I have a secure replicaset running mongodb 3.2 secured with the following options
net:
port: 27017
ssl:
mode: requireSSL
PEMKeyFile: /XXX/YYY.pem
CAFile: /XXX/ZZZ.crt
clusterFile: /XXX/YYY.pem
allowInvalidCertificates: true
security:
authorization: enabled
clusterAuthMode: x509
I want to upgrade it to mongo 4.0, so basically i need to upgrade it to 3.4 then 3.6 then 4.0.
As requested in mongodb replicaset upgrade tutorial https://docs.mongodb.com/manual/release-notes/3.4-upgrade-replica-set/ i shutdown my secondary, reinstall binary, then restart it.
But once restart, the secondary stay in “not reachable/healty” (from rs.status() on the primary) condition. The only logs i can see in my secondary are :
I ACCESS [conn1] Unauthorized: not authorized on admin to execute command { replSetHeartbeat: "rsProd", configVersion: 34, from: "....", fromId: 5, term: 310 }
It seems that authentication make the replication fail by making my secondary unreachable.
Do i need to downgrade the authorization+x509 first on all the replicaset before upgrading mongodb version on my secondary ?
################## EDIT ###################
As i was unable to upgrade the configuration of this secondary, i decide to downgrade it back to the latest 3.2 version (3.2.22), i was still unable to make it work.
Finally, i put it in exactly the same version as my primary: 3.2.12 and it seems to works again.
I make it work to on version 3.2.16, 3.2.18, 3.2.19, 3.2.20
It seems that the break occurs in version 3.2.21
What is changing in authentication mechanism between version 3.2.20 to 3.2.21 ?
################# SOLUTION ################
Invalid certificates aren’t working anymore for authentication since version 3.2.21 and not 4.0 as specified in the documentation https://docs.mongodb.com/manual/tutorial/configure-x509-member-authentication/
Regenerate certificates and removing ssl.allowInvalidCertificates fixed the problem.