SSL peer certificate validation failed

jamoser · July 26, 2021, 7:47pm

Operator 1.7.0: ok

Operator 1.8.0, 1.9.0:

{“t”:{“$date”:“2021-07-26T19:43:45.329+00:00”},“s”:“W”, “c”:“NETWORK”, “id”:23235, “ctx”:“conn140”,“msg”:“SSL peer certificate validation failed”,“attr”:{“reason”:“certificate signature failure”}}

The ssl certs are all ok.

Sergey_Pronin · July 27, 2021, 6:56am

Hey @jamoser ,

please provide more details about your deployment. k8s flavor/version, its components, cr.yaml, etc.
I cannot reproduce it on GKE with default cr.yaml.

jamoser · July 27, 2021, 8:09am

Environment : GKE plain vanilla
Installed Operator 1.7.0 in namespace X : ok
Installed Operator 1.8.0 resp 1.9.0 in namespace Y resp. Z : nok
Installation done according to Percona

Installation 1.8.0 and 1.9.0: both the cfg and mongos show the error above but the certificates (ssl/ssl-internal) are ok and match.

If I replace in the installation 1.8.0 and 1.9.0 the operator version number with 1.7.0 then both installations work (they then just run the 1.7.0 operator).

jamoser · July 27, 2021, 7:21pm

Providing the solution again

The cluster name as well as the associated secrets must follow a certain pattern:

{“t”:{“$date”:“2021-07-27T19:07:00.703+00:00”},“s”:“W”, “c”:“NETWORK”, “id”:23238, “ctx”:“ShardRegistry”,“msg”:“The server certificate does not match the remote host name”,“attr”:{“remoteHost”:“x-mongodb-01-cluster-cfg-0.x-mongodb-01-cluster-cfg.performance-mongodb-01.svc.cluster.local”,“certificateNames”:"SAN(s): localhost, my-cluster-name-rs0, my-cluster-name-rs0.psmdb, my-cluster-name-rs0.psmdb.svc.cluster.local, *.my-cluster-name-rs0, *.my-cluster-name-rs0.psmdb, *.my-cluster-name-rs0.psmdb.svc.cluster.local, my-cluster-name-mongos, my-cluster-name-mongos.psmdb, my-cluster-name-mongos.psmdb.svc.cluster.local, *.my-cluster-name-mongos, *.my-cluster-name-mongos.psmdb, *.my-cluster-name-mongos.psmdb.svc.cluster.local, my-cluster-name-cfg, my-cluster-name-cfg.psmdb, my-cluster-name-cfg.psmdb.svc.cluster.local, *.my-cluster-name-cfg, *.my-cluster-name-cfg.psmdb, *.my-cluster-name-cfg.psmdb.svc.cluster.local, "}}

I renamed the cluster name as well as the associated secret names from x-mongodb-01-cluster to x-mongodb01-cluster.

Sergey_Pronin · July 28, 2021, 8:29am

Thanks for sharing, John.

Topic		Replies	Views
V.1.5.0 operator Ssl hadnshake issue Percona Operator for MongoDB bugs , mongodb	1	1411	November 2, 2020
SSL peer certificate validation failed {"reason":"certificate signature failure"} Percona Operator for MongoDB	0	21	November 7, 2024
Basic cluster with TLS not working, operator k8s/helm setup Percona Server for MongoDB mongodb , psmdb-operator	18	2953	December 18, 2022
Logs flooded with ssl messages Percona Operator for MongoDB	8	2469	May 20, 2024
Percona MonogDB Cluster Fails when enabling TLS Percona Operator for MongoDB	3	185	June 5, 2024

SSL peer certificate validation failed

Related topics