'clusterAuthMode: x509' failing with "Could not find user "CN=mongod1" for db $external"

spiffly423 (Entrant, original poster)
edited September 11 in Percona Server for MongoDB
Greetings,
Using the image percona/percona-server-mongodb:4.2, I am attempting to enable clusterAuthMode: x509 on a replicaset. I have followed the instructions here, making sure my certificates conform to the requirements. Each member is failing to connect to the other two members. Looking through the logs, I'm seeing entries like this:
authenticate db: $external { authenticate: 1, mechanism: "MONGODB-X509", user: "CN=mongod1", $db: "$external" }
2020-09-11T19:15:50.644+0000 I  ACCESS   [conn10] Failed to authenticate CN=mongod1@$external from client 172.19.62.122:37102 with mechanism MONGODB-X509: UserNotFound: Could not find user "CN=mongod1" for db "$external"

This would suggest that a user with the same name as each connecting member's CN is expected; I've scoured the mongodb documentation and though there is documentation talking about the need for clients to authenticate with an existing user, I see no indication that such a user is needed for internal/membership authentication, which db they should be created on with what privileges, etc.

Is such a user necessary for each member when using x509 auth mode (if so, please point me to the documentation I've apparently overlooked!), or is there perhaps something else I'm missing here? Any help appreciated!

Here is my conf file: (Edit: Anyone know of a better way to display my conf file? When I wrapped it in code, it put it all on one line...)
```yaml
net:
  port: 17017
  bindIpAll: true
  tls:
    mode: requireTLS
    CAFile: /certs/myCA.pem
    certificateKeyFile: /certs/myCert.pem
replication:
  oplogSizeMB: 4096
  replSetName: set1
  enableMajorityReadConcern: false
setParameter:
  enableLocalhostAuthBypass: true
processManagement:
  fork: "false"
storage:
  dbPath: /data/db
  engine: wiredTiger
  journal:
    enabled: true
  wiredTiger:
    collectionConfig:
      blockCompressor: snappy
    engineConfig:
      directoryForIndexes: true
      cacheSizeGB: 20
security:
  enableEncryption: true
  encryptionKeyFile: /etc/mongodb.keyfile
  authorization: enabled
  clusterAuthMode: x509
```
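The log line above is what mongod emits when the connecting certificate is not recognised as a cluster member certificate: a MONGODB-X509 login whose subject does not pass the membership rule falls through to an ordinary user lookup in `$external`, hence `UserNotFound`. The rule MongoDB documents for `clusterAuthMode: x509` is that the Organization (O), Organizational Unit (OU) and Domain Component (DC) attributes of a member's certificate subject must match those of the other members' certificates, and at least one of those attributes must be present; a subject consisting only of `CN=mongod1` has none of them. The script below is an added example, not code from the thread or from Percona/MongoDB, that applies that rule to two certificate subjects so the mismatch can be checked before mongod is restarted. The function names (`parse_dn`, `member_attributes`, `check_member_cert`) and the DN strings are my own; the subjects with `OU=set1,O=Example` are constructed to illustrate a passing case and are not the poster's real certificates.

```python
"""Check whether a peer's X.509 subject would be accepted as a cluster member
under clusterAuthMode: x509.

Added example, not part of the original post and not Percona/MongoDB code.
Rule applied (from MongoDB's member certificate requirements): the O, OU and
DC attributes of the peer subject must match those of the server's own
certificate subject, and at least one of them must be present. A subject that
fails this is not a member; its x509 login is then looked up as a user in
$external, which produces the UserNotFound error seen in the question.
"""
import re
from collections import Counter

MEMBER_ATTRS = ("O", "OU", "DC")


def _split_unescaped(s, sep):
    """Split s on sep, ignoring separators escaped with a backslash."""
    parts, cur, esc = [], [], False
    for ch in s:
        if esc:
            cur.append("\\" + ch)
            esc = False
        elif ch == "\\":
            esc = True
        elif ch == sep:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return parts


def _unescape(value):
    """Remove RFC 2253 backslash escapes from an attribute value."""
    return re.sub(r"\\(.)", r"\1", value)


def parse_dn(dn):
    """Parse an RFC 2253-style DN such as "CN=mongod1,OU=set1,O=Example" into a
    list of (attribute, value) pairs. Handles escaped commas and multi-valued
    RDNs joined with '+'. Attribute types are upper-cased for comparison."""
    pairs = []
    for rdn in _split_unescaped(dn, ","):
        for ava in _split_unescaped(rdn, "+"):
            if not ava.strip():
                continue
            attr, sep, value = ava.partition("=")
            if not sep:
                raise ValueError(f"malformed attribute in DN: {ava!r}")
            pairs.append((attr.strip().upper(), _unescape(value.strip())))
    return pairs


def member_attributes(dn):
    """Multiset of the O/OU/DC (attribute, value) pairs in a subject.
    Compared order-insensitively here; CN and other attributes are ignored,
    which is why two members may (and should) carry different CNs."""
    return Counter((a, v) for a, v in parse_dn(dn) if a in MEMBER_ATTRS)


def check_member_cert(server_dn, peer_dn):
    """Return (ok, reason): ok is True when a mongod presenting server_dn
    would treat a peer presenting peer_dn as a cluster member."""
    server_attrs = member_attributes(server_dn)
    peer_attrs = member_attributes(peer_dn)
    if not peer_attrs:
        return False, ("peer subject has none of O, OU or DC; it cannot be a "
                       "member certificate and will be looked up as a user in $external")
    if server_attrs != peer_attrs:
        return False, (f"O/OU/DC mismatch: server has {sorted(server_attrs)}, "
                       f"peer has {sorted(peer_attrs)}")
    return True, "O, OU and DC match; peer is treated as a cluster member"


if __name__ == "__main__":
    # The situation in the question: CN-only subjects on every member.
    print(check_member_cert("CN=mongod2", "CN=mongod1"))
    # Constructed subjects that satisfy the rule: same OU/O, different CN.
    print(check_member_cert("CN=mongod2,OU=set1,O=Example",
                            "CN=mongod1,OU=set1,O=Example"))
```

To run it against real certificates, feed it the subjects printed by `openssl x509 -in /certs/myCert.pem -noout -subject -nameopt RFC2253` for each member; with the config above, `/certs/myCert.pem` on each host is both the server certificate and the certificate that host presents to its peers, so every member's subject must match every other member's O/OU/DC.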
Answers

  • spiffly423 (Entrant, original poster)
    To put it in a nutshell: does anyone know if a user is needed for each member of a replica set when using `clusterAuthMode: x509`? Seems to be the case, but I'm not finding anything in the documentation that states this, what the user permissions should be, etc.

MySQL, InnoDB, MariaDB and MongoDB are trademarks of their respective owners.
Copyright ©2005 - 2020 Percona LLC. All rights reserved.