MongoDB replication with enforced TLS is failing

Hi everyone. I’m in a peculiar situation.

I have a mongodb cluster with replication with this configuration:

# mongod.conf

# for documentation of all options, see:
#   http://docs.mongodb.org/manual/reference/configuration-options/

# Where and how to store data.
storage:
  dbPath: {{ mongodb_data_dir }}
  journal:
    enabled: true
#  engine:
#  mmapv1:
  wiredTiger:
    engineConfig:
      cacheSizeGB: {{ memory }}

# where to write logging data.
#systemLog:
#  destination: file
 # logAppend: true
 # path: /var/log/mongodb/mongod.log

# network interfaces
net:
  port: {{ mongod_port }}
  bindIp: 127.0.0.1,{{ fqdn }}
  ssl:
    mode: requireSSL
    PEMKeyFile: /certs/tls.pem
    CAFile: /certs/tls.crt
    disabledProtocols: TLS1_0,TLS1_1
    allowConnectionsWithoutCertificates: false
    allowInvalidHostnames: false
security:
  authorization: enabled
  keyFile: /conf/mongodb/repl.key
  javascriptEnabled: {{'true' if javascript_enabled else 'false'}}

#operationProfiling:

replication:
  replSetName: {{ replica_set_name }}
  oplogSizeMB: {{ oplog_size_mb }}
  enableMajorityReadConcern: {{'true' if enable_majority_read_concern else 'false'}}

#sharding:

## Enterprise-Only Options:

#auditLog:

#snmp:

TLS is required and the operator which is doing some things is already using the correct certificate.

When replication is kicking in, however, suddenly I’m starting to see these:

2021-03-19T16:33:49.630+0000 I  NETWORK  [conn619] Error receiving request from client: SSLHandshakeFailed: The server is configured to only allow SSL connections. Ending connection from 127.0.0.1:44320 (connection id: 619)
2021-03-19T16:33:49.630+0000 I  NETWORK  [conn619] end connection 127.0.0.1:44320 (8 connections now open)
2021-03-19T16:33:50.132+0000 I  NETWORK  [listener] connection accepted from 127.0.0.1:44350 #620 (9 connections now open)
2021-03-19T16:33:50.132+0000 I  NETWORK  [conn620] Error receiving request from client: SSLHandshakeFailed: The server is configured to only allow SSL connections. Ending connection from 127.0.0.1:44350 (connection id: 620)
2021-03-19T16:33:50.132+0000 I  NETWORK  [conn620] end connection 127.0.0.1:44350 (8 connections now open)
2021-03-19T16:33:50.634+0000 I  NETWORK  [listener] connection accepted from 127.0.0.1:44360 #621 (9 connections now open)
2021-03-19T16:33:50.634+0000 I  NETWORK  [conn621] Error receiving request from client: SSLHandshakeFailed: The server is configured to only allow SSL connections. Ending connection from 127.0.0.1:44360 (connection id: 621)
2021-03-19T16:33:50.634+0000 I  NETWORK  [conn621] end connection 127.0.0.1:44360 (8 connections now open)
2021-03-19T16:33:51.136+0000 I  NETWORK  [listener] connection accepted from 127.0.0.1:44364 #622 (9 connections now open)
2021-03-19T16:33:51.136+0000 I  NETWORK  [conn622] Error receiving request from client: SSLHandshakeFailed: The server is configured to only allow SSL connections. Ending connection from 127.0.0.1:44364 (connection id: 622)

I have no idea what this is and where it’s coming from. The localhost connection, I mean. It’s not me, so I suspect it’s the replication inside mongo? I have 3 instances: two secondaries and a single primary. But the cluster can’t connect and so no one is primary. I tried specifying a clusterFile too, but that didn’t do anything.

Anyone ever see something like this and might have ANY ideas where or what I can do? I’ve been trying to figure this out for a long time now without luck.

If I set

    allowConnectionsWithoutCertificates: true
    allowInvalidHostnames: true

It works of course, but that is not desirable. :confused:

Any help is much appreciated. :slight_smile:
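A triage sketch for the log excerpt above, added here as an example and not part of the original post: it groups the rejected connections by source address and measures how regularly they arrive, which helps narrow down which local process is opening them. The sample lines are copied from the excerpt, plus one constructed line from the placeholder address 10.0.0.5; the function name `summarize_rejections` is hypothetical.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Sample input: lines from the excerpt in the post, plus one CONSTRUCTED
# line (source 10.0.0.5) so the grouping has more than one source to show.
SAMPLE_LOG = """\
2021-03-19T16:33:49.630+0000 I  NETWORK  [conn619] Error receiving request from client: SSLHandshakeFailed: The server is configured to only allow SSL connections. Ending connection from 127.0.0.1:44320 (connection id: 619)
2021-03-19T16:33:50.132+0000 I  NETWORK  [listener] connection accepted from 127.0.0.1:44350 #620 (9 connections now open)
2021-03-19T16:33:50.132+0000 I  NETWORK  [conn620] Error receiving request from client: SSLHandshakeFailed: The server is configured to only allow SSL connections. Ending connection from 127.0.0.1:44350 (connection id: 620)
2021-03-19T16:33:50.634+0000 I  NETWORK  [conn621] Error receiving request from client: SSLHandshakeFailed: The server is configured to only allow SSL connections. Ending connection from 127.0.0.1:44360 (connection id: 621)
2021-03-19T16:33:51.136+0000 I  NETWORK  [conn622] Error receiving request from client: SSLHandshakeFailed: The server is configured to only allow SSL connections. Ending connection from 127.0.0.1:44364 (connection id: 622)
2021-03-19T16:33:52.000+0000 I  NETWORK  [conn623] Error receiving request from client: SSLHandshakeFailed: The server is configured to only allow SSL connections. Ending connection from 10.0.0.5:50000 (connection id: 623)
"""

# Matches only the rejection lines; "accepted" and "end connection" lines are skipped.
REJECT = re.compile(
    r"^(?P<ts>\S+) \S+\s+NETWORK\s+\[conn\d+\] .*SSLHandshakeFailed: "
    r".*Ending connection from (?P<ip>[\d.]+):(?P<port>\d+)"
)

def summarize_rejections(log_text):
    """Per source IP: number of rejected connections and median gap between them."""
    times = defaultdict(list)
    for line in log_text.splitlines():
        m = REJECT.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S.%f%z")
            times[m["ip"]].append(ts)
    report = {}
    for ip, stamps in times.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        report[ip] = {
            "rejected": len(stamps),
            "loopback": ip.startswith("127."),
            # A steady gap suggests a client retrying on a timer.
            "median_gap_s": round(statistics.median(gaps), 3) if gaps else None,
        }
    return report

if __name__ == "__main__":
    for ip, info in summarize_rejections(SAMPLE_LOG).items():
        print(ip, info)
```
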

Welcome to the community!

What is your mongodb version?
Are you using TLS or SSL?
If TLS, your config file is still pointing to SSL.

Have you tried with

    tls:
      mode: requireTLS

Hi!

Unfortunately that’s not an option for now, because we have to maintain backwards compatibility with 3.x versions. So switching to TLS is not an option yet. Also, I believe it should work until it’s fully not supported any longer, right?

Or are you suggesting to ALSO add a TLS section next to the SSL one? Also, that has duplicate keys.

Hi @Gergely welcome to the community!

I think the picture is still incomplete here. Could you provide the following information as a starting point:

  1. What is your MongoDB version (please post the output of mongod --version)
  2. What is the output of your rs.status() and rs.conf()
  3. Is replication working currently? What method did you use to discover if it does or does not work?
  4. Did you follow the procedure at Deploy a replica set and Configure mongod and mongos for TLS/SSL ? Are you having issues with any of the procedures currently?

Best regards,
Kevin
