
Cannot upgrade member of a secure replica set

I have a secure replica set running MongoDB 3.2, secured with the following options:

net:
  port: 27017
  ssl:
    mode: requireSSL
    PEMKeyFile: /XXX/YYY.pem
    CAFile: /XXX/ZZZ.crt
    clusterFile: /XXX/YYY.pem
    allowInvalidCertificates: true

security:
   authorization: enabled
   clusterAuthMode: x509

I want to upgrade it to MongoDB 4.0, so basically I need to upgrade it to 3.4, then 3.6, then 4.0.

As requested in the MongoDB replica set upgrade tutorial https://docs.mongodb.com/manual/release-notes/3.4-upgrade-replica-set/ I shut down my secondary, reinstalled the binary, then restarted it.

But once restarted, the secondary stays in the “not reachable/healthy” condition (from rs.status() on the primary). The only logs I can see on my secondary are:

I ACCESS [conn1] Unauthorized: not authorized on admin to execute command { replSetHeartbeat: "rsProd", configVersion: 34, from: "....", fromId: 5, term: 310 }

It seems that authentication makes the replication fail by making my secondary unreachable.

Do I need to downgrade the authorization + x509 first on the whole replica set before upgrading the MongoDB version on my secondary?

################## EDIT ###################

As I was unable to upgrade the configuration of this secondary, I decided to downgrade it back to the latest 3.2 version (3.2.22); I was still unable to make it work.
Finally, I put it on exactly the same version as my primary, 3.2.12, and it seems to work again.

I made it work too on versions 3.2.16, 3.2.18, 3.2.19 and 3.2.20.
It seems that the break occurs in version 3.2.21.

What changed in the authentication mechanism between versions 3.2.20 and 3.2.21?

################# SOLUTION ################

Invalid certificates no longer work for authentication since version 3.2.21, and not 4.0 as specified in the documentation https://docs.mongodb.com/manual/tutorial/configure-x509-member-authentication/

Regenerating the certificates and removing ssl.allowInvalidCertificates fixed the problem.

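A pre-upgrade check for the situation described in the solution above, added here as an example and not part of the original post: it flags ssl.allowInvalidCertificates in a mongod config and, when the files are present, checks the member certificate against the CA with `openssl verify`. The function names and the sample config are constructed for illustration, and the parser handles only the nested `key: value` subset shown in the post.

```python
import os, shutil, subprocess

# Constructed sample mirroring the options in the post (paths are placeholders).
SAMPLE_CONF = """\
net:
  ssl:
    mode: requireSSL
    PEMKeyFile: /XXX/YYY.pem
    CAFile: /XXX/ZZZ.crt
    clusterFile: /XXX/YYY.pem
    allowInvalidCertificates: true
security:
   clusterAuthMode: x509
"""

def flatten(conf_text):
    """Flatten nested 'key: value' lines into dotted keys, e.g. net.ssl.mode."""
    stack, flat = [], {}  # stack holds (indent, key) for each open section
    for raw in conf_text.splitlines():
        line = raw.split(" #")[0].rstrip()  # drop inline comments
        if ":" not in line or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack and stack[-1][0] >= indent:  # close deeper or sibling sections
            stack.pop()
        if value.strip():
            flat[".".join([k for _, k in stack] + [key])] = value.strip().strip("'\"")
        else:
            stack.append((indent, key))
    return flat

def chain_ok(ca_file, pem_file):
    """True/False from `openssl verify`; None if openssl or a file is unavailable."""
    if not (shutil.which("openssl") and os.path.isfile(ca_file) and os.path.isfile(pem_file)):
        return None
    run = subprocess.run(["openssl", "verify", "-CAfile", ca_file, pem_file], capture_output=True)
    return run.returncode == 0

def audit(conf_text):
    """Return findings to resolve before moving a member to 3.2.21 or later."""
    c, findings = flatten(conf_text), []
    if c.get("net.ssl.allowInvalidCertificates", "false").lower() == "true":
        findings.append("net.ssl.allowInvalidCertificates is true: remove it and use valid certificates")
    if c.get("security.clusterAuthMode", "").lower() in ("x509", "sendx509"):
        pem = c.get("net.ssl.clusterFile") or c.get("net.ssl.PEMKeyFile", "")
        if chain_ok(c.get("net.ssl.CAFile", ""), pem) is False:
            findings.append(f"{pem} does not verify against net.ssl.CAFile")
    return findings
```

Run `audit(open(path).read())` on each member's config before swapping binaries; an empty list means neither condition was detected, and a skipped certificate check (missing files or no openssl) produces no finding.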