Testing migration with mongomirror across DC with test CA PEM setup

Hi, I'm troubleshooting a migration test using mongomirror but misunderstanding the keystore requirements (RHEL/CentOS).

I’ve generated a test authority as per: https://www.mongodb.com/docs/manual/appendix/security/appendixA-openssl-ca/

  • SSL has been configured at each destination host, and
  • connections are being opened OK (using mode allowSSL),

however, for all destination nodes mongomirror is reporting

x509: certificate signed by unknown authority 

detail

Error initializing mongomirror: could not initialize destination connection: could not connect to server: server selection error: server selection timeout, current topology: { Type: ReplicaSetNoPrimary, Servers: [{ Addr: <ip>:27017, Type: Unknown, Last error: connection() error occured during connection handshake: x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authoritycertificate "TestCertificateOrgName") }, { Addr: <ip>:27017, Type: Unknown, Last error: connection() error occured during connection handshake: x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "TestCertificateOrgName") }, 

TLS connections are forming OK (mongod is reading and presenting PEMKeyFile and CAFile); however, it appears that mongomirror is not reading these. What I'm looking for (I think) is to be able to specify the keys as args for the destination nodes.

I appreciate this is partly due to not sending to MongoDB Atlas; however, we do want to run this scenario where the destination is TLS/SSL authenticated when using mongomirror.

(related subcomment: mongodb - Mongomirror from atlas to local replica setup - Stack Overflow)

To add more detail: mongod is OK using the certs; however, mongomirror appears not to honor the --sslAllowInvalidCertificates flag:

./mongomirror --host rs01/<ip>:<port>,... \
> --username root \
> --password secret \
> --destination rsx/<ip>:<port>,... \
> --destinationUsername root \
> --destinationPassword secret \
> --destinationAuthenticationDatabase admin \
> --authenticationDatabase admin \
> --sslAllowInvalidHostnames \
> --sslAllowInvalidCertificates \
> --tlsInsecure

Running tail -f on mongod.log on one of the destination hosts, we can see that TLS connections are in fact OK, and mongod is honoring the SSL mode allowSSL:

I NETWORK  [conn1078] end connection <ip>:<port> (2 connections now open)
I NETWORK  [listener] connection accepted from <ip>:<port> #1079 (3 connections now open)
I NETWORK  [conn1079] end connection <ip>:<port> (2 connections now open)
I NETWORK  [listener] connection accepted from <ip>:<port> #1080 (3 connections now open)
I NETWORK  [listener] connection accepted from <ip>:<port> #1081 (4 connections now open)

However, even though mongod is OK, mongomirror is not honoring the sslAllowInvalidCertificates flag, causing it to refuse to continue:

Type: Unknown, Last error: connection() error occured during connection handshake: x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate
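The quoted error is Go's crypto/x509 UnknownAuthorityError, which a Go client raises when the server's certificate chain does not reach any root in the client's own trust pool. The following added example (not from the post, and not mongomirror's code) reproduces that condition with a constructed test CA and server certificate, then shows the same chain verifying once the CA is added to the client's roots; the organisation name is the one from the post, while the common names and the must helper are made up for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// makeCert issues a constructed cert under the post's org "TestCertificateOrgName":
// parent == nil gives a self-signed test CA, otherwise a server leaf signed by parent.
func makeCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{Organization: []string{"TestCertificateOrgName"}, CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		IsCA:         isCA, BasicConstraintsValid: true,
	}
	signer, signerKey := tmpl, key // self-signed unless a parent CA is given
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey))
	return must(x509.ParseCertificate(der)), key
}

// VerifyChain judges the leaf the way a Go TLS client (mongomirror is one) does:
// first with an empty trust pool, then with the test CA added as a root.
func VerifyChain() (unknownAuthority bool, withCA error) {
	ca, caKey := makeCert("test-ca", true, nil, nil)
	leaf, _ := makeCert("mongod-destination", false, ca, caKey)
	opts := x509.VerifyOptions{Roots: x509.NewCertPool()}
	_, err := leaf.Verify(opts) // no anchors: "x509: certificate signed by unknown authority"
	opts.Roots.AddCert(ca)      // this is what handing the client the test CA PEM achieves
	_, withCA = leaf.Verify(opts)
	return errors.As(err, new(x509.UnknownAuthorityError)), withCA
}
```

The server presenting its certificate correctly (which the mongod.log lines confirm) does not by itself make a client trust it; the client process needs the issuing CA in its own trust pool, which is a separate matter from relaxing hostname or validity checks.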