Cannot connect to MongoDB with TLS (x509)

Hi,
I’m testing MongoDB with TLS, and can connect from Mongo Compass, but cannot from code (golang). It shows an error as below:

uri mongodb://192.168.1.70,192.168.1.75,192.168.1.72:27017/?ssl=true&tlsCAFile=./mongoCA.crt&tlsCertificateKeyFile=./vps1.pem&tlsCertificateKeyFilePassword=12344321

Ping error server selection error: server selection timeout, current topology: { Type: ReplicaSetNoPrimary, Servers: [{ Addr: 192.168.1.70:27017, Type: Unknown, Last error: connection() error occured during connection handshake: x509: cannot validate certificate for 192.168.1.70 because it doesn't contain any IP SANs }, { Addr: 192.168.1.75:27017, Type: Unknown, Last error: connection() error occured during connection handshake: x509: cannot validate certificate for 192.168.1.75 because it doesn't contain any IP SANs }, { Addr: 192.168.1.72:27017, Type: Unknown, Last error: connection() error occured during connection handshake: x509: cannot validate certificate for 192.168.1.72 because it doesn't contain any IP SANs }, ] }

this is my mongod.conf

net:
  port: 27017
  bindIp: 0.0.0.0
  tls:
    mode: preferTLS
    certificateKeyFile: /home/vps1/x509/vps1.pem
    CAFile: /home/vps1/x509/mongoCA.crt
    clusterFile: /home/vps1/x509/vps1.pem
    certificateKeyFilePassword: 12344321
    clusterPassword: 12344321
security:
  authorization: enabled
  clusterAuthMode: x509

I searched for answers but found no result about Mongo. Can anyone help me to solve this problem?

Use the port number for all IPs.
Usually the certificate is generated with a hostname, but you are using an IP address.
Is the hostname/IP matching in the client and server certs?
Did you try with the hostname?
Also, for x509 authentication the mode should be requireTLS.

Thanks for your reply!

I changed connection string to this

mongodb://vps1:27017,vps2:27017,vps3:27017/?ssl=true&tlsCAFile=./mongoCA.crt&tlsCertificateKeyFile=./Nam-PC.pem&tlsCertificateKeyFilePassword=12344321

and met this error:

// ...
Addr: vps1:27017, Type: Unknown, Last error: connection() error occured during connection handshake: x509: certificate relies on legacy Common Name field, use SANs instead

If I use the IP:

// ...
x509: cannot validate certificate for 192.168.1.75 because it doesn't contain any IP SANs

Additional information:

Replica set members (using Oracle VM VirtualBox) have the common names

vps1, vps2, vps3
cat /etc/hosts

192.168.1.70 vps1
192.168.1.75 vps2
192.168.1.72 vps3
openssl x509 -in mongoCA.crt -text -noout

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            03:ce:59:24:a0:c8:cf:dc:b1:9f:ce:f3:fc:e8:27:98:46:ff:a9:44
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = VN, ST = DN, L = DN, O = DZ, OU = Tech, CN = mongo, emailAddress = nam@gmail.com
        Validity
            Not Before: Feb 22 03:12:48 2022 GMT
            Not After : Nov 18 03:12:48 2024 GMT
        Subject: C = VN, ST = DN, L = DN, O = DZ, OU = Tech, CN = mongo, emailAddress = nam@gmail.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (8192 bit)
                Modulus:
                    00:d2:a2:52:c1:e9:8e:a7:2c:ae:d5:22:3a:59:24:
                    ...
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                04:11:95:DC:A1:92:D5:3F:CC:28:F2:8D:A8:CD:81:5D:4F:85:75:A2
            X509v3 Authority Key Identifier: 
                keyid:04:11:95:DC:A1:92:D5:3F:CC:28:F2:8D:A8:CD:81:5D:4F:85:75:A2

            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Subject Alternative Name: 
                DNS:vps1, DNS:vps2, DNS:vps3, IP Address:192.168.1.70, IP Address:192.168.1.75, IP Address:192.168.1.72, IP Address:192.168.1.137
    Signature Algorithm: sha256WithRSAEncryption
         7a:93:7e:eb:bf:62:2f:82:11:03:ad:c7:f5:ed:91:c8:18:8b:
         ...

I know a keyfile is not best practice for production, but maybe I will switch to it, because I really don’t know how to fix this.
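Added example (not part of this thread): Go's crypto/x509 verifier, which the Go driver relies on, produces exactly the two messages quoted above when the server certificate has no Subject Alternative Names, and accepts the same host names once the certificate carries DNS and IP SANs. The certificates are self-signed and built in code for the test; the name vps1 and address 192.168.1.70 are taken from the /etc/hosts listing above.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// issueServerCert: self-signed test cert for one member; withSANs=false gives a CN-only cert, true adds DNS and IP SANs.
func issueServerCert(cn, ip string, withSANs bool) (*x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn}, // CN is not consulted for name matching
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	if withSANs {
		tmpl.DNSNames = []string{cn}                 // matches mongodb://vps1:27017
		tmpl.IPAddresses = []net.IP{net.ParseIP(ip)} // matches mongodb://192.168.1.70:27017
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// HostnameCheck applies the same name check the TLS handshake does; "" means the host matched a SAN.
func HostnameCheck(cert *x509.Certificate, host string) string {
	if err := cert.VerifyHostname(host); err != nil {
		return err.Error()
	}
	return ""
}

func main() {
	cnOnly, _ := issueServerCert("vps1", "192.168.1.70", false)
	fixed, _ := issueServerCert("vps1", "192.168.1.70", true)
	fmt.Printf("CN only: %q / %q\n", HostnameCheck(cnOnly, "vps1"), HostnameCheck(cnOnly, "192.168.1.70"))
	fmt.Printf("SANs:    %q / %q\n", HostnameCheck(fixed, "vps1"), HostnameCheck(fixed, "192.168.1.70"))
}
```

The same check can be run against the real vps1.pem by loading it with x509.ParseCertificate, which tells you whether the server certificate (as opposed to the CA certificate printed above) actually carries the SANs the connection string needs.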