SSL peer certificate validation failed

Operator 1.7.0: ok

Operator 1.8.0, 1.9.0:

{"t":{"$date":"2021-07-26T19:43:45.329+00:00"},"s":"W", "c":"NETWORK", "id":23235, "ctx":"conn140","msg":"SSL peer certificate validation failed","attr":{"reason":"certificate signature failure"}}

The ssl certs are all ok.


Hey @jamoser,

Please provide more details about your deployment: k8s flavor/version, its components, cr.yaml, etc.
I cannot reproduce it on GKE with default cr.yaml.


Environment : GKE plain vanilla
Installed Operator 1.7.0 in namespace X : ok
Installed Operator 1.8.0 resp 1.9.0 in namespace Y resp. Z : nok
Installation done according to Percona

Installation 1.8.0 and 1.9.0: both the cfg and mongos show the error above but the certificates (ssl/ssl-internal) are ok and match.

If I replace in the installation 1.8.0 and 1.9.0 the operator version number with 1.7.0 then both installations work (they then just run the 1.7.0 operator).


Providing the solution again

The cluster name as well as the associated secrets must follow a certain pattern:

{"t":{"$date":"2021-07-27T19:07:00.703+00:00"},"s":"W", "c":"NETWORK", "id":23238, "ctx":"ShardRegistry","msg":"The server certificate does not match the remote host name","attr":{"remoteHost":"x-mongodb-01-cluster-cfg-0.x-mongodb-01-cluster-cfg.performance-mongodb-01.svc.cluster.local","certificateNames":"SAN(s): localhost, my-cluster-name-rs0, my-cluster-name-rs0.psmdb, my-cluster-name-rs0.psmdb.svc.cluster.local, *.my-cluster-name-rs0, *.my-cluster-name-rs0.psmdb, *.my-cluster-name-rs0.psmdb.svc.cluster.local, my-cluster-name-mongos, my-cluster-name-mongos.psmdb, my-cluster-name-mongos.psmdb.svc.cluster.local, *.my-cluster-name-mongos, *.my-cluster-name-mongos.psmdb, *.my-cluster-name-mongos.psmdb.svc.cluster.local, my-cluster-name-cfg, my-cluster-name-cfg.psmdb, my-cluster-name-cfg.psmdb.svc.cluster.local, *.my-cluster-name-cfg, *.my-cluster-name-cfg.psmdb, *.my-cluster-name-cfg.psmdb.svc.cluster.local, "}}

I renamed the cluster name as well as the associated secret names from x-mongodb-01-cluster to x-mongodb01-cluster.

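The hostname check behind the id 23238 warning quoted above, as an added example that is not part of the original thread and not Percona's or MongoDB's code: it parses such a log line and tests `remoteHost` against each listed SAN. The function names are hypothetical, the sample line is constructed from the thread's log with a shortened SAN list, and the wildcard rule (a `*` stands for exactly one leftmost label) is the usual RFC 6125 style rule, assumed here.

```python
import json

# Constructed sample: the id 23238 warning from the thread, re-typed with
# straight quotes and the SAN list shortened to the config-server entries.
SAMPLE_LOG = (
    '{"t":{"$date":"2021-07-27T19:07:00.703+00:00"},"s":"W","c":"NETWORK",'
    '"id":23238,"ctx":"ShardRegistry",'
    '"msg":"The server certificate does not match the remote host name",'
    '"attr":{"remoteHost":"x-mongodb-01-cluster-cfg-0.x-mongodb-01-cluster-cfg'
    '.performance-mongodb-01.svc.cluster.local",'
    '"certificateNames":"SAN(s): localhost, my-cluster-name-cfg, '
    'my-cluster-name-cfg.psmdb, my-cluster-name-cfg.psmdb.svc.cluster.local, '
    '*.my-cluster-name-cfg, *.my-cluster-name-cfg.psmdb, '
    '*.my-cluster-name-cfg.psmdb.svc.cluster.local, "}}'
)

def parse_mismatch(line):
    """Return (remote_host, [SANs]) for an id 23238 log line, else None."""
    entry = json.loads(line)
    if entry.get("id") != 23238:
        return None
    attr = entry["attr"]
    # certificateNames looks like "SAN(s): a, b, c, " (note the trailing comma)
    names = attr["certificateNames"].split(":", 1)[1]
    return attr["remoteHost"], [n.strip() for n in names.split(",") if n.strip()]

def san_matches(host, san):
    """Label-wise, case-insensitive match; '*' covers one leftmost label only."""
    h = host.lower().rstrip(".").split(".")
    s = san.lower().rstrip(".").split(".")
    if len(h) != len(s):
        return False  # a wildcard never spans several labels
    if s[0] == "*" and len(s) >= 2:
        return h[1:] == s[1:]
    return h == s

def diagnose(line):
    """Summarise which SANs (if any) cover the host the client dialled."""
    parsed = parse_mismatch(line)
    if parsed is None:
        return None
    host, sans = parsed
    return {"host": host, "sans": sans,
            "matching": [s for s in sans if san_matches(host, s)]}

if __name__ == "__main__":
    result = diagnose(SAMPLE_LOG)
    print(result["host"], "covered by:", result["matching"] or "no SAN")
```
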

Thanks for sharing, John.
