0000</updated>
                            <resolved>Thu, 20 Aug 2020 20:39:12 +0000</resolved>
                                                    <fixVersion>4.7.0</fixVersion>
                                    <component>Security</component>
                                        <votes>12</votes>
                                    <watches>30</watches>
                                                                                                                <comments>
                            <comment id="3672651" author="thomas.schubert" created="Fri, 19 Mar 2021 02:30:32 +0000"  >&lt;p&gt;Hey &lt;a href=&quot;https://jira.mongodb.org/secure/ViewProfile.jspa?name=ian.springer%40gmail.com&quot; class=&quot;user-hover&quot; rel=&quot;ian.springer@gmail.com&quot;&gt;ian.springer@gmail.com&lt;/a&gt;,&lt;/p&gt;

&lt;p&gt;It&apos;ll still be in our next LTS release (e.g. what previously might have been referred to as 4.6.0), please take a look at &lt;a href=&quot;https://www.mongodb.com/blog/post/new-quarterly-releases-starting-with-mongodb-5-0&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;https://www.mongodb.com/blog/post/new-quarterly-releases-starting-with-mongodb-5-0&lt;/a&gt; for more details.&lt;/p&gt;

&lt;p&gt;Best,&lt;br/&gt;
Kelsey&lt;/p&gt;</comment>
                            <comment id="3672577" author="ian.springer@gmail.com" created="Fri, 19 Mar 2021 00:38:21 +0000"  >&lt;p&gt;The fix version on &lt;a href=&quot;https://jira.mongodb.org/browse/SERVER-49116&quot; title=&quot;Implement Rotate Command&quot; class=&quot;issue-link&quot; data-issue-key=&quot;SERVER-49116&quot;&gt;&lt;del&gt;SERVER-49116&lt;/del&gt;&lt;/a&gt; is 4.7.0. Did it get pushed from 4.6 to 4.8?&lt;/p&gt;</comment>
                            <comment id="3349878" author="mark.benvenuto" created="Thu, 20 Aug 2020 20:39:12 +0000"  >&lt;p&gt;We added support for a new command rotateCertificates to rotate certificates on the server side as part of &lt;a href=&quot;https://jira.mongodb.org/browse/SERVER-49116&quot; title=&quot;Implement Rotate Command&quot; class=&quot;issue-link&quot; data-issue-key=&quot;SERVER-49116&quot;&gt;&lt;del&gt;SERVER-49116&lt;/del&gt;&lt;/a&gt;. It will ship in 4.5.1.&lt;/p&gt;</comment>
                            <comment id="2031185" author="vaibhaw" created="Fri, 12 Oct 2018 13:27:07 +0000"  >&lt;p&gt;Hello &lt;a href=&quot;https://jira.mongodb.org/secure/ViewProfile.jspa?name=matt.lord&quot; class=&quot;user-hover&quot; rel=&quot;matt.lord&quot;&gt;matt.lord&lt;/a&gt;,&lt;/p&gt;

&lt;p&gt;Thank you for your thought out response! &lt;img class=&quot;emoticon&quot; src=&quot;https://jira.mongodb.org/images/icons/emoticons/smile.png&quot; height=&quot;16&quot; width=&quot;16&quot; align=&quot;absmiddle&quot; alt=&quot;&quot; border=&quot;0&quot;/&gt;&lt;/p&gt;


&lt;p&gt;You are right in pointing out that no other database supports online cert replacement and it is a rather hairy thing to get right. I just wanted to understand how you folks view this issue and intend to solve it.&lt;/p&gt;

&lt;p&gt;A rolling sort of a solution sounds like a fair one, much like the current way we move from non-SSL to completely SSL deployments. Just that this operation will need to run frequently. Since it wouldn&apos;t be possible to offer the new cert to just one node and let it percolate to others - what will be desirable is a well-documented process for performing such a certificate replacement.&lt;/p&gt;

