I have a hopefully small problem; maybe somebody can point me in the right direction.
I just did a clean install with the operator and saw no issues at all.
If I look at the logs, all is good, and I can see tons of connections like this one:
{"t":{"$date":"2022-01-25T17:03:54.247+00:00"},"s":"I", "c":"ACCESS", "id":20427, "ctx":"conn356","msg":"Authenticate","attr":{"db":"$external","command":"{ authenticate: \"1\", mechanism: \"MONGODB-X509\", db: \"$external\" }"}}
{"t":{"$date":"2022-01-25T17:03:54.247+00:00"},"s":"I", "c":"ACCESS", "id":20429, "ctx":"conn356","msg":"Successfully authenticated","attr":{"user":"O=PSMDB","db":"$external","client":"10.42.1.82:36532"}}
After that, I followed this blog post, Transport Layer Security (TLS), for manual generation of the TLS certificate, but I did it with HashiCorp Vault.
I have created the certs; they all look good to me, everything is set, all alt_names are given and look OK:
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
7f:e1:a2:b2:7f:06:88:0f:61:7a:3d:84:fd:2f:d8:95:2a:dd:69:ca
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=MY MongoDB Intermediate CA
Validity
Not Before: Jan 25 14:57:26 2022 GMT
Not After : Feb 26 14:57:56 2022 GMT
Subject: O=PSMDB, CN=staging-psmdb-rs0
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
...
X509v3 extensions:
...
X509v3 Subject Alternative Name:
DNS:*.staging-psmdb-cfg, DNS:*.staging-psmdb-cfg.psmdb, DNS:*.staging-psmdb-cfg.psmdb.svc.cluster.local, DNS:*.staging-psmdb-mongos, DNS:*.staging-psmdb-mongos.psmdb, DNS:*.staging-psmdb-mongos.psmdb.svc.cluster.local, DNS:*.staging-psmdb-rs0, DNS:*.staging-psmdb-rs0.psmdb, DNS:*.staging-psmdb-rs0.psmdb.svc.cluster.local, DNS:staging-psmdb-cfg, DNS:staging-psmdb-cfg.psmdb, DNS:staging-psmdb-cfg.psmdb.svc.cluster.local, DNS:staging-psmdb-mongos, DNS:staging-psmdb-mongos.psmdb, DNS:staging-psmdb-mongos.psmdb.svc.cluster.local, DNS:staging-psmdb-rs0, DNS:staging-psmdb-rs0.psmdb, DNS:staging-psmdb-rs0.psmdb.svc.cluster.local, DNS:localhost
....
After recreating the secrets staging-psmdb-ssl-internal and staging-psmdb-ssl, the pods are starting, and now I get the following problem:
{"t":{"$date":"2022-01-25T17:58:42.066+00:00"},"s":"I", "c":"ACCESS", "id":20427, "ctx":"conn301","msg":"Authenticate","attr":{"db":"$external","command":"{ authenticate: \"1\", mechanism: \"MONGODB-X509\", db: \"$external\" }"}}
{"t":{"$date":"2022-01-25T17:58:42.068+00:00"},"s":"I", "c":"ACCESS", "id":20427, "ctx":"conn301","msg":"Authenticate","attr":{"db":"$external","command":"{ authenticate: 1, mechanism: \"MONGODB-X509\", user: \"CN=staging-psmdb-rs0\", $db: \"$external\" }"}}
{"t":{"$date":"2022-01-25T17:58:42.068+00:00"},"s":"I", "c":"ACCESS", "id":20428, "ctx":"conn301","msg":"Failed to authenticate","attr":{"user":"CN=staging-psmdb-rs0@$external","client":"10.42.2.80:57974","mechanism":"MONGODB-X509","error":{"code":18,"codeName":"AuthenticationFailed","errmsg":"No verified subject name available from client"}}}
{"t":{"$date":"2022-01-25T17:58:42.069+00:00"},"s":"I", "c":"NETWORK", "id":22944, "ctx":"conn301","msg":"Connection ended","attr":{"remote":"10.42.2.80:57974","connectionId":301,"connectionCount":6}}
{"t":{"$date":"2022-01-25T17:58:42.083+00:00"},"s":"W", "c":"NETWORK", "id":23235, "ctx":"ReplNetwork","msg":"SSL peer certificate validation failed","attr":{"reason":"unable to get issuer certificate"}}
I think the problem is the certificate Subject that is used for x509 authentication: in my case this is CN=staging-psmdb-rs0,O=PSMDB@$external and not O=PSMDB@$external, and I cannot remove the CN, because in Vault it is a required field.
Any idea how I can fix it?
Thanks in advance!
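As an added example (not part of the post above, and not code from the Percona operator, MongoDB or Vault), the Go program below builds a constructed root -> intermediate -> member certificate chain in memory using the names from the post (O=PSMDB, CN=staging-psmdb-rs0, issuer "MY MongoDB Intermediate CA") and runs the checks a peer performs before it accepts a member over MONGODB-X509: the RFC 2253 subject string that becomes the $external user name, whether the member certificate chains to the CA bundle the peer holds (a bundle without the intermediate fails with Go's UnknownAuthorityError, the counterpart of OpenSSL's "unable to get issuer certificate" seen in the last log line), and whether the wildcard SAN covers a pod's DNS name. The root CA name, the SAN subset and the pod host name are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Chain is a constructed root -> intermediate -> member chain, built in memory for the demo.
type Chain struct {
	Root, Intermediate, Member *x509.Certificate
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// issue signs tmpl with key (self-signed when parent == tmpl) and parses the result.
func issue(tmpl, parent *x509.Certificate, pub interface{}, key *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, key)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

func caTemplate(serial int64, cn string, now time.Time) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
}

// BuildChain mirrors the post: member cert O=PSMDB, CN=staging-psmdb-rs0 issued by
// "MY MongoDB Intermediate CA". The root CA name and the SAN subset are assumptions.
func BuildChain() *Chain {
	now := time.Now()
	rootKey, interKey, memberKey := newKey(), newKey(), newKey()
	rootTmpl := caTemplate(1, "MY MongoDB Root CA (assumed)", now)
	root := issue(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	inter := issue(caTemplate(2, "MY MongoDB Intermediate CA", now), root, &interKey.PublicKey, rootKey)
	memberTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(3),
		Subject:      pkix.Name{Organization: []string{"PSMDB"}, CommonName: "staging-psmdb-rs0"},
		NotBefore:    now.Add(-time.Hour), NotAfter: now.Add(30 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		// A replica-set member is a TLS server to clients and an X.509 client to its peers.
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		DNSNames: []string{"*.staging-psmdb-rs0", "*.staging-psmdb-rs0.psmdb",
			"*.staging-psmdb-rs0.psmdb.svc.cluster.local", "staging-psmdb-rs0", "localhost"},
	}
	return &Chain{Root: root, Intermediate: inter, Member: issue(memberTmpl, inter, &memberKey.PublicKey, interKey)}
}

// MongoUser is the RFC 2253 form of the subject (CN first, then O), which
// MONGODB-X509 uses as the user name in the $external database.
func MongoUser(c *x509.Certificate) string { return c.Subject.String() }

// VerifyAgainstBundle validates member the way a peer holding this CA bundle would:
// self-signed entries act as trust anchors, everything else as an intermediate.
func VerifyAgainstBundle(member *x509.Certificate, bundle []*x509.Certificate) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range bundle {
		if c.CheckSignatureFrom(c) == nil {
			roots.AddCert(c)
		} else {
			inters.AddCert(c)
		}
	}
	_, err := member.Verify(x509.VerifyOptions{
		Roots: roots, Intermediates: inters, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err
}

// IssuerMissing is true when no issuer for the chain was found in the bundle
// (Go's counterpart of OpenSSL's "unable to get issuer certificate").
func IssuerMissing(err error) bool {
	var e x509.UnknownAuthorityError
	return errors.As(err, &e)
}

// SANCovers reports whether host is matched by one of the certificate's SAN entries.
func SANCovers(c *x509.Certificate, host string) bool { return c.VerifyHostname(host) == nil }

func main() {
	ch := BuildChain()
	fmt.Println("x509 user:", MongoUser(ch.Member))
	fmt.Println("root only, issuer missing:", IssuerMissing(VerifyAgainstBundle(ch.Member, []*x509.Certificate{ch.Root})))
	fmt.Println("root+intermediate:", VerifyAgainstBundle(ch.Member, []*x509.Certificate{ch.Root, ch.Intermediate}))
	fmt.Println("SAN covers pod:", SANCovers(ch.Member, "staging-psmdb-rs0-0.staging-psmdb-rs0.psmdb.svc.cluster.local"))
}
```

The program prints the user name as "CN=staging-psmdb-rs0,O=PSMDB", reports a missing issuer when the bundle holds only the root, and verifies cleanly once the intermediate is in the bundle too; this is the check to run against the actual CA file mounted into the pods when a peer logs "unable to get issuer certificate". Note that for cluster membership MongoDB additionally requires the O, OU and DC attributes of member certificates to match each other; this example covers the chain and SAN checks, not that comparison.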