Weird certificate warnings during startup

I’ve created self-signed certificates for our 5-member MongoDB 5.0.7 replica set. The replica set works, but we get some warnings to our logs during startup.

Each certificate has a distinct CN=db{nodenum} (e.g. CN=db1) set in the certificate's subject field, along with shared values for organisation, organisational unit etc.

I’ve also tried setting subject alt names to reflect the same hostnames, e.g.

[ v3_req ]
subjectAltName = @alt_names
extendedKeyUsage=serverAuth

[ alt_names ]
DNS.1 = db3 #and db 1,2,4,5 for others

I’ve also tried installing separate certificates to be used as certificateKeyFile and clusterFile (with extendedKeyUsage set appropriately to serverAuth or clientAuth).

Our Mongo config for TLS is:

tls:
    mode: preferTLS
    certificateKeyFile: /etc/ssl/mongodb_server.pem
    clusterFile: /etc/ssl/mongodb_cluster_client.pem
    CAFile: /etc/ssl/ca.pem
    allowConnectionsWithoutCertificates: true
security:
    authorization: enabled
    clusterAuthMode: x509

During startup, our logs get warnings like this:

{"t":{"$date":"2022-04-17T08:39:51.251+02:00"},"s":"W",  "c":"ACCESS",   "id":20430,   "ctx":"conn19","msg":"Client isn't a mongod or mongos, but is connecting with a certificate with cluster membership"}
{"t":{"$date":"2022-04-17T08:39:51.216+02:00"},"s":"W",  "c":"ACCESS",   "id":20430,   "ctx":"conn11","msg":"Client isn't a mongod or mongos, but is connecting with a certificate with cluster membership"}
{"t":{"$date":"2022-04-17T08:39:51.216+02:00"},"s":"W",  "c":"NETWORK",  "id":23236,   "ctx":"conn11","msg":"Client connecting with server's own TLS certificate"}

I think I have an idea what the logs are trying to tell me, but I don’t agree with them because of the facts stated above 😅

Any ideas what these are about? Are we supposed to see these messages, meaning I am wasting my time trying to get rid of them, or is there an issue with our certificates or config?

Any help would be very much appreciated ❤️

I find MongoDB’s startup sequence fascinating.

Full logs
{"t":{"$date":"2022-04-17T22:31:42.832+02:00"},"s":"I",  "c":"REPL",     "id":40440,   "ctx":"initandlisten","msg":"Starting the TopologyVersionObserver"}
{"t":{"$date":"2022-04-17T22:31:42.832+02:00"},"s":"I",  "c":"REPL",     "id":40445,   "ctx":"TopologyVersionObserver","msg":"Started TopologyVersionObserver"}
{"t":{"$date":"2022-04-17T22:31:42.833+02:00"},"s":"I",  "c":"NETWORK",  "id":23015,   "ctx":"listener","msg":"Listening on","attr":{"address":"/tmp/mongodb-27017.sock"}}
{"t":{"$date":"2022-04-17T22:31:42.833+02:00"},"s":"I",  "c":"NETWORK",  "id":23015,   "ctx":"listener","msg":"Listening on","attr":{"address":"10.0.1.1"}}
{"t":{"$date":"2022-04-17T22:31:42.833+02:00"},"s":"I",  "c":"NETWORK",  "id":23015,   "ctx":"listener","msg":"Listening on","attr":{"address":"127.0.0.1"}}
{"t":{"$date":"2022-04-17T22:31:42.833+02:00"},"s":"I",  "c":"NETWORK",  "id":23016,   "ctx":"listener","msg":"Waiting for connections","attr":{"port":27017,"ssl":"on"}}
{"t":{"$date":"2022-04-17T22:31:42.833+02:00"},"s":"I",  "c":"NETWORK",  "id":22943,   "ctx":"listener","msg":"Connection accepted","attr":{"remote":"10.0.1.1:57554","connectionId":2,"connectionCount":1}}
{"t":{"$date":"2022-04-17T22:31:42.851+02:00"},"s":"W",  "c":"NETWORK",  "id":23236,   "ctx":"conn2","msg":"Client connecting with server's own TLS certificate"}
{"t":{"$date":"2022-04-17T22:31:42.852+02:00"},"s":"I",  "c":"ACCESS",   "id":5286202, "ctx":"conn2","msg":"Different user name was supplied to saslSupportedMechs","attr":{"error":{"code":17,"codeName":"ProtocolError","errmsg":"Attempt to switch database target during SASL authentication."}}}
{"t":{"$date":"2022-04-17T22:31:42.852+02:00"},"s":"W",  "c":"ACCESS",   "id":20430,   "ctx":"conn2","msg":"Client isn't a mongod or mongos, but is connecting with a certificate with cluster membership"}
{"t":{"$date":"2022-04-17T22:31:42.852+02:00"},"s":"I",  "c":"ACCESS",   "id":20429,   "ctx":"conn2","msg":"Successfully authenticated","attr":{"client":"10.0.1.1:57554","mechanism":"MONGODB-X509","user":"CN=db1,OU=MONGO_CLUSTER,O=MY_ORG,L=MY_CITY,ST=MY_STATE,C=MY_COUNTRY","db":"$external"}}
{"t":{"$date":"2022-04-17T22:31:42.853+02:00"},"s":"I",  "c":"NETWORK",  "id":22944,   "ctx":"conn2","msg":"Connection ended","attr":{"remote":"10.0.1.1:57554","connectionId":2,"connectionCount":0}}

So, if I’m reading right, when starting up:

  1. db1 (10.0.1.1) connects to… db1!
  2. mongod running on db1 complains that the connection from db1 to db1 was using the server certificate of db1🤔
  3. Weird warning about “Different user name was supplied to saslSupportedMechs”
  4. mongod complaining that the client who just connected isn’t a mongod (it is!), but is using a cluster membership certificate
  5. Great success! Successfully authenticated using db1’s certificate
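To make the two warnings above concrete, here is an added example (my own code, not the poster's and not MongoDB's) that does two things: it applies the documented x.509 cluster-membership rule, under which mongod treats a peer certificate as a cluster member when its O, OU and DC subject attributes equal those of the server's own certificate while CN may differ, and it groups the warnings with ids 23236 and 20430 per connection from mongod's JSON log and attaches the subject that connection authenticated as. The `parse_dn` helper assumes the plain comma-separated DN form mongod prints (no escaped commas), and the sample log is three lines trimmed from the "Full logs" in this thread plus one constructed line for a second connection. The wording in `explain` is my reading of the two messages: 23236 says the peer presented the same certificate this mongod serves, 20430 says the peer's certificate qualifies as a cluster member but the client did not identify itself as a mongod/mongos.

```python
"""Check MongoDB's x.509 cluster-membership rule against subject DNs and pull
the TLS warnings out of mongod's JSON logs, per connection.

Added example for this thread; not MongoDB code.  The DN format and the log
ids are the ones that appear in the posts above.
"""
import json
from collections import defaultdict

# Subject attributes mongod requires to match between the peer certificate
# and the server's own certificate for the peer to count as a cluster
# member.  CN (and L, ST, C, ...) may differ per node.
MEMBERSHIP_ATTRS = ("O", "OU", "DC")

# Log ids quoted in the thread.
WARN_SERVER_OWN_CERT = 23236  # "Client connecting with server's own TLS certificate"
WARN_NOT_MONGOD = 20430       # "Client isn't a mongod or mongos, but is connecting with a certificate with cluster membership"
AUTH_OK = 20429               # "Successfully authenticated"


def parse_dn(dn):
    """Turn 'CN=db1,OU=MONGO_CLUSTER,O=MY_ORG' into {'CN': ['db1'], 'OU': [...], ...}.

    Multi-valued attributes (several OU= or DC= RDNs) keep their order.
    Only the comma-separated form mongod prints is handled; backslash-escaped
    commas inside values are not (assumption, fine for the DNs in this thread).
    """
    parsed = defaultdict(list)
    for rdn in dn.split(","):
        attr, sep, value = rdn.partition("=")
        if not sep:
            raise ValueError(f"malformed RDN {rdn!r} in {dn!r}")
        parsed[attr.strip().upper()].append(value.strip())
    return dict(parsed)


def is_cluster_member(peer_dn, server_dn):
    """True when O, OU and DC of the peer cert equal those of the server cert."""
    peer, server = parse_dn(peer_dn), parse_dn(server_dn)
    return all(peer.get(a, []) == server.get(a, []) for a in MEMBERSHIP_ATTRS)


def scan_log(lines):
    """Group the two TLS warnings by connection ('ctx') and record which x.509
    subject each of those connections later authenticated as, if any."""
    per_conn = defaultdict(lambda: {"warnings": set(), "user": None})
    for line in lines:
        if not line.strip():
            continue
        rec = json.loads(line)
        ctx, msg_id = rec.get("ctx"), rec.get("id")
        if msg_id in (WARN_SERVER_OWN_CERT, WARN_NOT_MONGOD):
            per_conn[ctx]["warnings"].add(msg_id)
        elif msg_id == AUTH_OK and rec.get("attr", {}).get("mechanism") == "MONGODB-X509":
            per_conn[ctx]["user"] = rec["attr"]["user"]
    return {ctx: info for ctx, info in per_conn.items() if info["warnings"]}


def explain(per_conn, server_dn):
    """Map each flagged connection to human-readable findings (my reading of the messages)."""
    out = {}
    for ctx, info in per_conn.items():
        notes = []
        if WARN_SERVER_OWN_CERT in info["warnings"]:
            notes.append("peer presented the same certificate this mongod serves "
                         "(certificateKeyFile), not a distinct clusterFile cert")
        if WARN_NOT_MONGOD in info["warnings"]:
            member = info["user"] is not None and is_cluster_member(info["user"], server_dn)
            notes.append("peer cert has cluster membership (O/OU/DC match: %s) but the "
                         "client did not identify itself as mongod/mongos" % member)
        out[ctx] = notes
    return out


# Sample input: three lines trimmed from the thread's "Full logs" (conn2) plus
# one constructed line for a second connection, so the grouping is visible.
SERVER_DN = "CN=db1,OU=MONGO_CLUSTER,O=MY_ORG,L=MY_CITY,ST=MY_STATE,C=MY_COUNTRY"
SAMPLE_LOG = """
{"t":{"$date":"2022-04-17T22:31:42.851+02:00"},"s":"W","c":"NETWORK","id":23236,"ctx":"conn2","msg":"Client connecting with server's own TLS certificate"}
{"t":{"$date":"2022-04-17T22:31:42.852+02:00"},"s":"W","c":"ACCESS","id":20430,"ctx":"conn2","msg":"Client isn't a mongod or mongos, but is connecting with a certificate with cluster membership"}
{"t":{"$date":"2022-04-17T22:31:42.852+02:00"},"s":"I","c":"ACCESS","id":20429,"ctx":"conn2","msg":"Successfully authenticated","attr":{"client":"10.0.1.1:57554","mechanism":"MONGODB-X509","user":"CN=db1,OU=MONGO_CLUSTER,O=MY_ORG,L=MY_CITY,ST=MY_STATE,C=MY_COUNTRY","db":"$external"}}
{"t":{"$date":"2022-04-17T22:31:43.000+02:00"},"s":"W","c":"ACCESS","id":20430,"ctx":"conn11","msg":"Client isn't a mongod or mongos, but is connecting with a certificate with cluster membership"}
"""

if __name__ == "__main__":
    flagged = scan_log(SAMPLE_LOG.splitlines())
    for ctx, notes in explain(flagged, SERVER_DN).items():
        print(ctx, flagged[ctx]["user"], *notes, sep="\n  ")
```

Run it against a real log with `scan_log(open("/var/log/mongodb/mongod.log"))` and the server's own subject from `openssl x509 -noout -subject -in /etc/ssl/mongodb_server.pem`. If every flagged connection authenticates as the server's own DN, the clusterFile and certificateKeyFile are not the distinct certificates they are meant to be; if connections from application hosts show up with O/OU/DC match `True`, their client certificates share the cluster's O/OU and are being granted cluster membership, which is worth fixing regardless of the warning noise.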