MongoDB replica set members cannot join the cluster over SSL

Time: 2018-07-03 12:16:27

Tags: mongodb ssl mongodb-query

I have configured a MongoDB replica set; the following is the MongoDB.conf file used on the 3 nodes. The replica set members cannot join the cluster.

    systemLog:
      destination: file
      logAppend: true
      path: /var/log/mongodb/mongod.log

    storage:
      dbPath: /data/iddi
      journal:
        enabled: true

    # how the process runs
    processManagement:
      fork: true  # fork and run in background
      pidFilePath: /var/run/mongodb/mongod.pid  # location of pidfile
      timeZoneInfo: /usr/share/zoneinfo

    net:
      port: 27017
      bindIp: 0.0.0.0
      ssl:
        mode: requireSSL
        PEMKeyFile: /etc/ssl/mongodb.pem
        CAFile: /etc/ssl/CA.pem
        clusterFile: /etc/ssl/mongodb.pem

    security:
      keyFile: /opt/mongo-keyfile
      # authorization: enabled
      clusterAuthMode: x509

    replication:
      replSetName: mongod

Below are the logs of the primary and the secondary servers.

    2018-07-03T12:08:56.107+0000 I REPL_HB  [replexec-3] Error in heartbeat (requestId: 8090) to node1.mongod:27018, response status: Unauthorized: command replSetHeartbeat requires authentication
    2018-07-03T12:08:56.606+0000 I REPL_HB  [replexec-3] Error in heartbeat (requestId: 8091) to node2.mongod:27019, response status: Unauthorized: command replSetHeartbeat requires authentication
    2018-07-03T12:08:56.607+0000 I REPL_HB  [replexec-3] Error in heartbeat (requestId: 8092) to node1.mongod:27018, response status: Unauthorized: command replSetHeartbeat requires authentication
    2018-07-03T12:08:57.106+0000 I REPL_HB  [replexec-3] Error in heartbeat (requestId: 8093) to node2.mongod:27019, response status: Unauthorized: command replSetHeartbeat requires authentication
    2018-07-03T12:08:57.107+0000 I REPL_HB  [replexec-3] Error in heartbeat (requestId: 8094) to node1.mongod:27018, response status: Unauthorized: command replSetHeartbeat requires authentication

Secondary server log:

    2018-07-03T10:48:45.695+0000 I ACCESS   [conn8] Failed to authenticate CN=mongod@$external from client 172.17.0.1:46320 with mechanism MONGODB-X509: UserNotFound: Could not find user CN=mongod@$external
    2018-07-03T10:48:45.696+0000 I NETWORK  [conn8] end connection 172.17.0.1:46320 (0 connections now open)
    2018-07-03T10:48:45.697+0000 I NETWORK  [listener] connection accepted from 172.17.0.1:46328 #9 (1 connection now open)
    2018-07-03T10:48:45.702+0000 I NETWORK  [conn9] received client metadata from 172.17.0.1:46328 conn9: { driver: { name: "NetworkInterfaceTL", version: "4.0.0" }, os: { type: "Linux", name: "CentOS Linux release 7.4.1708 (Core) ", architecture: "x86_64", version: "Kernel 3.10.0-862.el7.x86_64" } }
    2018-07-03T10:48:45.703+0000 I ACCESS   [conn9]  authenticate db: $external { authenticate: 1, mechanism: "MONGODB-X509", user: "CN=mongod", $db: "$external" }
    2018-07-03T10:48:45.703+0000 I ACCESS   [conn9] Failed to authenticate CN=mongod@$external from client 172.17.0.1:46328 with mechanism MONGODB-X509: UserNotFound: Could not find user CN=mongod@$external
    2018-07-03T10:53:35.211+0000 I CONTROL  [LogicalSessionCacheReap] Sessions collection is not set up; waiting until next sessions reap interval: Replication has not yet been configured

1 answer:

Answer 0: (score: 2)

The member certificate used for the internal authentication of cluster members (in this case /etc/ssl/mongodb.pem) should have more attributes in its subject. From the MongoDB docs:

The Distinguished Name (DN) found in the subject of the member certificate must specify a non-empty value for at least one of the following attributes: Organization (O), Organizational Unit (OU), or Domain Component (DC).

A good tutorial (with proper explanations) on how to generate these certificates can be found here.
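As an added example (not code from the question, the answer, or the tutorial it links), here is a small Python check that applies the rule quoted above to certificate subjects in the form printed by `openssl x509 -noout -subject -nameopt RFC2253`. The sample subjects are constructed; the cross-member comparison of O/OU/DC follows the MongoDB x.509 membership docs rather than the answer text.

```python
import re
from typing import Dict, List

# Attributes of which at least one must be non-empty in a member certificate's subject.
MEMBER_ATTRS = ("O", "OU", "DC")


def parse_subject_dn(dn: str) -> Dict[str, List[str]]:
    """Parse an RFC 4514-style subject such as 'CN=node1.mongod,OU=db,O=Example'
    into attribute type -> list of values. Commas escaped as '\\,' stay in the value."""
    attrs: Dict[str, List[str]] = {}
    for rdn in re.split(r"(?<!\\),", dn):
        if "=" not in rdn:
            raise ValueError(f"malformed RDN: {rdn!r}")
        key, value = rdn.split("=", 1)
        attrs.setdefault(key.strip().upper(), []).append(value.strip().replace("\\,", ","))
    return attrs


def is_member_subject(dn: str) -> bool:
    """True if the subject qualifies as a cluster-member identity under the rule quoted
    in the answer: at least one non-empty O, OU or DC. A CN-only subject does not, so
    mongod falls back to looking it up as an ordinary x.509 user in $external and fails
    with UserNotFound, which is exactly what the secondary's log above shows."""
    attrs = parse_subject_dn(dn)
    return any(value for key in MEMBER_ATTRS for value in attrs.get(key, []))


def check_cluster_members(dns: List[str]) -> List[str]:
    """Apply the per-certificate rule to every member subject and additionally check
    (MongoDB docs requirement for x.509 membership) that the O, OU and DC values are
    identical across members; only CN is expected to differ. Returns findings."""
    findings: List[str] = []
    profiles = set()
    for dn in dns:
        if not is_member_subject(dn):
            findings.append(f"{dn}: no non-empty O, OU or DC, so it is not a member cert")
        attrs = parse_subject_dn(dn)
        profiles.add(tuple(tuple(sorted(attrs.get(key, []))) for key in MEMBER_ATTRS))
    if len(profiles) > 1:
        findings.append("O/OU/DC are not identical across member certificates")
    return findings


# Constructed sample subjects: the first set mirrors the poster's certificate (CN only,
# as seen in the log), the second is the shape the answer calls for.
AS_POSTED = ["CN=mongod", "CN=mongod", "CN=mongod"]
FIXED = ["CN=node1.mongod,OU=db,O=Example", "CN=node2.mongod,OU=db,O=Example"]

if __name__ == "__main__":
    for label, subjects in (("as posted", AS_POSTED), ("fixed", FIXED)):
        print(label, check_cluster_members(subjects) or "OK")
```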