'mongosh' cannot connect to a MongoDB TLS cluster, but 'mongo' can -- MongoServerSelectionError: Hostname/IP does not match certificate's altnames

vlurs2pr posted on 2022-12-12 in Go

Metadata

Versions:
Ubuntu Focal
MongoDB 5.0.14
mongod started with the arguments:

/usr/bin/mongod --bind_ip_all --replSet=mongodb --auth --tlsCAFile=/etc/mongodb/external-ca.crt --tlsCertificateKeyFile=/etc/mongodb/external-cert.pem --tlsMode=preferTLS --clusterAuthMode=x509 --tlsAllowInvalidCertificates --tlsClusterCAFile=/etc/mongodb/internal-ca.crt --tlsClusterFile=/etc/mongodb/internal-cert.pem

Problem

Problem: cannot connect to a TLS-enabled replica set via mongosh
I enabled TLS on a replica set with two hosts. When I try:

sudo mongosh 'mongodb://<username>:<password>@<my ip>/admin?replicaSet=mongodb'  --tls --tlsCAFile /etc/mongodb/external-ca.crt --tlsCertificateKeyFile /etc/mongodb/external-cert.pem

I get:

MongoServerSelectionError: Hostname/IP does not match certificate's altnames: IP: <my ip> is not in the cert's list:

My logs show this IP is present in "certificateNames":

{"t":{"$date":"2022-12-07T09:05:19.935Z"},"s":"E",  "c":"NETWORK",  "id":23257,   "ctx":"ReplicaSetMonitor-TaskExecutor","msg":"The server certificate does not match the remote host name","attr":{"remoteHost":"juju-29df15-1","certificateNames":"SAN(s): mongodb-0, juju-29df15-1.lxd, mongodb-0.mongodb-endpoints, <my-ip>, CN:  <my-ip>"}}

What else I have tried
If I use mongo instead of mongosh:

sudo mongo 'mongodb://admin:5zymveLpT3rOlD6WACEuNM0wTJaNJTax@juju-29df15-1.lxd/admin?replicaSet=mongodb'  --tls --tlsCAFile /etc/mongodb/external-ca.crt --tlsCertificateKeyFile /etc/mongodb/external-cert.pem

After logging a few messages, this appears to connect; in particular:

connecting to: mongodb://10.23.62.38:27017/admin?compressors=disabled&gssapiServiceName=mongodb&replicaSet=mongodb
{"t":{"$date":"2022-12-07T09:21:01.646Z"},"s":"W",  "c":"NETWORK",  "id":23237,   "ctx":"ReplicaSetMonitor-TaskExecutor","msg":"You have an IP Address in the DNS Name field on your certificate. This formulation is deprecated."}
{"t":{"$date":"2022-12-07T09:21:01.652Z"},"s":"W",  "c":"NETWORK",  "id":23237,   "ctx":"ReplicaSetMonitor-TaskExecutor","msg":"You have an IP Address in the DNS Name field on your certificate. This formulation is deprecated."}
{"t":{"$date":"2022-12-07T09:21:01.654Z"},"s":"W",  "c":"NETWORK",  "id":23237,   "ctx":"ReplicaSetMonitor-TaskExecutor","msg":"You have an IP Address in the DNS Name field on your certificate. This formulation is deprecated."}
{"t":{"$date":"2022-12-07T09:21:01.662Z"},"s":"W",  "c":"NETWORK",  "id":23237,   "ctx":"js","msg":"You have an IP Address in the DNS Name field on your certificate. This formulation is deprecated."}
{"t":{"$date":"2022-12-07T09:21:01.664Z"},"s":"W",  "c":"NETWORK",  "id":23237,   "ctx":"ReplicaSetMonitor-TaskExecutor","msg":"You have an IP Address in the DNS Name field on your certificate. This formulation is deprecated."}
Implicit session: session { "id" : UUID("97e7e144-1bd7-4a94-b33d-958da2507bec") }
MongoDB server version: 5.0.14
================
Warning: the "mongo" shell has been superseded by "mongosh",
which delivers improved usability and compatibility.The "mongo" shell has been deprecated and will be removed in
an upcoming release.
For installation instructions, see
https://docs.mongodb.com/mongodb-shell/install/
================
---
The server generated these startup warnings when booting:
        2022-12-06T16:56:40.822+00:00: Using the XFS filesystem is strongly recommended with the WiredTiger storage engine. See http://dochub.mongodb.org/core/prodnotes-filesystem
        2022-12-06T16:56:42.686+00:00: While invalid X509 certificates may be used to connect to this server, they will not be considered permissible for authentication
---
---
        Enable MongoDB's free cloud-based monitoring service, which will then receive and display
        metrics about your deployment (disk utilization, CPU, operation statistics, etc).

        The monitoring data will be available on a MongoDB website with a unique URL accessible to you
        and anyone you share the URL with. MongoDB may use this information to make product
        improvements and to suggest MongoDB products and deployment options to you.

        To enable free monitoring, run the following command: db.enableFreeMonitoring()
        To permanently disable this reminder, run the following command: db.disableFreeMonitoring()
---
mongodb:PRIMARY>

I can then run commands in this shell.

Questions

So I have two questions:
1. Why can I connect with mongo but not with mongosh?
2. If <my-ip> is visible in "certificateNames", why do I get the error MongoServerSelectionError: Hostname/IP does not match certificate's altnames: IP: <my ip> is not in the cert's list:

pftdvrlh 1#

I have no answer for 1. (why can I connect with mongo but not with mongosh).
But for 2., this error occurs because, when the certificate signing request was created, the IP address was supplied as a DNS subject alternative name. To fix it, I created the certificate signing request using the IP address as an IP alternative name.
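The following is an added example, not code from the question, the answer, or MongoDB; it models the check behind the error above: a strict validator (mongosh, whose TLS hostname check comes from Node.js) only matches an IP target against IP-type SANs, while the legacy mongo shell tolerated an IP literal stored in a DNS SAN and merely logged the id 23237 warning. The SAN strings are constructed from the log in the question, in the format printed by `openssl x509 -in cert.pem -noout -ext subjectAltName`, so a real certificate's output can be pasted in.

```python
import ipaddress


def parse_san(san_text):
    """Parse 'DNS:a, IP Address:1.2.3.4' (openssl output) into (type, value) pairs."""
    out = []
    for item in san_text.split(","):
        kind, _, value = item.strip().partition(":")
        kind = kind.strip().upper().replace(" ADDRESS", "")  # 'IP Address' -> 'IP'
        out.append((kind, value.strip()))
    return out


def dns_match(pattern, host):
    """RFC 6125 style: case-insensitive exact match, or '*' covering only the left-most label."""
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not p.startswith("*."):
        return p == h
    p_labels, h_labels = p.split("."), h.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def cert_matches_host(san_text, host, strict=True):
    """strict=True: an IP target matches only IP SANs (mongosh / Node behaviour).
    strict=False: also accept the IP literal in a DNS SAN (legacy mongo behaviour)."""
    sans = parse_san(san_text)
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None  # host is a DNS name
    if ip is None:
        return any(k == "DNS" and dns_match(v, host) for k, v in sans)
    for kind, value in sans:
        if kind == "IP":
            try:
                if ipaddress.ip_address(value) == ip:
                    return True
            except ValueError:
                continue  # malformed IP SAN; never matches
        elif kind == "DNS" and not strict and value == host:
            return True  # deprecated formulation the legacy shell tolerated
    return False


# Constructed SAN lists: the IP from the question's log, first as a DNS entry
# (the failing certificate), then as an IP entry (the answer's fix).
BROKEN_SAN = "DNS:mongodb-0, DNS:juju-29df15-1.lxd, DNS:mongodb-0.mongodb-endpoints, DNS:10.23.62.38"
FIXED_SAN = "DNS:mongodb-0, DNS:juju-29df15-1.lxd, DNS:mongodb-0.mongodb-endpoints, IP Address:10.23.62.38"
```

Connecting by the hostname juju-29df15-1.lxd matches either certificate, which is why switching from the IP to the DNS name in the URI is the other workaround; only the IP SAN makes connecting by IP pass the strict check.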
