Hi folks.
The context:
At one point we had a single server with 4.0. We’ve upgraded and now we’ve got a few 3-member replica sets, and I’m in the process of upgrading some from 4.2 to 4.4, and others from 4.4 to 5.0. In the process I slapped together some keyfile authentication for replica sets, and then switched to x509 when I had the time. I’ve got a couple replica sets showing the same behavior, and it’s mystifying me.
The 3-node replica set I’m concerned with is being upgraded from 4.2 to 4.4. It was using keyfile authentication at one point but has been using x509 instead for a while. There are no keyfile entries in the mongod.conf file and no complaints about this in 4.2; the logs show the RS members are authenticating to each other with x509, and the db.adminCommand confirms I’ve got tlsMode:preferTLS and clusterAuthMode:sendX509. I’ve used x509 to authenticate as a user. No problems.
The problem:
I upgraded one node from 4.2 to 4.4 and couldn’t bring the server back up, because it was complaining (via journalctl) “BadValue: security.keyFile is required when authorization is enabled with replica sets”. If I slap a keyfile on disk and add an entry to the mongod.conf file, it starts and uses x509 to secure connections to the other RS members.
The keyfile shouldn’t be required if I’m not using keyfile authentication, right? I’m not losing my mind or misreading things? Why is 4.4 insisting I need a keyfile when 4.2 didn’t?