Problems on M310 / X.509

Michel_Bouchet · November 19, 2020, 10:50am

I am now in a situation where I would like to run this command in the mongo shell and I can’t.

db.getSiblingDB("$external").runCommand({createUser: “C=US,ST=New York,L=New York City,O=MongoDB,OU=University2,CN=M310 Client”, roles: [{role: ‘root’, db:‘admin’}])

At this point I have tried two ways to start mongod on my three servers.

1st)
mongod --replSet TO_BE_SECURED --dbpath ./M310-HW-1.3/r0 --logpath ./M310-HW-1.3/r0/mongodb.log --port 31130 --fork --sslMode requireSSL --clusterAuthMode x509 --sslPEMKeyFile ./shared/certs/server.pem --sslCAFile ./shared/certs/ca.pem

2nd)
mongod --replSet TO_BE_SECURED --dbpath ./M310-HW-1.3/r0 --logpath ./M310-HW-1.3/r0/mongodb.log --port 31130 --fork

Both of those two method seemingly work to start the servers, but neither looks good at the end for what I want.

If I use the first way, then I am able to connect with the mongo shell, using this command:

mongo --host “TO_BE_SECURED/database.m310.mongodb.university:31130” --ssl --sslPEMKeyFile ./shared/certs/client.pem --sslCAFile ./shared/certs/ca.pem

If I use the second way, I am able to connect with the mongo shell, using this command:

mongo --host “TO_BE_SECURED/database.m310.mongodb.university:31130”

But in both case, I can’t run the above command:
db.getSiblingDB("$external").runCommand…

If someone can tell me what I am missing that would be great.

Ramachandra_Tummala · November 19, 2020, 2:12pm

First mongod command is correct as yu need mongod with x509 authentication
Second mongod starts a instacne without any authentication

For mongo use the first command.Don’t use replicaset name in the command
Just use --host database.m310.mongodb.university and give the port separately --port 31130

Is your replica up?how did you initialize
Asking this because you are at user creation step

Michel_Bouchet · November 19, 2020, 3:37pm

Thanks for the reply.

I used the same mongod command for the three servers. Of course changing the port each time as well as the paths. And rs.initiate(…) at some point. But I remember running rs.initiate only once and that seems to be enough. On the other hand I have tried and killed the mongods several times, using variations.

Ramachandra_Tummala · November 20, 2020, 2:06am

ok
Did you try this:

mongo --host database.m310.mongodb.university --port 31130 with rest of the options as you used

Michel_Bouchet · November 20, 2020, 3:51am

Following your indications using:

mongo --host database.m310.mongodb.university --port 31130 --ssl --sslPEMKeyFile ./shared/certs/client.pem --sslCAFile ./shared/certs/ca.pem

I was indeed able to get in, but there is still an issue with the command: "db.getSiblingDB …createUser… ". Here is how it goes when I try:

MongoDB Enterprise TO_BE_SECURED:PRIMARY> db.getSiblingDB("$external").runCommand({createUser: “C=US,ST=New York,L=New York City,O=MongoDB,OU=University2,CN=M310 Client”, roles: [{role: ‘root’, db:‘admin’}])
… ^C

MongoDB Enterprise TO_BE_SECURED:PRIMARY>

As you can see I had to hit CTRL-C, or I would wait for ever.

What am I missing?

Michel_Bouchet · November 20, 2020, 6:53am

I finally solved the problem. If you look carefully at my db.getSiblingDB… command you will see that a curly brace is missing.

Thanks for your help anyway!

steevej · November 20, 2020, 2:18pm

The three little dots … is the line continuation prompt, indicating that the command you are entering is not syntactically terminated. Most often, a missing quote or double quote, a missing closing brace or missing closing parenthesis. But as seen in the following example. The missing part can be something else.

> db.test.find( { a : 1 
... , b : 2 } )

Michel_Bouchet · November 21, 2020, 7:09am

Yes. I should have been alerted by the … indeed.
I just didn’t know that.