Metadata
Versions:
Ubuntu focal
MongoDB 5.0.14
mongod started with args:
/usr/bin/mongod --bind_ip_all --replSet=mongodb --auth --tlsCAFile=/etc/mongodb/external-ca.crt --tlsCertificateKeyFile=/etc/mongodb/external-cert.pem --tlsMode=preferTLS --clusterAuthMode=x509 --tlsAllowInvalidCertificates --tlsClusterCAFile=/etc/mongodb/internal-ca.crt --tlsClusterFile=/etc/mongodb/internal-cert.pem
Problem
Problem: Cannot connect to replica set with TLS enabled via mongosh
I have TLS enabled on a replica set with two hosts. When I try:
sudo mongosh 'mongodb://<username>:<password>@<my ip>/admin?replicaSet=mongodb' --tls --tlsCAFile /etc/mongodb/external-ca.crt --tlsCertificateKeyFile /etc/mongodb/external-cert.pem
I get:
MongoServerSelectionError: Hostname/IP does not match certificate's altnames: IP: <my ip> is not in the cert's list:
My logs show that this IP is in "certificateNames":
{"t":{"$date":"2022-12-07T09:05:19.935Z"},"s":"E", "c":"NETWORK", "id":23257, "ctx":"ReplicaSetMonitor-TaskExecutor","msg":"The server certificate does not match the remote host name","attr":{"remoteHost":"juju-29df15-1","certificateNames":"SAN(s): mongodb-0, juju-29df15-1.lxd, mongodb-0.mongodb-endpoints, <my-ip>, CN: <my-ip>"}}
What else I tried
If I use mongo instead of mongosh:
sudo mongo 'mongodb://admin:[email protected]/admin?replicaSet=mongodb' --tls --tlsCAFile /etc/mongodb/external-ca.crt --tlsCertificateKeyFile /etc/mongodb/external-cert.pem
this appears to connect after logging some messages, specifically:
connecting to: mongodb://10.23.62.38:27017/admin?compressors=disabled&gssapiServiceName=mongodb&replicaSet=mongodb
{"t":{"$date":"2022-12-07T09:21:01.646Z"},"s":"W", "c":"NETWORK", "id":23237, "ctx":"ReplicaSetMonitor-TaskExecutor","msg":"You have an IP Address in the DNS Name field on your certificate. This formulation is deprecated."}
{"t":{"$date":"2022-12-07T09:21:01.652Z"},"s":"W", "c":"NETWORK", "id":23237, "ctx":"ReplicaSetMonitor-TaskExecutor","msg":"You have an IP Address in the DNS Name field on your certificate. This formulation is deprecated."}
{"t":{"$date":"2022-12-07T09:21:01.654Z"},"s":"W", "c":"NETWORK", "id":23237, "ctx":"ReplicaSetMonitor-TaskExecutor","msg":"You have an IP Address in the DNS Name field on your certificate. This formulation is deprecated."}
{"t":{"$date":"2022-12-07T09:21:01.662Z"},"s":"W", "c":"NETWORK", "id":23237, "ctx":"js","msg":"You have an IP Address in the DNS Name field on your certificate. This formulation is deprecated."}
{"t":{"$date":"2022-12-07T09:21:01.664Z"},"s":"W", "c":"NETWORK", "id":23237, "ctx":"ReplicaSetMonitor-TaskExecutor","msg":"You have an IP Address in the DNS Name field on your certificate. This formulation is deprecated."}
Implicit session: session { "id" : UUID("97e7e144-1bd7-4a94-b33d-958da2507bec") }
MongoDB server version: 5.0.14
================
Warning: the "mongo" shell has been superseded by "mongosh",
which delivers improved usability and compatibility.The "mongo" shell has been deprecated and will be removed in
an upcoming release.
For installation instructions, see
https://docs.mongodb.com/mongodb-shell/install/
================
---
The server generated these startup warnings when booting:
2022-12-06T16:56:40.822+00:00: Using the XFS filesystem is strongly recommended with the WiredTiger storage engine. See http://dochub.mongodb.org/core/prodnotes-filesystem
2022-12-06T16:56:42.686+00:00: While invalid X509 certificates may be used to connect to this server, they will not be considered permissible for authentication
---
---
Enable MongoDB's free cloud-based monitoring service, which will then receive and display
metrics about your deployment (disk utilization, CPU, operation statistics, etc).
The monitoring data will be available on a MongoDB website with a unique URL accessible to you
and anyone you share the URL with. MongoDB may use this information to make product
improvements and to suggest MongoDB products and deployment options to you.
To enable free monitoring, run the following command: db.enableFreeMonitoring()
To permanently disable this reminder, run the following command: db.disableFreeMonitoring()
---
mongodb:PRIMARY>
And then I can execute commands in this shell (yay).
Questions
So I have two questions:
- why can I connect with mongo but not with mongosh?
- why am I getting the error MongoServerSelectionError: Hostname/IP does not match certificate's altnames: IP: <my ip> is not in the cert's list: if I can see <my-ip> in "certificateNames"?
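As an added example (not code from the question or from either answer), the following models the two identity checks behind the behaviour described above: mongosh, built on the Node.js driver, applies Node's strict rule under which an IP literal matches only iPAddress SANs, while the legacy mongo shell accepts an IP found in a DNS SAN or CN with the deprecation warning (log id 23237) shown in the output. The certificate is constructed from the names in the question's log line and the address in its connection string; the exact matching rules are a simplified model of both shells.

```python
import ipaddress

# Constructed server certificate modelled on the question's log line
# "SAN(s): mongodb-0, juju-29df15-1.lxd, mongodb-0.mongodb-endpoints, <my-ip>, CN: <my-ip>".
# 10.23.62.38 is the address from the question's connection string; here it appears
# only as a DNS SAN (and as CN), which is what both answers identify as the cause.
BROKEN_CERT = {
    "cn": "10.23.62.38",
    "san": [("DNS", "mongodb-0"), ("DNS", "juju-29df15-1.lxd"),
            ("DNS", "mongodb-0.mongodb-endpoints"), ("DNS", "10.23.62.38")],
}
# Same certificate with the address issued as an iPAddress SAN (the first answer's fix).
FIXED_CERT = {"cn": "10.23.62.38", "san": BROKEN_CERT["san"][:3] + [("IP", "10.23.62.38")]}

def parse_ip(host):
    """Return an ip_address object for an IP literal, or None for a DNS name."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        return None

def dns_match(pattern, host):
    """RFC 6125-style DNS match: exact, or a single leading wildcard label."""
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if p.startswith("*.") and "." in h:
        return h.split(".", 1)[1] == p[2:]
    return p == h

def mongosh_style_check(cert, host):
    """Strict identity check as Node.js (and so mongosh) applies it: an IP literal
    matches only iPAddress SANs; the CN is consulted only if there are no DNS SANs."""
    ip = parse_ip(host)
    if ip is not None:
        return any(t == "IP" and ipaddress.ip_address(v) == ip for t, v in cert["san"])
    dns_sans = [v for t, v in cert["san"] if t == "DNS"]
    if dns_sans:
        return any(dns_match(v, host) for v in dns_sans)
    return dns_match(cert["cn"], host)

def legacy_mongo_check(cert, host):
    """Lenient check modelled on the old mongo shell: an IP literal found in a DNS
    SAN or the CN is accepted with a deprecation warning. Returns (matched, warnings)."""
    if mongosh_style_check(cert, host):
        return True, []
    ip = parse_ip(host)
    names = [v for t, v in cert["san"] if t == "DNS"] + [cert["cn"]]
    if ip is not None and any(parse_ip(n) == ip for n in names):
        return True, ["You have an IP Address in the DNS Name field on your certificate. "
                      "This formulation is deprecated."]
    return False, []
```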
2 Answers
I have no answer for 1. (why can I connect with mongo but not with mongosh).
But for 2., this error occurs because when creating the Certificate Signing Request the IP address was provided via DNS subject alternative names. To resolve this I made my Certificate Signing Request with the IP address as the alternative name.

This is not a direct answer to your question; however, there is a misconfiguration in your setup.
Problem
Your mongod is configured with
So, these openssl checks should be OK:
However, this connection with mongosh (or any other client) should fail:
It works only because you set --tlsAllowInvalidCertificates in your mongod configuration; you may find a warning message in the mongod logfile. Without the --tlsAllowInvalidCertificates option in mongod the connection attempt should fail.
Explanation
Your mongod configuration corresponds to this openssl client/server:
Parameter pairs tlsCAFile/tlsCertificateKeyFile and tlsClusterCAFile/tlsClusterFile are not used to distinguish between "normal" client connections (e.g. from mongosh) and internal replica membership connections! They are used to separate between incoming and outgoing connections.
Solution
Assuming you don't use dedicated client certificates, the mongosh connection should be
However, this is a security risk! The client can misuse the certificate and log on as an internal replica set member. A malicious client can simply connect with
in order to get full system privileges on the Mongo database.
Better use a dedicated client certificate; it would need to be signed like this:
Note, the client certificate subject O, OU, DC must be different from the internal-cert O, OU, DC. Otherwise it is considered as a member certificate. Find a few more details in How Security in MongoDB works (using x.509 cert)