Let's Encrypt certificate for internal membership authentication

Hello,

I'm trying to set up x509 Cluster Authentication using a Let's Encrypt certificate,
but I'm getting the following error:

2020-10-29T09:29:40.764+0000 I REPL_HB [replexec-1] Error in heartbeat (requestId: 555) to "hostname":27017, response status: Unauthorized: not authorized on admin to execute command { replSetHeartbeat: "repl-01", configVersion: 1, hbv: 1, from: "hostname:27017", fromId: 0, term: 27, $replData: 1, $clusterTime: { clusterTime: Timestamp(1603880275, 1), signature: { hash: BinData(0, 6775444445555FB8F9AEC2FE5566A791EAD5C1824), keyId: 6886403334444455553 } }, $db: "admin" }

This certificate is working fine for the client authentication, but not for internal membership authentication.

Configuration:

net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.4
  ssl:
    mode: requireSSL
    CAFile: /etc/ssl/ca.pem
    PEMKeyFile: /etc/ssl/mongodb.pem
    clusterCAFile: /etc/ssl/ca.pem
    clusterFile: /etc/ssl/mongodb.pem
    allowConnectionsWithoutCertificates: true

security:
  clusterAuthMode: x509

Output from the MongoDB admin db:

db.serverStatus().security
{
        "SSLServerSubjectName" : "CN=hostname",
        "SSLServerHasCertificateAuthority" : true,
        "SSLServerCertificateExpirationDate" : ISODate("2021-01-24T10:37:32Z")
}

I know that clusterCAFile and clusterFile are redundant when CAFile and PEMKeyFile are already set, but I tried adding them just in case.

The internal authentication works using keyFile.

It also works with a certificate signed by a self-signed CA, but not with the Let's Encrypt certificate.
Is there some limitation on using a Let's Encrypt certificate for internal authentication?

MongoDB version: 3.6

Any help is much appreciated.

It’s hard to debug this remotely. Maybe someone else will still chime in and provide more useful help but if not you may find it useful to check out the M310 course on MongoDB university. It takes you through all the steps to set x509 and keyfile authentication up correctly in the first Chapter.

From this article

the requirements for the certificate for internal authentication are the following:

The Distinguished Name (DN), found in the member certificate’s subject, must specify a non-empty value for at least one of the following attributes: Organization (O), the Organizational Unit (OU) or the Domain Component (DC).

But in a Let's Encrypt certificate the Subject only contains the domain name, like this: CN = mongo-cl-01.example.com
Am I right in my assumption that the issue is that there is no OU, O or DC in the Subject of the Let's Encrypt certificate?
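A pre-flight check for the requirement quoted above, added here as an example (it is not code from this thread or from MongoDB). It takes a subject DN string such as the SSLServerSubjectName value from db.serverStatus().security, or the output of `openssl x509 -noout -subject -nameopt RFC2253 -in member.pem`, and reports whether mongod would accept it as a member certificate; the cross-member consistency check reflects the MongoDB documentation's rule that O/OU/DC values must match between members, which the thread itself does not quote.

```python
"""Check an X.509 subject DN against MongoDB's x509 membership rules."""
import re
from typing import List, Tuple

# Attributes that must carry at least one non-empty value for member auth.
MEMBER_ATTRS = ("O", "OU", "DC")


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split an RFC 2253/4514 DN string into (attribute, value) pairs.

    Separators are ',' between RDNs and '+' inside multi-valued RDNs;
    a backslash escapes them ("O=Acme\\, Inc"). Attribute names are
    upper-cased so 'ou' and 'OU' compare equal.
    """
    pairs = []
    for rdn in re.split(r"(?<!\\),", dn):
        for ava in re.split(r"(?<!\\)\+", rdn):
            attr, sep, value = ava.partition("=")
            if not sep:
                raise ValueError(f"malformed RDN: {ava!r}")
            value = re.sub(r"\\(.)", r"\1", value.strip())  # drop escapes
            pairs.append((attr.strip().upper(), value))
    return pairs


def member_auth_problems(dn: str) -> List[str]:
    """Return a list of reasons the DN is unusable for clusterAuthMode x509
    (empty list means the subject satisfies the non-empty O/OU/DC rule)."""
    present = {a: v for a, v in parse_dn(dn) if a in MEMBER_ATTRS and v}
    if not present:
        return ["subject has no non-empty O, OU or DC attribute; mongod "
                "will reject it as a member certificate (typical for a "
                "Let's Encrypt certificate, whose subject is CN only)"]
    return []


def members_consistent(dns: List[str]) -> bool:
    """True when every member DN carries the same O/OU/DC values
    (MongoDB documentation requirement, assumed here; CN may differ)."""
    keys = [frozenset((a, v) for a, v in parse_dn(d) if a in MEMBER_ATTRS)
            for d in dns]
    return len(set(keys)) == 1


if __name__ == "__main__":
    # Constructed sample DNs: the thread's Let's Encrypt style subject
    # and a subject a private CA would issue for cluster membership.
    for sample in ("CN=mongo-cl-01.example.com",
                   "O=Example Org,OU=mongo,CN=mongo-cl-01.example.com"):
        print(sample, "->", member_auth_problems(sample) or "OK")
```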

I’m facing the same problem as you. Did you find a way to solve it?