
Metadata

Versions:

Ubuntu focal

MongoDB 5.0.14

mongod started with args:

/usr/bin/mongod --bind_ip_all --replSet=mongodb --auth --tlsCAFile=/etc/mongodb/external-ca.crt --tlsCertificateKeyFile=/etc/mongodb/external-cert.pem --tlsMode=preferTLS --clusterAuthMode=x509 --tlsAllowInvalidCertificates --tlsClusterCAFile=/etc/mongodb/internal-ca.crt --tlsClusterFile=/etc/mongodb/internal-cert.pem

Problem

Problem: Cannot connect to replica set with TLS enabled via mongosh

I have TLS enabled on a replica set with two hosts. When I try:

sudo mongosh 'mongodb://<username>:<password>@<my ip>/admin?replicaSet=mongodb'  --tls --tlsCAFile /etc/mongodb/external-ca.crt --tlsCertificateKeyFile /etc/mongodb/external-cert.pem

I get:

MongoServerSelectionError: Hostname/IP does not match certificate's altnames: IP: <my ip> is not in the cert's list:

My logs show that this IP is in "certificateNames":

{"t":{"$date":"2022-12-07T09:05:19.935Z"},"s":"E",  "c":"NETWORK",  "id":23257,   "ctx":"ReplicaSetMonitor-TaskExecutor","msg":"The server certificate does not match the remote host name","attr":{"remoteHost":"juju-29df15-1","certificateNames":"SAN(s): mongodb-0, juju-29df15-1.lxd, mongodb-0.mongodb-endpoints, <my-ip>, CN:  <my-ip>"}}

What else I tried

If I use mongo instead of mongosh:

sudo mongo 'mongodb://admin:<password>@10.23.62.38/admin?replicaSet=mongodb'  --tls --tlsCAFile /etc/mongodb/external-ca.crt --tlsCertificateKeyFile /etc/mongodb/external-cert.pem

this appears to connect after logging some messages, specifically:

connecting to: mongodb://10.23.62.38:27017/admin?compressors=disabled&gssapiServiceName=mongodb&replicaSet=mongodb
{"t":{"$date":"2022-12-07T09:21:01.646Z"},"s":"W",  "c":"NETWORK",  "id":23237,   "ctx":"ReplicaSetMonitor-TaskExecutor","msg":"You have an IP Address in the DNS Name field on your certificate. This formulation is deprecated."}
{"t":{"$date":"2022-12-07T09:21:01.652Z"},"s":"W",  "c":"NETWORK",  "id":23237,   "ctx":"ReplicaSetMonitor-TaskExecutor","msg":"You have an IP Address in the DNS Name field on your certificate. This formulation is deprecated."}
{"t":{"$date":"2022-12-07T09:21:01.654Z"},"s":"W",  "c":"NETWORK",  "id":23237,   "ctx":"ReplicaSetMonitor-TaskExecutor","msg":"You have an IP Address in the DNS Name field on your certificate. This formulation is deprecated."}
{"t":{"$date":"2022-12-07T09:21:01.662Z"},"s":"W",  "c":"NETWORK",  "id":23237,   "ctx":"js","msg":"You have an IP Address in the DNS Name field on your certificate. This formulation is deprecated."}
{"t":{"$date":"2022-12-07T09:21:01.664Z"},"s":"W",  "c":"NETWORK",  "id":23237,   "ctx":"ReplicaSetMonitor-TaskExecutor","msg":"You have an IP Address in the DNS Name field on your certificate. This formulation is deprecated."}
Implicit session: session { "id" : UUID("97e7e144-1bd7-4a94-b33d-958da2507bec") }
MongoDB server version: 5.0.14
================
Warning: the "mongo" shell has been superseded by "mongosh",
which delivers improved usability and compatibility.The "mongo" shell has been deprecated and will be removed in
an upcoming release.
For installation instructions, see
https://docs.mongodb.com/mongodb-shell/install/
================
---
The server generated these startup warnings when booting:
        2022-12-06T16:56:40.822+00:00: Using the XFS filesystem is strongly recommended with the WiredTiger storage engine. See http://dochub.mongodb.org/core/prodnotes-filesystem
        2022-12-06T16:56:42.686+00:00: While invalid X509 certificates may be used to connect to this server, they will not be considered permissible for authentication
---
---
        Enable MongoDB's free cloud-based monitoring service, which will then receive and display
        metrics about your deployment (disk utilization, CPU, operation statistics, etc).

        The monitoring data will be available on a MongoDB website with a unique URL accessible to you
        and anyone you share the URL with. MongoDB may use this information to make product
        improvements and to suggest MongoDB products and deployment options to you.

        To enable free monitoring, run the following command: db.enableFreeMonitoring()
        To permanently disable this reminder, run the following command: db.disableFreeMonitoring()
---
mongodb:PRIMARY>

And then I can execute commands in this shell (yay).

Questions

So I have two questions:

  1. Why can I connect with mongo but not with mongosh?
  2. Why am I getting the error MongoServerSelectionError: Hostname/IP does not match certificate's altnames: IP: <my ip> is not in the cert's list: if I can see <my-ip> in "certificateNames"?


Answers


  1. Chosen as BEST ANSWER

    I have no answer for 1 (why I can connect with mongo but not with mongosh).

    But for 2. this error occurs because when creating the Certificate Signing Request the IP address was provided via DNS subject alternative names. To resolve this I made my Certificate Signing Request with the IP address as the alternative name.
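An added example, not from the question or either answer, that models the SAN matching behind both observations in the question: strict matching, as mongosh's error reports, accepts an IP literal only from an IP-type SAN, while the lenient mode reproduces the warn-and-connect behaviour visible in the legacy mongo output. The SAN lists are constructed from the log line in the question; the lenient mode is my modelling of that output, not documented client code.

```python
import ipaddress
from typing import Iterable, List, Tuple

# Constructed SAN lists modelled on the log line in the question: the IP address was
# placed in a DNS-type SAN instead of an IP-type SAN (BROKEN), then moved (FIXED).
BROKEN_SANS: List[Tuple[str, str]] = [
    ("DNS", "mongodb-0"), ("DNS", "juju-29df15-1.lxd"),
    ("DNS", "mongodb-0.mongodb-endpoints"), ("DNS", "10.23.62.38"),
]
FIXED_SANS = BROKEN_SANS[:3] + [("IP", "10.23.62.38")]


def _dns_match(pattern: str, host: str) -> bool:
    """RFC 6125-style DNS-ID match: case-insensitive, one leading '*.' label allowed."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        return host.count(".") == pattern.count(".") and host.endswith(pattern[1:])
    return pattern == host


def check_server_identity(host: str, sans: Iterable[Tuple[str, str]],
                          strict: bool = True) -> Tuple[bool, str]:
    """Return (ok, reason) for connecting to `host` against a cert's SAN entries.
    strict=True mirrors the mongosh error in the question: an IP literal is compared
    only with IP-type SANs, so an IP written as a DNS name never matches.
    strict=False models the legacy mongo shell output (assumption drawn from its log):
    the deprecated IP-in-DNS-name form is accepted with a warning.
    """
    sans = list(sans)
    try:
        target_ip = ipaddress.ip_address(host)
    except ValueError:
        target_ip = None
    if target_ip is None:  # connecting by hostname: only DNS SANs are considered
        dns_names = [v for t, v in sans if t == "DNS"]
        if any(_dns_match(p, host) for p in dns_names):
            return True, "hostname matched a DNS SAN"
        return False, f"Hostname {host} is not in the cert's list: {', '.join(dns_names)}"

    ip_sans = [ipaddress.ip_address(v) for t, v in sans if t == "IP"]
    if target_ip in ip_sans:
        return True, "IP matched an IP SAN"
    if not strict:
        for t, v in sans:
            try:
                if t == "DNS" and ipaddress.ip_address(v) == target_ip:
                    return True, "WARNING: IP address in the DNS name field (deprecated)"
            except ValueError:  # ordinary DNS name, not an IP literal
                pass
    # Same shape as mongosh's message; the list is empty when the cert has no IP SANs.
    return False, f"IP: {host} is not in the cert's list: {', '.join(map(str, ip_sans))}"
```

Running the strict check against BROKEN_SANS reproduces the empty "cert's list:" from the question, because the certificate has no IP-type SAN at all.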


  2. This is not a direct answer to your question; however, there is a misconfiguration in your setup.

    Problem

    Your mongod is configured with

    --tlsCAFile=/etc/mongodb/external-ca.crt
    --tlsCertificateKeyFile=/etc/mongodb/external-cert.pem
    --tlsClusterCAFile=/etc/mongodb/internal-ca.crt
    --tlsClusterFile=/etc/mongodb/internal-cert.pem
    

    So, these openssl checks should be OK:

    cd /etc/mongodb
    openssl verify -CAfile ./external-ca.crt ./external-cert.pem
    openssl verify -CAfile ./internal-ca.crt ./internal-cert.pem
    

    However, this connection with mongosh (or any other client) should fail:

    cd /etc/mongodb
    mongosh --tls --tlsCAFile ./external-ca.crt --tlsCertificateKeyFile ./external-cert.pem
    

    It works only because you set --tlsAllowInvalidCertificates in your mongod configuration; you may find a warning message in the mongod log file. Without the --tlsAllowInvalidCertificates option in mongod, the connection attempt should fail.

    Explanation

    Your mongod configuration corresponds to this openssl client/server:

    cd /etc/mongodb
    # simulate mongod server:
    openssl s_server -CAfile ./internal-ca.crt -cert ./external-cert.pem
    
    ## open another terminal ##
    
    cd /etc/mongodb
    # -> simulate connection from other replica set member:
    openssl s_client -CAfile ./external-ca.crt -cert ./internal-cert.pem -quiet -no_ign_eof -status <<< Q
    # Should be OK
    
    # -> simulate connection from mongosh:
    openssl s_client -CAfile ./external-ca.crt -cert ./external-cert.pem -quiet -no_ign_eof -status <<< Q
    # Should fail
    

    Parameter pairs tlsCAFile/tlsCertificateKeyFile and tlsClusterCAFile/tlsClusterFile are not used to distinguish between "normal" client connections (e.g. from mongosh) and internal replica membership connections! They are used to distinguish between incoming and outgoing connections.

    Solution

    Assuming you don’t use dedicated client certificates, the mongosh connection should be

    cd /etc/mongodb
    mongosh --tls --tlsCAFile ./external-ca.crt --tlsCertificateKeyFile ./internal-cert.pem 'mongodb://<username>:<password>@<my ip>/admin?replicaSet=mongodb'
    

    However, this is a security risk! The client can misuse the certificate and log on as an internal replica set member. A malicious client can simply connect with

    cd /etc/mongodb
    mongosh --tls --tlsCAFile ./external-ca.crt --tlsCertificateKeyFile ./internal-cert.pem --authenticationMechanism X509 'mongodb://<my ip>/admin?replicaSet=$external'
    

    in order to get full system privileges on the Mongo database.

    Better to use a dedicated client certificate; it would need to be signed like this:

    openssl x509 -in client-cert.csr -CA internal-ca.crt -CAkey internal-ca.key -out client-cert.crt  ...
    
    mongosh --tls --tlsCAFile ./external-ca.crt --tlsCertificateKeyFile ./client-cert.pem
    

    Note, the client certificate subject O, OU, DC must differ from the internal-cert O, OU, DC. Otherwise it is considered a member certificate.

    Find a few more details in How Security in MongoDB works (using x.509 cert)
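An added example, not from the answer above, that checks the O/OU/DC rule the answer ends with before a client certificate is issued: a client subject whose O, OU and DC all equal the member certificate's would be treated as a cluster member. The subjects are constructed, and the check assumes membership is decided by those three attributes alone (that the cert chains to the cluster CA is a separate check).

```python
import re
from typing import Dict, List, Tuple

# Constructed subjects (assumption, not taken from the page): one replica set member
# certificate and two candidate client certificates.
MEMBER_SUBJECT = "CN=mongodb-0,OU=replset,O=ExampleCorp,DC=example,DC=internal"
BAD_CLIENT_SUBJECT = "CN=app-user,OU=replset,O=ExampleCorp,DC=example,DC=internal"
GOOD_CLIENT_SUBJECT = "CN=app-user,OU=clients,O=ExampleCorp,DC=example,DC=internal"

# Attributes MongoDB compares when deciding whether an X.509 cert is a cluster member.
MEMBERSHIP_ATTRS = ("O", "OU", "DC")


def parse_subject(dn: str) -> Dict[str, List[str]]:
    """Parse an RFC 2253-style DN string into attribute -> ordered list of values.
    Backslash-escaped commas stay inside a value; repeated attributes (several DC=)
    keep their order, which matters for the comparison below."""
    attrs: Dict[str, List[str]] = {}
    for rdn in re.split(r"(?<!\\),", dn):
        key, _, value = rdn.strip().partition("=")
        attrs.setdefault(key.strip().upper(), []).append(value.replace("\\,", ",").strip())
    return attrs


def membership_fingerprint(dn: str) -> Tuple[Tuple[str, Tuple[str, ...]], ...]:
    """The (O, OU, DC) values of a subject, in a hashable, comparable form."""
    subj = parse_subject(dn)
    return tuple((a, tuple(subj.get(a, []))) for a in MEMBERSHIP_ATTRS)


def would_be_treated_as_member(client_dn: str, member_dn: str) -> bool:
    """True when every membership attribute of the client matches the member cert,
    i.e. the client would be granted cluster-member privileges."""
    return membership_fingerprint(client_dn) == membership_fingerprint(member_dn)


def audit_client_certs(member_dn: str, client_dns: List[str]) -> List[str]:
    """Return the client subjects that must be re-issued with a differing O, OU or DC."""
    return [dn for dn in client_dns if would_be_treated_as_member(dn, member_dn)]
```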
