Hello,
I'm trying to set up x509 cluster authentication using a Let's Encrypt certificate.
But I get the following error:
2020-10-29T09:29:40.764+0000 I REPL_HB [replexec-1] Error in heartbeat (requestId: 555) to "hostname":27017, response status: Unauthorized: not authorized on admin to execute command { replSetHeartbeat: "repl-01", configVersion: 1, hbv: 1, from: "hostname:27017", fromId: 0, term: 27, $replData: 1, $clusterTime: { clusterTime: Timestamp(1603880275, 1), signature: { hash: BinData(0, 6775444445555FB8F9AEC2FE5566A791EAD5C1824), keyId: 6886403334444455553 } }, $db: "admin" }
This certificate is working fine for the client authentication, but not for internal membership authentication.
Configuration (mongod.conf):
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.4
  ssl:
    mode: requireSSL
    CAFile: /etc/ssl/ca.pem
    PEMKeyFile: /etc/ssl/mongodb.pem
    # same CA and certificate reused for membership authentication
    clusterCAFile: /etc/ssl/ca.pem
    clusterFile: /etc/ssl/mongodb.pem
    allowConnectionsWithoutCertificates: true
security:
  clusterAuthMode: x509
Output from the MongoDB admin db:
db.serverStatus().security
{
  "SSLServerSubjectName" : "CN=hostname",
  "SSLServerHasCertificateAuthority" : true,
  "SSLServerCertificateExpirationDate" : ISODate("2021-01-24T10:37:32Z")
}
I know that clusterCAFile and clusterFile are redundant when CAFile and PEMKeyFile are already set, but I tried adding them anyway, just in case.
The internal authentication works using a keyFile.
It also works with a certificate signed by a self-signed CA, but not with the Let's Encrypt certificate.
Is there some kind of limitation on using a Let's Encrypt certificate for internal authentication?
MongoDB version: 3.6
I'd much appreciate any help.
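A check worth running against the subject DN that `db.serverStatus().security` reports (here `CN=hostname`) is the one MongoDB's documentation spells out for member certificates: the subject must carry a non-empty value for at least one of O, OU or DC, and every member's certificate must agree on those attributes, because that comparison is what distinguishes a cluster peer from any other holder of a certificate under the same CA. The script below is an added example, not code from the post or from MongoDB; it parses DN strings in the RFC 4514 form MongoDB prints and in OpenSSL's slash form, and applies those two rules to a list of member DNs. The DNs in the `__main__` block are constructed for illustration, and the comparison is done in attribute order, which is a conservative assumption on my part, stricter than an order-insensitive match.

```python
import re

# Attributes MongoDB compares to decide whether a certificate belongs to a
# cluster member (O, OU and DC); CN and the rest are ignored for membership.
MEMBERSHIP_ATTRS = ("O", "OU", "DC")


def parse_dn(dn):
    """Parse a DN string into an ordered list of (type, value) pairs.

    Accepts RFC 4514 form ("CN=host,OU=repl-01,O=Example"), including
    "\\," escapes and "+"-joined multi-valued RDNs, and OpenSSL's legacy
    slash form ("/O=Example/OU=repl-01/CN=host").
    """
    dn = dn.strip()
    if dn.startswith("/"):
        parts = [p for p in dn[1:].split("/") if p]
    else:
        # split on commas that are not escaped with a backslash
        parts = [p for p in re.split(r"(?<!\\),", dn) if p.strip()]
    rdns = []
    for part in parts:
        for ava in re.split(r"(?<!\\)\+", part):
            if "=" not in ava:
                raise ValueError("malformed attribute %r" % ava)
            typ, val = ava.split("=", 1)
            rdns.append((typ.strip().upper(), val.strip().replace("\\,", ",")))
    return rdns


def membership_attrs(dn):
    """Return only the O/OU/DC attributes of a DN, in the order they appear."""
    return [(t, v) for t, v in parse_dn(dn) if t in MEMBERSHIP_ATTRS]


def check_membership(dns):
    """Apply the two documented MongoDB membership rules to member subject DNs.

    Returns a list of human-readable problems; an empty list means the
    certificates are usable together under clusterAuthMode: x509.
    """
    problems = []
    canonical = []
    for dn in dns:
        attrs = membership_attrs(dn)
        # Rule 1: at least one non-empty O, OU or DC.
        if not any(v for _, v in attrs):
            problems.append("%s: no non-empty O, OU or DC attribute" % dn)
        canonical.append((dn, attrs))
    # Rule 2: all members agree on O/OU/DC. Compared in order, which is a
    # stricter test than MongoDB may apply (assumption); passing it is safe.
    if canonical:
        ref_dn, ref_attrs = canonical[0]
        for dn, attrs in canonical[1:]:
            if attrs != ref_attrs:
                problems.append("%s: O/OU/DC differ from %s" % (dn, ref_dn))
    return problems


if __name__ == "__main__":
    # Constructed DNs: the shape a DV certificate (CN only) has, versus a
    # private-CA certificate that carries O and OU for the replica set.
    letsencrypt_style = ["CN=node1.example.net", "CN=node2.example.net"]
    private_ca_style = [
        "CN=node1.example.net,OU=repl-01,O=Example",
        "CN=node2.example.net,OU=repl-01,O=Example",
    ]
    for label, dns in (("CN-only", letsencrypt_style),
                       ("O/OU present", private_ca_style)):
        problems = check_membership(dns)
        print(label, "->", problems or "OK for membership authentication")
```

Run it against the DNs from `openssl x509 -in /etc/ssl/mongodb.pem -noout -subject` on each member: a subject that contains nothing but CN fails the first rule on every node, regardless of which CA issued it, so the heartbeat from a peer is treated as an unauthenticated client.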