&lt;p&gt;Again, I just wanted to understand if this use case was on your radar and how you were approaching it. Thanks for explaining that, Matt. &lt;img class=&quot;emoticon&quot; src=&quot;https://jira.mongodb.org/images/icons/emoticons/smile.png&quot; height=&quot;16&quot; width=&quot;16&quot; align=&quot;absmiddle&quot; alt=&quot;&quot; border=&quot;0&quot;/&gt;&lt;/p&gt;</comment>
                            <comment id="2028274" author="matt.lord" created="Tue, 9 Oct 2018 19:24:43 +0000"  >&lt;p&gt;Hi &lt;a href=&quot;https://jira.mongodb.org/secure/ViewProfile.jspa?name=vaibhaw&quot; class=&quot;user-hover&quot; rel=&quot;vaibhaw&quot;&gt;vaibhaw&lt;/a&gt;,&#160;&lt;/p&gt;

&lt;p&gt;That is actually one of the use cases that we have in mind. We have several related projects on our plan now (disclaimer that we cannot make forward looking projections on dates or versions for future work):&lt;/p&gt;
&lt;ol&gt;
	&lt;li&gt;Drastically improve the election handoff time when doing a replSetStepDown (this work is already in 4.1.3+)&lt;/li&gt;
	&lt;li&gt;Support TLS cert replacement via a cluster rolling restart (rather than having to take down the entire cluster and re-bootstrap)&lt;/li&gt;
	&lt;li&gt;Work with the goal of incurring no downtime from planned maintenance&#160;&lt;/li&gt;
&lt;/ol&gt;


&lt;p&gt;So you would then be able to replace the cert on each of the Secondaries one at a time via a restart of the process. And then finally replace it on the Primary via a replSetStepDown and restart of the process. All w/o incurring application downtime (although there would be some connection errors, but that would happen either way&#8211;see below).&#160;&lt;/p&gt;

&lt;p&gt;To the best of my knowledge no other databases support online cert replacement, and this is because to do that would require you to drain all open connections while blocking new ones, once connection count is at 0, then create a new security context with the new cert, and finally allow new connections again. So in the end it&apos;s often worse than simply restarting the process&#8211;all while requiring a lot of engineering effort that could instead be put towards things that otherwise cannot be solved. And a side benefit of a process restart is that you also have the opportunity to periodically install the latest patch release (e.g. 4.0.3) which is important in and of itself.&#160;&lt;/p&gt;

&lt;p&gt;If you have any additional input or ideas though, I&apos;d love to discuss it.&lt;/p&gt;

&lt;p&gt;Thanks!&lt;/p&gt;

&lt;p&gt;Matt&lt;/p&gt;</comment>
                            <comment id="2025757" author="vaibhaw" created="Sat, 6 Oct 2018 03:45:21 +0000"  >&lt;p&gt;There is now a somewhat important (IMO) use case - supporting Let&apos;s Encrypt (LE) signed certificates with MongoDB. LE is fast becoming the simplest (and cheapest) way to get proper signed certificates. However, their short validity (90 days, see &lt;a href=&quot;https://letsencrypt.org/2015/11/09/why-90-days.html&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;https://letsencrypt.org/2015/11/09/why-90-days.html&lt;/a&gt;) is a serious issue in adopting them for database servers. &lt;/p&gt;

&lt;p&gt;Can you please consider targeting it to a release?&lt;/p&gt;</comment>
                            <comment id="1704474" author="bvarga@opswat.com" created="Fri, 20 Oct 2017 06:05:42 +0000"  >&lt;p&gt;Hello Support team,&lt;br/&gt;
Any news related to this problem?&lt;br/&gt;
Thanks&lt;/p&gt;</comment>
                    </comments>
                <issuelinks>
                            <issuelinktype id="10010">
                    <name>Duplicate</name>
                                                                <inwardlinks description="is duplicated by">
                                        <issuelink>
            <issuekey id="195614">SERVER-18008</issuekey>
        </issuelink>
            <issuelink>
            <issuekey id="614718">SERVER-37494</issuekey>
        </issuelink>
                            </inwardlinks>
                                    </issuelinktype>
                            <issuelinktype id="10012">
                    <name>Related</name>
                                            <outwardlinks description="related to">
                                                        </outwardlinks>
                                                                <inwardlinks description="is related to">
                                                        </inwardlinks>
                                    </issuelinktype>
                    </issuelinks>
                <attachments>
                    </attachments>
                <subtasks>
                    </subtasks>
                <customfields>
                                                <customfield id="customfield_10050" key="com.atlassian.jira.toolkit:comments">
                        <customfieldname># Replies</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>7.0</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                <customfield id="customfield_12751" key="com.atlassian.jira.plugin.system.customfieldtypes:multiselect">
                        <customfieldname>Assigned Teams</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue key="25129"><![CDATA[Server Security]]></customfieldvalue>
    
