...
BugZero found this defect 14 days ago.
I tried to setup a replica set using new parameters clusterAuthX509.extensionValue and clusterAuthX509.attributes but they failed. First of all, the documentation is contradicting or at least not clear. In the beginning it says: The server won't start if clusterAuthMode isn't keyFile in your configuration file. Which means, clusterAuthMode must be keyFile, otherwise the server does not start. However, a few lines later you state if your clusterAuthMode is x509, user certificates that use the allowed scheme are conflated with cluster certificates and granted privileged access. Which is not possible, because a few lines above you state, the server would not start at all. Anyway, I use x509, so focus on this. Here are the relevant information about my certificates: openssl x509 -in mongo.server.pem -noout -text Issuer: C=CH, O=Sunrise, OU=OSS, OU=CWP300153, CN=Issuing CA Subject: C=CH, O=Sunrise, OU=OSS, OU=MongoDB, CN=server X509v3 extensions: X509v3 Key Usage: Digital Signature, Key Encipherment X509v3 Extended Key Usage: TLS Web Server Authentication openssl x509 -in mongo.member.pem -noout -text Issuer: C=CH, O=Sunrise, OU=OSS, OU=CWP300153, CN=Issuing CA Subject: C=CH, O=Sunrise, OU=CWP, OU=localMongoDB, CN=member X509v3 extensions: X509v3 Key Usage: Digital Signature X509v3 Extended Key Usage: TLS Web Client Authentication 1.3.6.1.4.1.34601.2.1.2: ..CWP300153.rs.member And here the relevant part of my configuration: net: tls: mode: preferTLS certificateKeyFile: c:\MongoDB\config\mongo.server.pem clusterFile: c:\MongoDB\config\mongo.member.pem CAFile: c:\MongoDB\config\mongo-ca.cer allowConnectionsWithoutCertificates: true clusterAuthX509: extensionValue: CWP300153.rs.member security: clusterAuthMode: x509 I tried different variants, none of them is working: ... clusterAuthX509: attributes: CN=member,OU=localMongoDB,OU=CWP,O=Sunrise,C=CH ... clusterAuthX509: attributes: OU=localMongoDB,OU=CWP,O=Sunrise,C=CH ... clusterAuthX509: extensionValue: CWP300153.rs.member ... clusterAuthX509: extensionValue: something-wrong They all failed with this error: rs.status() { set: 'repSet', members: [ { _id: 0, name: 'localhost:27037', health: 1, state: 2, stateStr: 'SECONDARY', }, { _id: 1, name: 'localhost:27137', health: 0, state: 8, stateStr: '(not reachable/healthy)', lastHeartbeatMessage: 'Could not find user "CN=member,OU=localMongoDB,OU=CWP,O=Sunrise,C=CH" for db "$external"', } ] } When you set both, then the server does not start at all: ... clusterAuthX509: extensionValue: CWP300153.rs.member attributes: OU=localMongoDB,OU=CWP,O=Sunrise,C=CH fails with mongod --config ... { "s": "F", "msg": "Error during global initialization", "attr": { "error": { "errmsg": "net.tls.clusterAuthX509.attributes is not allowed when net.tls.clusterAuthX509.extensionValue is specified" } } } Is it a bug in MongoDB server or is there anything I do wrong?The documentation does not provide any valid examples. Kind Regards Wernfried