Mongodb operator x.509 tls vault auth failed for $external

I have hopefully small problem, may be can somebody point me in the right direction

I just did clean install with operator - and saw no issues at all.
If I look at the logs, all is good, and I can see tons of connection like this one

{"t":{"$date":"2022-01-25T17:03:54.247+00:00"},"s":"I", "c":"ACCESS", "id":20427, "ctx":"conn356","msg":"Authenticate","attr":{"db":"$external","command":"{ authenticate: \"1\", mechanism: \"MONGODB-X509\", db: \"$external\" }"}}
{"t":{"$date":"2022-01-25T17:03:54.247+00:00"},"s":"I", "c":"ACCESS", "id":20429, "ctx":"conn356","msg":"Successfully authenticated","attr":{"user":"O=PSMDB","db":"$external","client":"10.42.1.82:36532"}}

After that, I have followed this blog post Transport Layer Security (TLS) for manually generation of tls certificate, but I do it with hashicorp vault.

I have created certs, looks all also good for me, all are set, all alt_names are given and looks ok -

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            7f:e1:a2:b2:7f:06:88:0f:61:7a:3d:84:fd:2f:d8:95:2a:dd:69:ca
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=MY MongoDB Intermediate CA
        Validity
            Not Before: Jan 25 14:57:26 2022 GMT
            Not After : Feb 26 14:57:56 2022 GMT
        Subject: O=PSMDB, CN=staging-psmdb-rs0
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    ...
        X509v3 extensions:
            ...
            X509v3 Subject Alternative Name:
                DNS:*.staging-psmdb-cfg, DNS:*.staging-psmdb-cfg.psmdb, DNS:*.staging-psmdb-cfg.psmdb.svc.cluster.local, DNS:*.staging-psmdb-mongos, DNS:*.staging-psmdb-mongos.psmdb, DNS:*.staging-psmdb-mongos.psmdb.svc.cluster.local, DNS:*.staging-psmdb-rs0, DNS:*.staging-psmdb-rs0.psmdb, DNS:*.staging-psmdb-rs0.psmdb.svc.cluster.local, DNS:staging-psmdb-cfg, DNS:staging-psmdb-cfg.psmdb, DNS:staging-psmdb-cfg.psmdb.svc.cluster.local, DNS:staging-psmdb-mongos, DNS:staging-psmdb-mongos.psmdb, DNS:staging-psmdb-mongos.psmdb.svc.cluster.local, DNS:staging-psmdb-rs0, DNS:staging-psmdb-rs0.psmdb, DNS:staging-psmdb-rs0.psmdb.svc.cluster.local, DNS:localhost
          ....

After recreating of secrets staging-psmdb-ssl-internal staging-psmdb-ssl pods starting, and now I get a following problem -

{"t":{"$date":"2022-01-25T17:58:42.066+00:00"},"s":"I", "c":"ACCESS", "id":20427, "ctx":"conn301","msg":"Authenticate","attr":{"db":"$external","command":"{ authenticate: \"1\", mechanism: \"MONGODB-X509\", db: \"$external\" }"}}
{"t":{"$date":"2022-01-25T17:58:42.068+00:00"},"s":"I", "c":"ACCESS", "id":20427, "ctx":"conn301","msg":"Authenticate","attr":{"db":"$external","command":"{ authenticate: 1, mechanism: \"MONGODB-X509\", user: \"CN=staging-psmdb-rs0\", $db: \"$external\" }"}}
{"t":{"$date":"2022-01-25T17:58:42.068+00:00"},"s":"I", "c":"ACCESS", "id":20428, "ctx":"conn301","msg":"Failed to authenticate","attr":{"user":"CN=staging-psmdb-rs0@$external","client":"10.42.2.80:57974","mechanism":"MONGODB-X509","error":{"code":18,"codeName":"AuthenticationFailed","errmsg":"No verified subject name available from client"}}}
{"t":{"$date":"2022-01-25T17:58:42.069+00:00"},"s":"I", "c":"NETWORK", "id":22944, "ctx":"conn301","msg":"Connection ended","attr":{"remote":"10.42.2.80:57974","connectionId":301,"connectionCount":6}}
{"t":{"$date":"2022-01-25T17:58:42.083+00:00"},"s":"W", "c":"NETWORK", "id":23235, "ctx":"ReplNetwork","msg":"SSL peer certificate validation failed","attr":{"reason":"unable to get issuer certificate"}}

I think, the problem is certificate Subject that used for x509 authentication - in my case this is CN=staging-psmdb-rs0,O=PSMDB@$external and not O=PSMDB@$external, and I can not remove CN, because in vault it is required field.

Some idea, how I can fix it.
Thanks in advance!

1 Like

Hi @Filipp_Akinfiev,

I don’t think it’s because of CN, since yours look OK to me. One thing I don’t see is extended key usage values of the certificate. It needs to have “TLS Web Client Authentication”. Please check if the certificate conforms to all requirements.

Another thing, does staging-psmdb-ssl-internal and staging-psmdb-ssl contain the same certificate? Mongod pods use the internal secret for x509 authentication. It’s better to double check.

1 Like

Hi @egegunes,
thank you for your response!
After 100500 checks and investigations I got it!
I forgot, that if I use intermediate ca for cert signing, and I need to provide both certs (root-ca & intermediate-ca) as one ca.pem …
And indeed, the CN in the Subject does not affect, and It works well with any values.

2 Likes