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                            <customfield id="customfield_10011" key="com.atlassian.jira.plugin.system.customfieldtypes:radiobuttons">
                        <customfieldname>Backwards Compatibility</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue key="10038"><![CDATA[Fully Compatible]]></customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                    <customfield id="customfield_13552" key="com.go2group.jira.plugin.crm:crm_generic_field">
                        <customfieldname>Case</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue><![CDATA[[500A000000bBheqIAC, 5002K00000dVslOQAS, 5002K00000dHNhsQAG, 5002K00000gloOUQAY, 5002K00000hPslZQAS, 5002K00000iMuSnQAK, 5002K00000s2PWXQA2]]]></customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                            <customfield id="customfield_10055" key="com.atlassian.jira.ext.charting:firstresponsedate">
                        <customfieldname>Date of 1st Reply</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>Mon, 30 Sep 2013 18:14:35 +0000</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10052" key="com.atlassian.jira.toolkit:dayslastcommented">
                        <customfieldname>Days since reply</customfieldname>
                        <customfieldvalues>
                                        2 years, 46 weeks, 6 days ago
    
                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_18254" key="com.onresolve.jira.groovy.groovyrunner:scripted-field">
                        <customfieldname>Dependencies</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue><![CDATA[]]></customfieldvalue>


                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_15850" key="com.atlassian.jira.plugins.jira-development-integration-plugin:devsummary">
                        <customfieldname>Development</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                                                                                                        <customfield id="customfield_17050" key="com.atlassian.jira.plugin.system.customfieldtypes:radiobuttons">
                        <customfieldname>Downstream Team Attention</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue key="16941"><![CDATA[Not Needed]]></customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                        <customfield id="customfield_10857" key="com.pyxis.greenhopper.jira:gh-epic-link">
                        <customfieldname>Epic Link</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>PM-1291</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                <customfield id="customfield_10057" key="com.atlassian.jira.toolkit:lastusercommented">
                        <customfieldname>Last comment by Customer</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>true</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                                            <customfield id="customfield_10056" key="com.atlassian.jira.toolkit:lastupdaterorcommenter">
                        <customfieldname>Last commenter</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>alexander.golin@mongodb.com</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_11151" key="com.atlassian.jira.toolkit:LastCommentDate">
                        <customfieldname>Last public comment date</customfieldname>
                        <customfieldvalues>
                            2 years, 46 weeks, 6 days ago
                        </customfieldvalues>
                    </customfield>
                                                                                                                        <customfield id="customfield_10000" key="com.atlassian.jira.plugin.system.customfieldtypes:radiobuttons">
                        <customfieldname>Old_Backport</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue key="10000"><![CDATA[No]]></customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                <customfield id="customfield_10051" key="com.atlassian.jira.toolkit:participants">
                        <customfieldname>Participants</customfieldname>
                        <customfieldvalues>
                                        <customfieldvalue>backlog-server-security</customfieldvalue>
            <customfieldvalue>bvarga@opswat.com</customfieldvalue>
            <customfieldvalue>ian.springer@gmail.com</customfieldvalue>
            <customfieldvalue>kelsey.schubert@mongodb.com</customfieldvalue>
            <customfieldvalue>mark.benvenuto@mongodb.com</customfieldvalue>
            <customfieldvalue>matt.lord</customfieldvalue>
            <customfieldvalue>scotthernandez</customfieldvalue>
            <customfieldvalue>vaibhaw</customfieldvalue>
    
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                        <customfield id="customfield_14254" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>Product Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>1|hrj1of:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                <customfield id="customfield_12550" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>2|hr8e6v:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10558" key="com.pyxis.greenhopper.jira:gh-global-rank">
                        <customfieldname>Rank (Obsolete)</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>5088</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        <customfield id="customfield_10053" key="com.atlassian.jira.ext.charting:timeinstatus">
                        <customfieldname>Time In Status</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        <customfield id="customfield_22870" key="com.onresolve.jira.groovy.groovyrunner:scripted-field">
                        <customfieldname>Triagers</customfieldname>
                        <customfieldvalues>
                                

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                    <customfield id="customfield_14350" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>serverRank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>1|hrir9b:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                    </customfields>
    </item>
</channel>
</rss>