Homework 1.5: Issue with X.509 user

Hi,

I started the nodes of the cluster with this command:

mongod --replSet database.m310.mongodb.university --dbpath M310-HW-1.5/r0 --logpath M310-HW-1.5/r0/mongodb.log --port 31150 --sslMode allowSSL --sslPEMKeyFile shared/certs/client.pem --sslCAFile shared/certs/ca.pem --keyFile mongodb-keyfile --fork --clusterAuthMode keyFile

and my rs.status is the following:

{
    "set" : "database.m310.mongodb.university",
    "date" : ISODate("2020-11-04T17:50:40.031Z"),
    "myState" : 1,
    "term" : NumberLong(2),
    "heartbeatIntervalMillis" : NumberLong(2000),
    "members" : [
        {
            "_id" : 0,
            "name" : "database:31150",
            "health" : 1,
            "state" : 1,
            "stateStr" : "PRIMARY",
            "uptime" : 1545,
            "optime" : {
                "ts" : Timestamp(1604510717, 2),
                "t" : NumberLong(2)
            },
            "optimeDate" : ISODate("2020-11-04T17:25:17Z"),
            "electionTime" : Timestamp(1604510717, 1),
            "electionDate" : ISODate("2020-11-04T17:25:17Z"),
            "configVersion" : 3,
            "self" : true
        },
        {
            "_id" : 1,
            "name" : "database.m310.mongodb.university:31151",
            "health" : 1,
            "state" : 2,
            "stateStr" : "SECONDARY",
            "uptime" : 1529,
            "optime" : {
                "ts" : Timestamp(1604510717, 2),
                "t" : NumberLong(2)
            },
            "optimeDate" : ISODate("2020-11-04T17:25:17Z"),
            "lastHeartbeat" : ISODate("2020-11-04T17:50:38.117Z"),
            "lastHeartbeatRecv" : ISODate("2020-11-04T17:50:39.785Z"),
            "pingMs" : NumberLong(0),
            "syncingTo" : "database:31150",
            "configVersion" : 3
        },
        {
            "_id" : 2,
            "name" : "database.m310.mongodb.university:31152",
            "health" : 1,
            "state" : 2,
            "stateStr" : "SECONDARY",
            "uptime" : 1520,
            "optime" : {
                "ts" : Timestamp(1604510717, 2),
                "t" : NumberLong(2)
            },
            "optimeDate" : ISODate("2020-11-04T17:25:17Z"),
            "lastHeartbeat" : ISODate("2020-11-04T17:50:38.117Z"),
            "lastHeartbeatRecv" : ISODate("2020-11-04T17:50:38.804Z"),
            "pingMs" : NumberLong(0),
            "syncingTo" : "database.m310.mongodb.university:31151",
            "configVersion" : 3
        }
    ],
    "ok" : 1
}

When I try to add the user that needs to authenticate with X.509 certificates, MongoDB returns the following error:

Cannot create an x.509 user with a subjectname that would be recognized as an internal cluster member.

Maybe the issue is related to using the same certificates for the X.509 internal authentication and for the X.509 client-server authentication, but I think that I'm using the keyfile for the internal authentication, and not the X.509 certificates. What's wrong in what I did?

Thanks in advance.

But Homework 1.5 is about X.509
Your clusterAuthMode should be x509.
Try to give a different name to the replica set. Any reason why it was named as the hostname?
Also your rs.status() shows different names for the 3 members. They all should be the same.

That error occurs if the server certificate and client certificate have the same OU field but you are not using the server certificate.
Please check your steps again.


Thanks for your answer.

The homework asks to use keyfile authentication for the cluster and to allow SCRAM-SHA-1 and X.509 for the communication between clients and servers, so the clusterAuthmode = keyfile parameter is right.

You are right that the replica set name doesn't matter for the X.509 authentication. I tried another name and the error is the same.

The name to specify for adding a member to a cluster is ":", so they are not equal. Furthermore, based on my understanding, the hostname must be equal to the hostname in the X.509 certificates. If not, X.509 doesn't work.

My question was "Why did I get the error on the X.509 user when I'm not using X.509 authentication?". I don't know the answer, but the error is related to the fact that I used the same certificate for the client and the server (by mistake). So you are right about the error reason. Thanks a lot!
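The rule behind the error discussed in this thread, as an added example that is not from the course or from any poster: MongoDB treats a presented certificate as a cluster member when its O, OU and DC attributes all match the server certificate's, so a client certificate that shares all three (which is exactly what reusing the server's PEM for clients does) is refused as an x.509 user even when the cluster itself authenticates with a keyfile. The subject strings below are constructed for illustration; the check function mirrors the server's decision, it is not MongoDB's own code.

```python
import re

# Attributes MongoDB compares when deciding whether a presented certificate
# belongs to a cluster member: Organization, Organizational Unit, Domain Component.
MEMBERSHIP_ATTRS = ("O", "OU", "DC")


def parse_dn(dn):
    """Split an RFC 2253 subject string into (attr, value) pairs.

    Handles backslash-escaped commas inside values; attribute types are
    normalised to upper case so 'ou=' and 'OU=' compare equal.
    """
    pairs = []
    for rdn in re.split(r"(?<!\\),", dn):
        attr, sep, value = rdn.strip().partition("=")
        if not sep:
            raise ValueError("malformed RDN: %r" % rdn)
        pairs.append((attr.strip().upper(), value.replace("\\,", ",").strip()))
    return pairs


def membership_profile(dn):
    """Return the sorted O/OU/DC values used for member matching."""
    return sorted(p for p in parse_dn(dn) if p[0] in MEMBERSHIP_ATTRS)


def looks_like_cluster_member(server_dn, client_dn):
    """True when the client subject would be treated as an internal member."""
    return membership_profile(server_dn) == membership_profile(client_dn)


def check_x509_user(server_dn, client_dn):
    """Reproduce the server-side check that produced the error in the thread.

    Returns (ok, message). On success the message is the exact username that
    must be created in the $external database: the full subject string.
    """
    if looks_like_cluster_member(server_dn, client_dn):
        return (False, "Cannot create an x.509 user with a subjectname that "
                       "would be recognized as an internal cluster member.")
    return (True, client_dn)


# Constructed sample subjects, not taken from the course's certificates.
SERVER_DN = "CN=database.m310.mongodb.university,OU=Servers,O=MongoDB University,L=New York,ST=NY,C=US"
SAME_AS_SERVER = "CN=client,OU=Servers,O=MongoDB University,L=New York,ST=NY,C=US"
DISTINCT_CLIENT = "CN=client,OU=Clients,O=MongoDB University,L=New York,ST=NY,C=US"

if __name__ == "__main__":
    for dn in (SAME_AS_SERVER, DISTINCT_CLIENT):
        ok, msg = check_x509_user(SERVER_DN, dn)
        print("OK  " if ok else "ERR ", msg)
```

The fix for the thread's situation is the second case: issue a separate client certificate whose subject differs from the member certificate in at least one of O, OU or DC, and create the $external user with that full subject string.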