Hi all, I’m new to this community; I hope I created this topic in the right category.
I recently needed to deploy a 3-node replica set, and my configuration file is something like this:
```yaml
systemLog:
  [...]
net:
  port: XXXXX
  bindIp: XXXXX
  tls:
    mode: requireTLS
    certificateKeyFile: /mongo/tls/mongo01.pem
    CAFile: /mongo/tls/ca.pem
    allowConnectionsWithoutCertificates: true
    disabledProtocols: TLS1_0,TLS1_1
replication:
  [...]
security:
  authorization: enabled
  keyFile: /mongo/tls/member.key
  authenticationMechanisms: [SCRAM-SHA-1,SCRAM-SHA-256]
  clusterAuthMode: keyFile
storage:
  [...]
processManagement:
  [...]
```
I have also created a mongo0X.pem file for every server, as you can see in the certificateKeyFile setting, each signed by the same internal root CA (the ca.pem file).
When I try to start my mongod instances, despite the presence of ‘clusterAuthMode: keyFile’ (which I supposed should somehow force the usage of the keyfile ONLY), the servers still check each other’s certificates (which I only want to be used by clients to verify the servers’ identities).
This procedure fails because I did not include the ‘TLS Web Client Authentication’ setting in the certificate itself (it returns an “SSL invalid certificate purpose” error).
So my question is: why does MongoDB try to validate the “between servers” certificates even though I told it not to?
What am I doing wrong/misunderstanding?
Any help is appreciated.
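The error quoted in the post ("invalid certificate purpose") is the standard X.509 purpose check: a certificate whose extendedKeyUsage lists only serverAuth is rejected the moment it is presented as a *client* certificate, which is what a member does when it opens an outbound connection to a peer that requests one. The script below is an added example, not code from the original post or from MongoDB: it issues a throwaway internal CA and two member certificates (one with serverAuth only, one with serverAuth plus clientAuth), then reproduces the purpose check offline with `openssl verify -purpose sslclient` / `-purpose sslserver` so the certificates can be checked before mongod is started. The directory, hostnames (mongo01) and the cert-then-key .pem layout are assumptions for the demo; it needs `openssl` on PATH.

```shell
#!/bin/sh
# Added example, not code from the original post or from MongoDB.
# Issues a throwaway internal CA plus member certificates with a chosen EKU set,
# then reproduces the "certificate purpose" check with `openssl verify -purpose`.
# All names and paths are assumptions for the demo; mongo01 stands in for one member.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch directory (assumed)

# Minimal openssl config so the demo does not depend on the system openssl.cnf.
cat > "$WORK/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = internal-test-ca
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# Create the self-signed internal root CA (ca.pem / ca.key) once.
make_ca() {
  [ -f "$WORK/ca.pem" ] && return 0
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 365 \
    -config "$WORK/openssl.cnf" -extensions v3_ca \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
}

# issue_member_cert NAME EKU
# Signs a member certificate for hostname NAME with extendedKeyUsage EKU
# (e.g. "serverAuth" or "serverAuth,clientAuth") and writes NAME.pem in the
# cert-then-key layout a certificateKeyFile uses (assumed layout).
issue_member_cert() {
  name="$1"; eku="$2"
  make_ca
  cat > "$WORK/$name.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = $eku
subjectAltName = DNS:$name
EOF
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/openssl.cnf" \
    -subj "/CN=$name" -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -extfile "$WORK/$name.ext" -out "$WORK/$name.crt" 2>/dev/null
  cat "$WORK/$name.crt" "$WORK/$name.key" > "$WORK/$name.pem"
}

# cert_has_purpose NAME PURPOSE
# Returns 0 when NAME.crt chains to ca.pem AND is allowed for PURPOSE:
#   sslserver = what a connecting client checks,
#   sslclient = what a peer checks when the member presents the same
#               certificate as a client.
# A serverAuth-only certificate fails sslclient with "unsupported certificate purpose".
cert_has_purpose() {
  openssl verify -CAfile "$WORK/ca.pem" -purpose "$2" "$WORK/$1.crt" >/dev/null 2>&1
}

# member_cert_roles NAME -> "both", "server-only" or "none"
member_cert_roles() {
  s=0; c=0
  cert_has_purpose "$1" sslserver && s=1
  cert_has_purpose "$1" sslclient && c=1
  if [ "$s" = 1 ] && [ "$c" = 1 ]; then echo both
  elif [ "$s" = 1 ]; then echo server-only
  else echo none; fi
}

# Demo: the failing shape (serverAuth only) next to the corrected one.
issue_member_cert mongo01-serveronly serverAuth
issue_member_cert mongo01 serverAuth,clientAuth
echo "mongo01-serveronly: $(member_cert_roles mongo01-serveronly)"
echo "mongo01:            $(member_cert_roles mongo01)"
```

Run it against your real files by pointing `-CAfile` at ca.pem and the last argument at each mongo0X certificate: a member certificate that reports `server-only` here is the shape that produces the purpose error when a peer demands a client certificate, and re-issuing it with `extendedKeyUsage = serverAuth,clientAuth` is what makes the same check pass.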