MongoDB replica set members cannot join the cluster over SSL

Problem description

I have configured a 3-node MongoDB replica set. Below is the MongoDB.conf file; the replica set members cannot join the cluster.

systemLog:
  destination: file
  logAppend: true
  path: /var/log/mongodb/mongod.log

storage:
  dbPath: /data/iddi
  journal:
    enabled: true

# how the process runs
processManagement:
  fork: true  # fork and run in background
  pidFilePath: /var/run/mongodb/mongod.pid  # location of pidfile
  timeZoneInfo: /usr/share/zoneinfo

net:
  port: 27017
  bindIp: 0.0.0.0
  ssl:
      mode: requireSSL
      PEMKeyFile: /etc/ssl/mongodb.pem
      CAFile: /etc/ssl/CA.pem
      clusterFile: /etc/ssl/mongodb.pem

security:
  keyFile: /opt/mongo-keyfile
  # authorization: enabled
  clusterAuthMode: x509


replication:
  replSetName: mongod

Below are the logs from the primary and the secondary servers.

2018-07-03T12:08:56.107+0000 I REPL_HB  [replexec-3] Error in heartbeat (requestId: 8090) to node1.mongod:27018, response status: Unauthorized: command replSetHeartbeat requires authentication
2018-07-03T12:08:56.606+0000 I REPL_HB  [replexec-3] Error in heartbeat (requestId: 8091) to node2.mongod:27019, response status: Unauthorized: command replSetHeartbeat requires authentication
2018-07-03T12:08:56.607+0000 I REPL_HB  [replexec-3] Error in heartbeat (requestId: 8092) to node1.mongod:27018, response status: Unauthorized: command replSetHeartbeat requires authentication
2018-07-03T12:08:57.106+0000 I REPL_HB  [replexec-3] Error in heartbeat (requestId: 8093) to node2.mongod:27019, response status: Unauthorized: command replSetHeartbeat requires authentication
2018-07-03T12:08:57.107+0000 I REPL_HB  [replexec-3] Error in heartbeat (requestId: 8094) to node1.mongod:27018, response status: Unauthorized: command replSetHeartbeat requires authentication

Secondary server log

2018-07-03T10:48:45.695+0000 I ACCESS   [conn8] Failed to authenticate CN=mongod@$external from client 172.17.0.1:46320 with mechanism MONGODB-X509: UserNotFound: Could not find user CN=mongod@$external
2018-07-03T10:48:45.696+0000 I NETWORK  [conn8] end connection 172.17.0.1:46320 (0 connections now open)
2018-07-03T10:48:45.697+0000 I NETWORK  [listener] connection accepted from 172.17.0.1:46328 #9 (1 connection now open)
2018-07-03T10:48:45.702+0000 I NETWORK  [conn9] received client metadata from 172.17.0.1:46328 conn9: { driver: { name: "NetworkInterfaceTL", version: "4.0.0" }, os: { type: "Linux", name: "CentOS Linux release 7.4.1708 (Core) ", architecture: "x86_64", version: "Kernel 3.10.0-862.el7.x86_64" } }
2018-07-03T10:48:45.703+0000 I ACCESS   [conn9]  authenticate db: $external { authenticate: 1, mechanism: "MONGODB-X509", user: "CN=mongod", $db: "$external" }
2018-07-03T10:48:45.703+0000 I ACCESS   [conn9] Failed to authenticate CN=mongod@$external from client 172.17.0.1:46328 with mechanism MONGODB-X509: UserNotFound: Could not find user CN=mongod@$external
2018-07-03T10:53:35.211+0000 I CONTROL  [LogicalSessionCacheReap] Sessions collection is not set up; waiting until next sessions reap interval: Replication has not yet been configured

Tags: mongodb, ssl, mongodb-query

Solution


The member certificate used for internal authentication between cluster members (in this case /etc/ssl/mongodb.pem) needs more attributes in its subject. From the MongoDB documentation:

The Distinguished Name (DN), found in the member certificate's subject, must specify a non-empty value for at least one of the following attributes: Organization (O), Organizational Unit (OU) or Domain Component (DC).

A good tutorial (with some proper explanation) on how to generate these certificates can be found here.
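The following is an added example, not code from the original post or from MongoDB: a small checker that takes certificate subjects as DN strings (for instance the `subject=` line printed by `openssl x509 -noout -subject`) and applies the two membership rules from the MongoDB documentation: a member certificate's subject must carry a non-empty O, OU or DC, and the O, OU and DC values must match across every member of the cluster. The sample subjects are constructed; the first one is the CN-only subject that appears in the secondary's log above, which is exactly the shape the rules reject.

```python
"""Check X.509 subjects against MongoDB's member-certificate rules.

Added example (not the original post's code). Encodes two rules from the
MongoDB x.509 membership documentation: at least one non-empty O / OU / DC
in the subject, and O / OU / DC identical across all cluster members.
"""
import re
import sys
from typing import Dict, List, Tuple

# Attributes MongoDB uses to decide cluster membership (RFC 4514 short names).
MEMBERSHIP_ATTRS = ("O", "OU", "DC")

# Constructed sample subjects. The first is the CN-only subject from the log
# in the question; the last deliberately disagrees on OU with the others.
SAMPLE_SUBJECTS = [
    "CN=mongod",
    "CN=node1.mongod,OU=replset,O=Example Corp",
    "CN=node2.mongod,OU=replset,O=Example Corp",
    "CN=node3.mongod,OU=other-team,O=Example Corp",
]


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split an RFC 4514 style DN into (TYPE, value) pairs.

    Accepts the 'subject=' prefix that openssl prints, tolerates spaces
    around '=', and honours backslash-escaped commas inside values.
    """
    dn = dn.strip()
    if dn.lower().startswith("subject="):
        dn = dn[len("subject="):]
    pairs = []
    for rdn in re.split(r"(?<!\\),", dn):
        rdn = rdn.strip()
        if not rdn:
            continue
        if "=" not in rdn:
            raise ValueError(f"malformed RDN: {rdn!r}")
        attr, value = rdn.split("=", 1)
        pairs.append((attr.strip().upper(), value.strip().replace("\\,", ",")))
    return pairs


def membership_attrs(dn: str) -> Dict[str, List[str]]:
    """Collect the non-empty O / OU / DC values of a subject, in order."""
    found: Dict[str, List[str]] = {attr: [] for attr in MEMBERSHIP_ATTRS}
    for attr, value in parse_dn(dn):
        if attr in found and value:
            found[attr].append(value)
    return found


def member_cert_subject_ok(dn: str) -> bool:
    """Rule 1: the subject must carry at least one non-empty O, OU or DC."""
    return any(membership_attrs(dn).values())


def cluster_members_consistent(dns: List[str]) -> bool:
    """Rule 2: every member must present the same O, OU and DC values."""
    signatures = {tuple(map(tuple, membership_attrs(dn).values())) for dn in dns}
    return len(signatures) == 1


if __name__ == "__main__":
    # Pass DN strings as arguments, e.g. the output of
    # openssl x509 -in /etc/ssl/mongodb.pem -noout -subject
    subjects = sys.argv[1:] or SAMPLE_SUBJECTS
    for subject in subjects:
        verdict = "ok" if member_cert_subject_ok(subject) else "REJECTED (no O/OU/DC)"
        print(f"{subject!r}: {verdict}")
    if len(subjects) > 1:
        print("O/OU/DC consistent across members:", cluster_members_consistent(subjects))
```

Run it against each node's certificate subject before restarting the members; a subject that prints `REJECTED` is the one that will produce the `UserNotFound` failure for `CN=...@$external` seen in the log, and a `False` consistency result means the members would not recognise each other even though each certificate passes rule 1 on its own.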

