I have a question about TLS configuration on MongoDB 6.0. I have a self-signed certificate: mongodb.pem, which includes the private key and public key, and mongodb.crt, which includes only the public key.
I also have a key store in the application (client), which also uses the same public key and private key, and I want to set up mutual TLS authentication between the client and the MongoDB server.
In MongoDB 4.2.3, I can start mongodb with the command below:
mongod --bind_ip_all --dbpath C:\data\mongodb --wiredTigerCacheSizeGB 1 --tlsMode requireTLS --tlsCertificateKeyFile .\mongodb.pem --tlsCAFile .\mongodb.crt --auth
But in MongoDB 6.0, the above command causes an error on start:
{"t":{"$date":"2023-10-17T10:54:42.999+08:00"},"s":"I", "c":"NETWORK", "id":4915701, "ctx":"-","msg":"Initialized wire specification","attr":{"spec":{"incomingExternalClient":{"minWireVersion":0,"maxWireVersion":17},"incomingInternalClient":{"minWireVersion":0,"maxWireVersion":17},"outgoing":{"minWireVersion":6,"maxWireVersion":17},"isInternalClient":true}}}
{"t":{"$date":"2023-10-17T10:54:43.154+08:00"},"s":"F", "c":"CONTROL", "id":20574, "ctx":"thread1","msg":"Error during global initialization","attr":{"error":{"code":140,"codeName":"InvalidSSLConfiguration","errmsg":"CertAddCertificateContextToStore Failed The object or property already exists."}}}
But if I remove the --tlsCAFile option, everything looks great:
mongod --bind_ip_all --dbpath C:\data\mongodb --wiredTigerCacheSizeGB 1 --tlsMode requireTLS --tlsCertificateKeyFile .\mongodb.pem --auth
Is this a limitation of using a self-signed certificate in MongoDB 6.0? Or should we not, or do we not need to, specify the tlsCAFile when using a self-signed certificate?
Thanks!
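A preflight check for the setup described in the question, added here as an example and not taken from the post or from MongoDB: the log line names an object that already exists in the certificate store, so the first thing to verify is whether the file passed as --tlsCAFile carries the same certificate as the one in --tlsCertificateKeyFile. The script compares every CERTIFICATE block in both PEM files by SHA-256 fingerprint; the sample file contents are constructed placeholders (not real X.509 DER), which is enough because only byte identity matters here.

```python
import base64
import hashlib
import re

# Matches each PEM CERTIFICATE block; PRIVATE KEY blocks in a combined .pem are skipped.
_RE_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def cert_fingerprints(pem_text):
    """Return the SHA-256 fingerprint (hex) of every certificate in pem_text."""
    fingerprints = []
    for body in _RE_CERT.findall(pem_text):
        der = base64.b64decode("".join(body.split()))
        fingerprints.append(hashlib.sha256(der).hexdigest())
    return fingerprints


def check_tls_files(cert_key_pem, ca_pem):
    """Flag a CA file that repeats the server's own certificate.

    Returns a dict with 'ok' plus a human-readable reason and any duplicates.
    """
    server = cert_fingerprints(cert_key_pem)
    ca = cert_fingerprints(ca_pem)
    if not server:
        return {"ok": False, "reason": "no certificate in tlsCertificateKeyFile"}
    if not ca:
        return {"ok": False, "reason": "no certificate in tlsCAFile"}
    duplicates = sorted(set(server) & set(ca))
    if duplicates:
        return {"ok": False,
                "reason": "tlsCAFile contains the server certificate itself",
                "duplicates": duplicates}
    return {"ok": True, "reason": "CA file and server certificate are distinct"}


def _pem(label, raw):
    """Wrap raw bytes in PEM framing (64-character lines) for the constructed samples."""
    b64 = base64.b64encode(raw).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


# Constructed sample inputs: placeholder bytes standing in for DER-encoded objects.
SERVER_CERT_DER = b"constructed-server-certificate-bytes-not-real-x509"
CA_CERT_DER = b"constructed-separate-ca-certificate-bytes-not-real-x509"
MONGODB_PEM = _pem("PRIVATE KEY", b"constructed-key-bytes") + _pem("CERTIFICATE", SERVER_CERT_DER)
MONGODB_CRT_SAME = _pem("CERTIFICATE", SERVER_CERT_DER)  # the question's setup: same cert as CA
MONGODB_CRT_CA = _pem("CERTIFICATE", CA_CERT_DER)        # a separate CA certificate

if __name__ == "__main__":
    print(check_tls_files(MONGODB_PEM, MONGODB_CRT_SAME))
    print(check_tls_files(MONGODB_PEM, MONGODB_CRT_CA))
```

Run it against the real mongodb.pem and mongodb.crt by reading the files into the two arguments; a duplicate fingerprint means the CA file is the server certificate itself rather than a separate issuing certificate.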