Let's Encrypt certificate for internal membership authentication


I’m trying to setup x509 Cluster Authentication using Let’s encrypt certificate.
But getting the following error:

2020-10-29T09:29:40.764+0000 I REPL_HB [replexec-1] Error in heartbeat (requestId: 555) to “hostname”:27017, response status: Unauthorized: not authorized on admin to execute command { replSetHeartbeat: “repl-01”, configVersion: 1, hbv: 1, from: “hostname:27017”, fromId: 0, term: 27, $replData: 1, $clusterTime: { clusterTime: Timestamp(1603880275, 1), signature: { hash: BinData(0, 6775444445555FB8F9AEC2FE5566A791EAD5C1824), keyId: 6886403334444455553 } }, $db: “admin” }

This certificate is working fine for the client authentication, but not for internal membership authentication.


  port: 27017

      mode: requireSSL
      CAFile: /etc/ssl/ca.pem
      PEMKeyFile: /etc/ssl/mongodb.pem
      clusterCAFile: /etc/ssl/ca.pem
      clusterFile: /etc/ssl/mongodb.pem
	  allowConnectionsWithoutCertificates: true

     clusterAuthMode: x509

Output from MongDB admin db:

        "SSLServerSubjectName" : "CN=hostname",
        "SSLServerHasCertificateAuthority" : true,
        "SSLServerCertificateExpirationDate" : ISODate("2021-01-24T10:37:32Z")

I know, that clusterCAFile and clusterFile are overhead parameters in case if already used CAFile, PEMKeyFile, but just in case tried put them also.

The internal authentication works using keyFile.

Also it works with cert signed by self-signed CA, but not with Let’s Encrypt certificate.
Is it something like limitation for using Let’s Encrypt certificate for internal authentication?

Version of MongoDB 3.6

Much appreciate for any help.

It’s hard to debug this remotely. Maybe someone else will still chime in and provide more useful help but if not you may find it useful to check out the M310 course on MongoDB university. It takes you through all the steps to set x509 and keyfile authentication up correctly in the first Chapter.

From this article

the requirements for the certificate for internal authentication are the following:

The Distinguished Name (DN), found in the member certificate’s subject, must specify a non-empty value for at least one of the following attributes: Organization (O), the Organizational Unit (OU) or the Domain Component (DC).

But in Let’s Encrypt certificate the Subject only contains domain name like this: CN = mongo-cl-01.example.com
I’m right in my assumption, that the issue can be, that there is no OU, O or DC in the Subject of Let’s Encrypt certificate ?

I’m facing the same problem as you. Did you find a way to solve it?