I’ve created self-signed certificates for our 5-member MongoDB 5.0.7 replica set. The replica set works, but we get some warnings to our logs during startup.
Each certificate has a distinct CN=db{nodenum} (eg. CN=db1) set in the certificate's subject field, along with shared values for organisation, organisational unit, etc.
I’ve also tried setting subject alt names to reflect the same hostnames, eg.
[ v3_req ]
subjectAltName = @alt_names
extendedKeyUsage = serverAuth

[ alt_names ]
DNS.1 = db3    # and db1, db2, db4, db5 for the other nodes
I’ve also tried installing separate certificates to be used as certificateKeyFile and clusterFile (with extendedKeyUsage set appropriately to serverAuth or clientAuth).
Our Mongo config for TLS is:
tls:
  mode: preferTLS
  certificateKeyFile: /etc/ssl/mongodb_server.pem
  clusterFile: /etc/ssl/mongodb_cluster_client.pem
  CAFile: /etc/ssl/ca.pem
  allowConnectionsWithoutCertificates: true
security:
  authorization: enabled
  clusterAuthMode: x509
During startup, our logs get warnings like this:
{"t":{"$date":"2022-04-17T08:39:51.251+02:00"},"s":"W", "c":"ACCESS", "id":20430, "ctx":"conn19","msg":"Client isn't a mongod or mongos, but is connecting with a certificate with cluster membership"}
{"t":{"$date":"2022-04-17T08:39:51.216+02:00"},"s":"W", "c":"ACCESS", "id":20430, "ctx":"conn11","msg":"Client isn't a mongod or mongos, but is connecting with a certificate with cluster membership"}
{"t":{"$date":"2022-04-17T08:39:51.216+02:00"},"s":"W", "c":"NETWORK", "id":23236, "ctx":"conn11","msg":"Client connecting with server's own TLS certificate"}
I think I have an idea what the logs are trying to tell me, but I don’t agree with them due to the facts stated above.
Any ideas what these are about? Are we supposed to see these messages, meaning I am wasting my time trying to get rid of them, or is there an issue with our certificates or config?
Any help would be very much appreciated.
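The check below is an added example, not code from the post above. MongoDB decides x.509 cluster membership by comparing the O, OU and DC attributes of a presented certificate's subject with those of the server's own certificate (the CN is meant to differ per node); a certificate that matches is what the "certificate with cluster membership" warning refers to. The script parses subject DNs in the form printed by `openssl x509 -noout -subject -nameopt RFC2253`, classifies each certificate against a reference node certificate, and flags node certificates that break the rules (mismatched O/OU/DC, duplicate CN). The DN strings, hostnames and organisation values are constructed placeholders, not the poster's real certificates.

```python
"""Check the x.509 cluster-membership attributes of MongoDB node certificates.

MongoDB treats a certificate as a cluster member when the O, OU and DC
attributes of its subject match those of the server's own certificate; the
CN is expected to differ between nodes. This script parses subject DNs as
printed by `openssl x509 -noout -subject -nameopt RFC2253` and reports which
certificates would be seen as cluster members and where a set of node
certificates violates those rules.
"""
from collections import defaultdict

# Attributes MongoDB compares for x.509 cluster membership.
MEMBERSHIP_ATTRS = ("O", "OU", "DC")

# Constructed sample subjects (not taken from the post); the hostnames and
# organisation values are placeholders.
CONSTRUCTED_DNS = {
    "db1": "CN=db1,OU=Databases,O=Example Corp,C=FI",
    "db2": "CN=db2,OU=Databases,O=Example Corp,C=FI",
    "db3": "CN=db3,OU=Databases,O=Example Corp,C=FI",
    # An application client: same organisation, different OU.
    "app-client": "CN=app-client,OU=Applications,O=Example Corp,C=FI",
    # A misissued node certificate that reuses db1's CN.
    "bad-node": "CN=db1,OU=Databases,O=Example Corp,C=FI",
}
REPLICA_SET = ("db1", "db2", "db3")


def parse_dn(dn):
    """Split an RFC 2253 style DN into (attribute, value) pairs.

    Handles backslash-escaped commas inside values; multi-valued RDNs
    joined with '+' are not split further.
    """
    parts, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i + 1])
            i += 2
            continue
        if ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))

    rdns = []
    for part in parts:
        part = part.strip()
        if not part:
            continue
        attr, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed RDN: {part!r}")
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns


def membership_key(dn):
    """The (O, OU, DC) values MongoDB compares, order-insensitive per attribute."""
    rdns = parse_dn(dn)
    return tuple(
        tuple(sorted(v for a, v in rdns if a == attr)) for attr in MEMBERSHIP_ATTRS
    )


def common_name(dn):
    """First CN value in the subject, or None."""
    for attr, value in parse_dn(dn):
        if attr == "CN":
            return value
    return None


def is_cluster_member(cert_dn, server_dn):
    """True if the server would treat cert_dn as a cluster-member certificate."""
    return membership_key(cert_dn) == membership_key(server_dn)


def check_node_certs(node_dns):
    """Report membership mismatches and duplicate CNs across node certificates.

    The first entry is used as the reference for O/OU/DC.
    """
    problems = []
    names = list(node_dns)
    ref = names[0]
    ref_key = membership_key(node_dns[ref])
    by_cn = defaultdict(list)
    for name in names:
        if membership_key(node_dns[name]) != ref_key:
            problems.append(f"{name}: O/OU/DC differ from {ref}")
        by_cn[common_name(node_dns[name])].append(name)
    for cn, holders in sorted(by_cn.items(), key=lambda kv: str(kv[0])):
        if len(holders) > 1:
            problems.append(f"duplicate CN {cn!r}: {', '.join(holders)}")
    return problems


if __name__ == "__main__":
    server = CONSTRUCTED_DNS["db1"]
    for name, dn in CONSTRUCTED_DNS.items():
        status = "cluster member" if is_cluster_member(dn, server) else "ordinary client"
        print(f"{name:<11} {status:<16} {dn}")
    print("replica set only:", check_node_certs({n: CONSTRUCTED_DNS[n] for n in REPLICA_SET}))
    print("all certificates:", check_node_certs(CONSTRUCTED_DNS))
```

To run it against real files, feed it the output of `openssl x509 -in <file>.pem -noout -subject -nameopt RFC2253` for each node's certificateKeyFile and clusterFile; any client certificate whose O/OU/DC match the server's will be treated as a cluster member, whether or not that was intended.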