I am trying to deploy a replica set with MongoDB 8.0 using x.509 certificates for membership authentication and the new parameter net.tls.clusterAuthX509.attributes, see Use X.509 Certificates for Membership Authentication with Self-Managed MongoDB.
By default, the O, OU and DC of the member certificate must be the same as in the server certificate. The parameter net.tls.clusterAuthX509 allows you to use a different O, OU and DC in the member certificate, and that is what I am trying to do. But I fail to set up my replica set.
Here is my config:
Server Certificate mongo.server.pem:
openssl x509 -in mongo.server.pem -noout -nameopt RFC2253 -subject -issuer
subject=CN=server,OU=MongoDB,O=Sunrise,C=CH
issuer=CN=Issuing CA,OU=OSS,O=Sunrise,C=CH
Member Certificate mongo.member.pem:
openssl x509 -in mongo.member.pem -noout -nameopt RFC2253 -subject -issuer
subject=CN=member,OU=differnet,O=Sunrise,C=CH
issuer=CN=Issuing CA,OU=OSS,O=Sunrise,C=CH
Configuration File (relevant part):
net:
  port: 27037
  tls:
    mode: preferTLS
    certificateKeyFile: mongo.server.pem
    clusterFile: mongo.member.pem
    CAFile: mongo-ca.cer
    clusterAuthX509:
      attributes: CN=member,OU=differnet,O=Sunrise,C=CH
security:
  clusterAuthMode: x509
  authorization: enabled
The mongod process starts without any error, but I cannot initialize the ReplicaSet:
mongosh "mongodb://localhost:27037/admin"
Connecting to: mongodb://localhost:27037/admin?directConnection=true&serverSelectionTimeoutMS=2000&appName=mongosh+2.5.1
Using MongoDB: 8.0.4
Using Mongosh: 2.5.1
admin> rs.initiate({
  _id: "repSet",
  members: [
    { _id: 0, host: "localhost:27037", priority: 10 },
    { _id: 1, host: "localhost:27137", priority: 5 }
  ]
});
Uncaught:
MongoServerError[NodeNotFound]: replSetInitiate quorum check failed because not all proposed set members responded affirmatively: localhost:27137 failed with Could not find user "CN=member,OU=differnet,O=Sunrise,C=CH" for db "$external"
admin>
Any suggestions why it fails?
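Added example, not part of the original post: a small pre-flight check that applies the two membership rules described above to the DN strings printed by `openssl -nameopt RFC2253`. It assumes the default rule means the O, OU and DC values of both certificates are equal, and that the `attributes` rule means every listed attribute value must be present in the member certificate subject; the DN values below are taken from the post.

```python
"""Pre-flight check of x.509 membership DN rules (RFC 2253 DN strings)."""
from collections import defaultdict

# Attributes that must agree between server and cluster certificate
# when net.tls.clusterAuthX509.attributes is NOT set (assumed default rule).
DEFAULT_MEMBERSHIP_ATTRS = ("O", "OU", "DC")


def parse_dn(dn: str) -> dict[str, list[str]]:
    """Parse an RFC 2253 DN into {ATTR: [values]}; backslash-escaped
    separators stay in the value, '+' splits multi-valued RDNs."""
    attrs: dict[str, list[str]] = defaultdict(list)
    buf, parts, i = "", [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # escaped character
            buf += dn[i + 1]
            i += 2
            continue
        if ch in ",+":
            parts.append(buf)
            buf = ""
        else:
            buf += ch
        i += 1
    parts.append(buf)
    for part in parts:
        key, _, value = part.strip().partition("=")
        attrs[key.strip().upper()].append(value.strip())
    return dict(attrs)


def default_rule_ok(server_dn: str, member_dn: str) -> list[str]:
    """Names of O/OU/DC attributes whose values differ (empty list = OK)."""
    s, m = parse_dn(server_dn), parse_dn(member_dn)
    return [a for a in DEFAULT_MEMBERSHIP_ATTRS
            if sorted(s.get(a, [])) != sorted(m.get(a, []))]


def attributes_rule_ok(member_dn: str, configured: str) -> list[str]:
    """Configured attribute values missing from the member subject
    (empty list = the certificate satisfies the attributes setting)."""
    m, want = parse_dn(member_dn), parse_dn(configured)
    return [f"{k}={v}" for k, vals in want.items()
            for v in vals if v not in m.get(k, [])]


if __name__ == "__main__":
    SERVER = "CN=server,OU=MongoDB,O=Sunrise,C=CH"    # from the post
    MEMBER = "CN=member,OU=differnet,O=Sunrise,C=CH"  # from the post
    ATTRS = "CN=member,OU=differnet,O=Sunrise,C=CH"   # clusterAuthX509.attributes
    print("default rule, differing attributes:", default_rule_ok(SERVER, MEMBER))
    print("attributes rule, missing values:", attributes_rule_ok(MEMBER, ATTRS))
```

Run the same check against every node's own clusterFile and configuration, since each receiving member evaluates the peer certificate with its local settings.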