4.2 -> 4.4, now getting keyfile error?

Hi folks.

The context:
At one point we had a single server with 4.0. We’ve upgraded and now we’ve got a few 3-member replica sets, and I’m in the process of upgrading some from 4.2 to 4.4, and others from 4.4 to 5.0. In the process I slapped together some keyfile authentication for replica sets, and then switched to x509 when I had the time. I’ve got a couple replica sets showing the same behavior, and it’s mystifying me.

The 3-node replica set I’m concerned with is being upgraded from 4.2 to 4.4. It was using keyfile authentication at one point but has been using x509 instead for a while. There are no keyfile entries in the mongod.conf file and no complaints about this in 4.2, the logs show the RS members are authenticating to each other with x509, the db.adminCommand confirms I’ve got tlsMode:preferTLS and clusterAuthMode:sendX509. I’ve used x509 to authenticate as a user. No problems.

The problem:
I upgraded one node from 4.2 to 4.4 and couldn’t bring the server back up, because it was complaining (via journalctl) “BadValue: security.keyFile is required when authorization is enabled with replica sets”. If I slap a keyfile on disk and add an entry to the mongod.conf file, it starts and uses x509 to secure connections to the other RS members.

The keyfile shouldn’t be required if I’m not using keyfile authentication, right? I’m not losing my mind or misreading things? Why is 4.4 insisting I need a keyfile when 4.2 didn’t?

As per upgrade doc step 4:

Update the net.tls.mode to requireTLS and security.clusterAuthMode to x509.

Optional but recommended. Update all nodes to use only TLS/SSL connections and only x.509 certificate for membership authentication.

The specific mistake I made was setting clusterAuthMode to “sendX509” instead of “x509”. Once I reread the documentation of the update from keyfile to x509 authentication I realized I’d skipped that step. Ramachandra_Tummala is entirely correct.

I make this explicit point for anyone who comes after me: sendX509 will raise missing keyfile errors. x509 will not.
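To make the difference concrete, here is an added mongod.conf illustration (not from this thread or the MongoDB docs) of the transitional state that produces the "security.keyFile is required" error next to the finished x.509-only state. File paths and the replica set name are placeholders; the TLS keys shown are the standard net.tls and security options.

```yaml
# Added example. Two alternative mongod.conf contents for one member of a
# 3-member replica set, separated as YAML documents with "---".
# Paths and replSetName are placeholders.

# --- Transitional (rolling-upgrade) state. sendX509 presents this member's
# --- certificate but still accepts keyfile authentication from peers, so
# --- mongod 4.4 refuses to start unless security.keyFile is also set.
net:
  tls:
    mode: preferTLS
    certificateKeyFile: /etc/ssl/mongodb/member.pem   # placeholder path
    CAFile: /etc/ssl/mongodb/ca.pem                   # placeholder path
security:
  authorization: enabled
  clusterAuthMode: sendX509
  keyFile: /etc/mongodb/keyfile                       # required in this state
replication:
  replSetName: rs0                                    # placeholder
---
# --- Final state once every member has its certificate. x509 requires peers
# --- to present certificates, so no keyFile entry is needed or present.
net:
  tls:
    mode: requireTLS
    certificateKeyFile: /etc/ssl/mongodb/member.pem   # placeholder path
    CAFile: /etc/ssl/mongodb/ca.pem                   # placeholder path
security:
  authorization: enabled
  clusterAuthMode: x509
replication:
  replSetName: rs0                                    # placeholder
```

After restarting a member, `db.adminCommand({getCmdLineOpts: 1})` returns the parsed `security.clusterAuthMode` and `net.tls.mode`, which is a quick way to confirm each node is in the final state before moving on to the next one.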
