How to use pbm-agent with client tls

kylem · July 6, 2021, 10:43pm

Hi there.

I have a Percona replica set with requireTLS, which I would like to backup with pbm. At the moment I am struggling to connect to my cluster when providing tls options in the connection string. I am able to connect using the same options when connecting with the mongo shell.

mongo shell: mongo --authenticationMechanism MONGODB-X509 --tls --host localhost --tlsCertificateKeyFile path/tls.crt --tlsCAFile path/ca.pem

mongod logs:

"NETWORK", "msg":"Connection accepted"
"ACCESS",  "ctx":"conn464","msg":"Authenticate"
"ACCESS",  "msg":"Successfully authenticated"

The above works as expected, and I am in a shell as the user specified in the x509 certificate subject name.

Now, when using pbm: PBM_MONGODB_URI=mongodb://localhost:27017/?tls=true&authenticationMechanism=MONGODB-X509&tlsCertificateKeyFile=path/tls.crt&tlsCAFile=path/ca.pem pbm status

mongod logs:

"NETWORK" "msg":"Connection accepted"
"NETWORK" "msg":"Connection ended"

There are no corresponding ‘ACCESS’ logs.

The error reported by pbm is Error: connect to mongodb: setup a new backups db: ensure cmd collection: (Unauthorized) command create requires authentication

Are there any guides for mTLS connections with pbm?

tra_for · December 5, 2023, 2:33am

I’m also seeing similar issues, pbm-agent works fine with preferTLS but failed when using with my requirement requireTLS. Somehow mongo URI is set to basic auth. the agent container command runs fine. I ran it verbosely, it does set the right URI, however, the export is not updating the environment variable on the container. I’m able to also update the env variable but not the container script. Notice the output below, variable didn’t get updated. Any help is appreciated.

agent container command
bash -x /opt/percona/pbm-entry.sh

+ PBM_MONGODB_URI='mongodb://user:password@localhost:27017/?replicaSet=cfg'
+ MONGO_SSL_DIR=/etc/mongodb-ssl
+ [[ -f /etc/mongodb-ssl/tls.crt ]]
+ [[ -f /etc/mongodb-ssl/tls.key ]]
+ cat /etc/mongodb-ssl/tls.key /etc/mongodb-ssl/tls.crt
+ PBM_MONGODB_URI=mongodb://user:password@localhost:27017/?replicaSet=cfg&tls=true&tlsCertificateKeyFile=%2Ftmp%2Ftls.pem&tlsCAFile=/etc/mongodb-ssl%2Fca.crt&tlsInsecure=true'
+ export PBM_MONGODB_URI
+ exec
bash-4.4$ env | grep PBM_MONGODB_URI
PBM_MONGODB_URI=mongodb://user:password@test-cfg-2

Ivan_Groenewold · December 5, 2023, 12:14pm

Hi, try adding --authenticationDatabase ‘$external’ to your command

tra_for · December 5, 2023, 2:13pm

Hi,
Thanks for responding, maybe this needs a separate post. This seems to be a bug in the agent container script. it’s not setting the environment variable. I ran the script in debug mode above to see what it’s doing.

Ivan_Groenewold · December 7, 2023, 11:27am

Please report the bug at jira.percona.com if you get a chance!

Topic		Replies	Views
Having trouble with pbm-agent and PBM_MONGODB_URI settings Percona Backup for MongoDB	4	781	September 14, 2022
PBM Access on tls encrypted cluster Percona Backup for MongoDB	5	2060	March 5, 2021
Unable to connect to MongoDB with TLS PMM 2.x pmm , mongodb	2	317	April 29, 2024
PBM connection error with TLS bad OCSP signature: crypto/rsa: verification error Percona Backup for MongoDB percona , mongodb , pbm	11	58	September 10, 2024
Issue connecting to TLS cluster using username and password Percona Operator for MongoDB percona , mongodb , closed-no-reply	0	835	April 7, 2022

How to use pbm-agent with client tls

Related topics