
MongoDB Cluster upgrade to use SSL/TLS failed

I created a MongoDB cluster with replica sets and added a user such as admin, without SSL, following the link below.

After creating the cluster without SSL, I tried to upgrade it to use SSL following the MongoDB Manual for 4.5 and other links, but I couldn't find a clear answer or guide.
Below are the links I referred to.

I just configured the conf files (for example sh011.conf) following the manuals and guides, and started the servers, but only the csrs instances seem to have started, because I couldn't find the other instances' port numbers.

1. sh011.conf

sharding:
  clusterRole: shardsvr
replication:
  replSetName: sh01
net:
  bindIpAll: true
  port: 27011
  tls:
    mode: requireTLS
    certificateKeyFile: C:\database\MongoDB\Server\4.4\bin\certifications\test-server1.pem
    CAFile: C:\database\MongoDB\Server\4.4\bin\certifications\test-ca.pem
systemLog:
  destination: file
  path: sh01/sh011/log/sh011.log
  logAppend: true
storage:
  dbPath: sh01/sh011/db/

2. mongos.conf

sharding:
  configDB: csrs/WIN-BKEV4AO0KED:26001,WIN-BKEV4AO0KED:26002,WIN-BKEV4AO0KED:26003
net:
  bindIpAll: true
  port: 26000
  tls:
    mode: requireTLS
    certificateKeyFile: C:\database\MongoDB\Server\4.4\bin\certifications\test-server1.pem
    CAFile: C:\database\MongoDB\Server\4.4\bin\certifications\test-ca.pem
systemLog:
  destination: file
  path: router/log/mongos.log
  logAppend: true
security:
  authorization: enabled
  clusterAuthMode: x509

3. "netstat -an" output

C:\database\MongoDB\Server\4.4\bin>netstat -an

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:22             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5357           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5432           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5985           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:26001          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:26002          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:26003          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:47001          0.0.0.0:0              LISTENING

When I checked the log files, each shard node had an SSL error like below:

{"t":{"$date":"2022-05-09T14:34:54.933+09:00"},"s":"I",  "c":"NETWORK",  "id":4712102, "ctx":"ReplicaSetMonitor-TaskExecutor","msg":"Host failed in replica set","attr":{"replicaSet":"csrs","host":"WIN-BKEV4AO0KED:26001","error":{"code":6,"codeName":"HostUnreachable","errmsg":"Error connecting to WIN-BKEV4AO0KED:26001 (192.168.100.202:26001) :: caused by :: SSL peer certificate validation failed: (80096004)The signature of the certificate cannot be verified."},"action":{"dropConnections":true,"requestImmediateCheck":false,"outcome":{"host":":26001","success":false}}}}
{"t":{"$date":"2022-05-09T14:34:55.164+09:00"},"s":"I",  "c":"-",        "id":4333222, "ctx":"ReplicaSetMonitor-TaskExecutor","msg":"RSM received failed isMaster","attr":{"host":"WIN-BKEV4AO0KED:26003","error":"HostUnreachable: Error connecting to WIN-BKEV4AO0KED:26003 (192.168.100.202:26003) :: caused by :: SSL peer certificate validation failed: (80096004)The signature of the certificate cannot be verified.","replicaSet":"csrs","isMasterReply":"{}"}}

I thought the cause of the issue was related to host names, so I configured the hosts file.
Then I re-created the certificate files for the CA, server and client following the manual.

1. openssl-test-server.conf

[ alt_names ]
DNS.1 = WIN-BKEV4AO0KED
IP.1 = 192.168.100.202

[ req_dn ]
countryName = Country Name (2 letter code)
countryName_default = AA
countryName_min = 2
countryName_max = 2

stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = City
stateOrProvinceName_max = 64

localityName = Locality Name (eg, city)
localityName_default = City
localityName_max = 64

organizationName = Organization Name (eg, company)
organizationName_default = DevCompany
organizationName_max = 64

organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = Dev
organizationalUnitName_max = 64

commonName = Common Name (eg, YOUR name)
commonName_default = WIN-BKEV4AO0KED
commonName_max = 64

But mongos and the other instances still do not start.
In the end, I think some configuration is wrong. I want to know what I missed or got wrong for SSL.
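The log lines above report SChannel error 80096004 (TRUST_E_CERT_SIGNATURE, "The signature of the certificate cannot be verified"): the connecting node could not validate the peer's server certificate against the CA it trusts. The following script is an added example, not code from the question or its answer, showing how to check the certificate material offline with the openssl CLI before any mongod or mongos is started. It generates a throw-away CA, signs a server certificate whose SAN carries the host name and IP from the question's openssl-test-server.conf, then regenerates the CA (same subject, new key, which is what re-creating test certificates produces) and shows that the old server certificate no longer verifies against the new CA file. It assumes openssl is on PATH; the host name, IP and file names are taken from the question, and the "old"/"new" CA prefixes are hypothetical.

```shell
#!/bin/sh
# Added example, not part of the original post. Offline pre-flight check for the
# files a mongod/mongos node is given as net.tls.certificateKeyFile and
# net.tls.CAFile, using only the openssl CLI.
#
# Assumptions (not from the page): openssl is on PATH; the host name and IP are
# the ones in the question's openssl-test-server.conf; the CAs and keys made
# here are throw-away test material, not the author's real PKI.
set -u

HOST_NAME="WIN-BKEV4AO0KED"
HOST_IP="192.168.100.202"
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# make_ca PREFIX: self-signed test CA written to $WORK/PREFIX-ca.{key,crt}.
# Every CA made here deliberately has the SAME subject DN: regenerating a test
# CA (as the question describes) yields exactly such a look-alike CA with a
# different key, and certificates signed by the old key will not verify.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$WORK/$1-ca.key" -out "$WORK/$1-ca.crt" \
        -subj "/C=AA/O=DevCompany/OU=Dev/CN=DevCompany Test CA" >/dev/null 2>&1
}

# make_server_pem PREFIX: server key + certificate signed by CA PREFIX, written
# as the single key+cert PEM that certificateKeyFile expects, with the SAN
# entries a TLS peer matches the host name / IP against.
make_server_pem() {
    cat > "$WORK/server.cnf" <<EOF
[ req ]
prompt = no
distinguished_name = req_dn
req_extensions = v3_req
[ req_dn ]
C = AA
O = DevCompany
OU = Dev
CN = $HOST_NAME
[ v3_req ]
subjectAltName = @alt_names
extendedKeyUsage = serverAuth, clientAuth
[ alt_names ]
DNS.1 = $HOST_NAME
IP.1 = $HOST_IP
EOF
    openssl req -new -newkey rsa:2048 -nodes -config "$WORK/server.cnf" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1
    openssl x509 -req -days 365 -in "$WORK/server.csr" \
        -CA "$WORK/$1-ca.crt" -CAkey "$WORK/$1-ca.key" -CAcreateserial \
        -extfile "$WORK/server.cnf" -extensions v3_req \
        -out "$WORK/server.crt" >/dev/null 2>&1
    cat "$WORK/server.key" "$WORK/server.crt" > "$WORK/test-server1.pem"
}

# verify_chain CAFILE: prints "ok" when the server certificate chains to the
# CA in CAFILE, otherwise "FAIL: <openssl reason>". The reason text for a
# look-alike CA is "certificate signature failure" or "unable to get local
# issuer certificate", depending on the OpenSSL version and key identifiers.
verify_chain() {
    out="$(openssl verify -CAfile "$1" "$WORK/server.crt" 2>&1)" && { echo ok; return 0; }
    reason="$(printf '%s\n' "$out" | sed -n 's/.*depth lookup: *//p' | head -n 1)"
    echo "FAIL: ${reason:-$out}"
    return 1
}

# san_has NAME: succeeds if the server certificate's SAN lists DNS:NAME or
# IP Address:NAME. A chain that verifies is still rejected by the peer when
# the name it connected to is not covered by the certificate.
san_has() {
    openssl x509 -in "$WORK/server.crt" -noout -text \
        | grep -A1 'Subject Alternative Name' \
        | grep -Eq "(DNS|IP Address):$1(,|\$)"
}

# pem_has_key_and_cert FILE: certificateKeyFile must carry both the private
# key and the certificate in one PEM; a certificate-only file is unusable.
pem_has_key_and_cert() {
    grep -q 'BEGIN CERTIFICATE' "$1" && grep -q 'PRIVATE KEY' "$1"
}

# Demonstration: sign the server certificate with CA "old", regenerate the CA
# as "new" (same DN, new key), then verify against each CA file.
make_ca old
make_ca new
make_server_pem old
echo "PEM has key and cert : $(pem_has_key_and_cert "$WORK/test-server1.pem" && echo yes || echo no)"
echo "SAN covers $HOST_NAME : $(san_has "$HOST_NAME" && echo yes || echo no)"
echo "verify against old CA: $(verify_chain "$WORK/old-ca.crt")"
echo "verify against new CA: $(verify_chain "$WORK/new-ca.crt")"
```

Run this on any machine with openssl against the real test-server1.pem and test-ca.pem (point verify_chain at the CA file and replace the generated server.crt with the certificate half of the PEM) before copying the files to the Windows nodes; if the chain does not verify here, SChannel on the nodes will reject it as well.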

Finally, I found the cause of the issue and how to start the MongoDB cluster with SSL myself.

First, the root cause is that I couldn't start the MongoDB instances (mongos, mongod) with SSL enabled because I missed some parameters when starting them, like below:

  1. before start command

    $ mongod -f csrs1.conf

  2. modified start command

    $ mongod -f csrs1.conf --tlsMode requireTLS --tlsCertificateKeyFile test-server1.pem --tlsCAFile test-ca.pem

Note: I did not set up MongoDB as a service and just controlled it through the command prompt.

When I generated the certificates based on the default settings and started each MongoDB instance with the new command, it worked fine.

I also tried modifying the START.bat file for convenience to use the new command above.
But that did not work, so I opened a prompt for each node and executed the start command manually.

I hope this information will help.
