Hi all, I’m new in this community, i hope I created this topic in the right category.
I recently needed to deploy a 3-nodes ReplicaSet and my configuration file is something like this:
systemLog:
[...]
net:
port: XXXXX
bindIp: XXXXX
tls:
mode: requireTLS
certificateKeyFile: /mongo/tls/mongo01.pem
CAFile: /mongo/tls/ca.pem
allowConnectionsWithoutCertificates: true
disabledProtocols: TLS1_0,TLS1_1
replication:
[...]
security:
authorization: enabled
keyFile: /mongo/tls/member.key
authenticationMechanisms: [SCRAM-SHA-1,SCRAM-SHA-256]
clusterAuthMode: keyFile
storage:
[...]
processManagement:
[...]
I have also created a mongo0X.pem file for every server, as you can notice in the certificateKeyFile flag, every signed by the same internal root CA (ca.pem file).
When I try to start my mongod instances, despite the presence of ‘clusterAuthMode: keyFile’ (that I supposed it should force in some way the usage of the keyfile ONLY), the servers still check each other’s certificate (that i only want to be used by clients to verify the servers’ identities).
This procedure fails because i did not insert the ‘TLS Web Client Authentication’ setting in the certificate itself (returning a SSL invalid certificate purpose).
So my question is, why does MongoDB tries to validate the “between servers” certificates even though I told him not to?
What am I doing wrong/misunderstanding?
Any help is appreciated. 