
MongoDB replica set members cannot join the cluster over SSL

Ashok Reddy · Tech Community · 6 years ago

    I have configured a mongodb replica set. Below is the mongodb.conf file for the 3 nodes; the replica set members cannot join the cluster.

    systemLog:
      destination: file
      logAppend: true
      path: /var/log/mongodb/mongod.log

    storage:
      dbPath: /data/iddi
      journal:
        enabled: true

    # how the process runs
    processManagement:
      fork: true  # fork and run in background
      pidFilePath: /var/run/mongodb/mongod.pid  # location of pidfile
      timeZoneInfo: /usr/share/zoneinfo

    net:
      port: 27017
      bindIp: 0.0.0.0
      ssl:
        mode: requireSSL
        PEMKeyFile: /etc/ssl/mongodb.pem
        CAFile: /etc/ssl/CA.pem
        clusterFile: /etc/ssl/mongodb.pem

    security:
      keyFile: /opt/mongo-keyfile
      # authorization: enabled
      clusterAuthMode: x509

    replication:
      replSetName: mongod


    Below are the logs from the primary and secondary servers.

    2018-07-03T12:08:56.107+0000 I REPL_HB  [replexec-3] Error in heartbeat (requestId: 8090) to node1.mongod:27018, response status: Unauthorized: command replSetHeartbeat requires authentication
    2018-07-03T12:08:56.606+0000 I REPL_HB  [replexec-3] Error in heartbeat (requestId: 8091) to node2.mongod:27019, response status: Unauthorized: command replSetHeartbeat requires authentication
    2018-07-03T12:08:56.607+0000 I REPL_HB  [replexec-3] Error in heartbeat (requestId: 8092) to node1.mongod:27018, response status: Unauthorized: command replSetHeartbeat requires authentication
    2018-07-03T12:08:57.106+0000 I REPL_HB  [replexec-3] Error in heartbeat (requestId: 8093) to node2.mongod:27019, response status: Unauthorized: command replSetHeartbeat requires authentication
    2018-07-03T12:08:57.107+0000 I REPL_HB  [replexec-3] Error in heartbeat (requestId: 8094) to node1.mongod:27018, response status: Unauthorized: command replSetHeartbeat requires authentication
    

    Secondary server log

    2018-07-03T10:48:45.695+0000 I ACCESS   [conn8] Failed to authenticate CN=mongod@$external from client 172.17.0.1:46320 with mechanism MONGODB-X509: UserNotFound: Could not find user CN=mongod@$external
    2018-07-03T10:48:45.696+0000 I NETWORK  [conn8] end connection 172.17.0.1:46320 (0 connections now open)
    2018-07-03T10:48:45.697+0000 I NETWORK  [listener] connection accepted from 172.17.0.1:46328 #9 (1 connection now open)
    2018-07-03T10:48:45.702+0000 I NETWORK  [conn9] received client metadata from 172.17.0.1:46328 conn9: { driver: { name: "NetworkInterfaceTL", version: "4.0.0" }, os: { type: "Linux", name: "CentOS Linux release 7.4.1708 (Core) ", architecture: "x86_64", version: "Kernel 3.10.0-862.el7.x86_64" } }
    2018-07-03T10:48:45.703+0000 I ACCESS   [conn9]  authenticate db: $external { authenticate: 1, mechanism: "MONGODB-X509", user: "CN=mongod", $db: "$external" }
    2018-07-03T10:48:45.703+0000 I ACCESS   [conn9] Failed to authenticate CN=mongod@$external from client 172.17.0.1:46328 with mechanism MONGODB-X509: UserNotFound: Could not find user CN=mongod@$external
    2018-07-03T10:53:35.211+0000 I CONTROL  [LogicalSessionCacheReap] Sessions collection is not set up; waiting until next sessions reap interval: Replication has not yet been configured
    
    1 reply

nijm · 6 years ago

    The member certificate used for internal authentication between cluster members (in this case /etc/ssl/mongodb.pem) should have more attributes in its subject. From the mongodb docs:

    The Distinguished Name (DN), found in the member certificate's subject, must specify a non-empty value for at least one of the following attributes: Organization (O), Organizational Unit (OU), or Domain Component (DC).

    A good tutorial (with some proper explanations) on how to generate these certificates can be found here.
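The rule quoted in the answer, as an added example that is not part of this thread or of MongoDB's own code: a small Python script that parses an X.509 subject DN (in the comma form mongod writes to its log, or in the forms `openssl x509 -in mongodb.pem -noout -subject` prints) and reports whether it carries the non-empty O, OU or DC attribute mongod needs before it will treat the certificate as a member certificate. The log line is the one from the secondary's log above; the subjects `CN=node1.mongod,OU=replset,O=Example` and `CN=node2.mongod,OU=replset,O=Example` are constructed, with illustrative OU and O values. It goes one step beyond the quoted sentence by also comparing two members' O/OU/DC values, since MongoDB requires those to match across all members of a replica set (from the MongoDB documentation, not from this thread). A subject of just `CN=mongod`, as seen in the log, fails the check: mongod does not recognise it as a member certificate, falls back to looking up a `$external` user with that DN, and reports UserNotFound.

```python
"""Added example: check whether an X.509 subject DN qualifies as a MongoDB
member certificate subject (non-empty O, OU or DC) and whether two members'
O/OU/DC values agree. Not part of the original thread."""
import re

# Attributes mongod inspects when deciding whether a certificate is a member cert.
MEMBER_ATTRS = ("O", "OU", "DC")


def parse_dn(dn):
    """Parse a subject DN into a list of (TYPE, value) pairs.

    Accepts the comma form used in mongod logs ("CN=mongod,O=Example"), the
    spaced form `openssl x509 -noout -subject` prints ("CN = mongod, O = Example")
    and the legacy slash form ("/CN=mongod/O=Example"). A leading "subject="
    is dropped. Commas escaped as "\\," inside a value are preserved.
    """
    dn = dn.strip()
    if dn.lower().startswith("subject="):
        dn = dn[len("subject="):].strip()
    if dn.startswith("/"):
        parts = [p for p in dn.split("/") if p]
    else:
        parts = re.split(r"(?<!\\),", dn)
    rdns = []
    for part in parts:
        if "=" not in part:
            raise ValueError("malformed RDN: %r" % part)
        attr, value = part.split("=", 1)
        rdns.append((attr.strip().upper(), value.strip().replace("\\,", ",")))
    return rdns


def member_attrs(dn):
    """Non-empty O/OU/DC attributes of a DN, sorted so two DNs can be compared."""
    return tuple(sorted((a, v) for a, v in parse_dn(dn) if a in MEMBER_ATTRS and v))


def check_member_subject(dn):
    """Return (ok, message) for the O/OU/DC rule quoted in the answer above."""
    attrs = member_attrs(dn)
    if not attrs:
        return False, ("%s has no non-empty O, OU or DC attribute, so mongod will "
                       "not treat it as a member certificate and will instead look "
                       "up a $external user with that DN" % dn)
    return True, "%s qualifies as a member certificate subject (%s)" % (
        dn, ", ".join("%s=%s" % av for av in attrs))


def same_cluster(dn_a, dn_b):
    """True when two member DNs carry identical O/OU/DC values; MongoDB requires
    this of every member of one replica set (MongoDB docs, not this thread)."""
    return member_attrs(dn_a) == member_attrs(dn_b)


def subject_from_log(line):
    """Pull the DN out of a 'Failed to authenticate <DN>@$external' log line."""
    m = re.search(r"Failed to authenticate (.+?)@\$external", line)
    return m.group(1) if m else None


# The failing line from the secondary's log in the question.
LOG_LINE = ("2018-07-03T10:48:45.703+0000 I ACCESS   [conn9] Failed to authenticate "
            "CN=mongod@$external from client 172.17.0.1:46328 with mechanism "
            "MONGODB-X509: UserNotFound: Could not find user CN=mongod@$external")

# Constructed subjects: the one the question's log reveals, and two that would
# satisfy the rule (illustrative OU/O values, not taken from the thread).
BAD_SUBJECT = subject_from_log(LOG_LINE)
GOOD_SUBJECTS = ("CN=node1.mongod,OU=replset,O=Example",
                 "subject=CN = node2.mongod, OU = replset, O = Example")

if __name__ == "__main__":
    for dn in (BAD_SUBJECT,) + GOOD_SUBJECTS:
        print(check_member_subject(dn)[1])
    print("members share O/OU/DC:", same_cluster(*GOOD_SUBJECTS))
```

Run it against the subject line of each node's certificate before restarting mongod with `clusterAuthMode: x509`; every member must pass `check_member_subject`, and every pair must pass `same_cluster`.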