Creating Replsets,Database and Users with TLS

[svbroeker]

I've discoverd a problem with creating replicasets, databases and users when TLS is enabled and the certificates doesn't include 127.0.0.1 as name.
The mongosh command is using 127.0.0.1 as host to connect but this is not working because the connection via tls doesn't work because the 127.0.0.1 isn't in.

This happens because the listening IPs are used for connections here:

puppet-mongodb/lib/puppet/provider/mongodb.rb

Line 85 in f1affe4

def self.conn_string

this works for nonTLS setups fine but with TLS it may break sometimes.

I think a solution can be that you can define the host for the mongosh to connect to mongodb. In my case it would help that he uses the fqdn to connect.

Error: /Stage[main]/Mongodb::Replset/Mongodb_replset[mongodb-standalone-cm12-dev]: Could not evaluate: Can't connect to any member of replicaset mongodb-standalone-cm12-dev. Error: Could not prefetch mongodb_database provider 'mongodb': Execution of '/usr/bin/mongosh admin --quiet --host 127.0.0.1:27017 --tls --tlsCertificateKeyFile /etc/ssl/mongo/server.pem --eval db.isMaster().ismaster' returned 1: MongoServerSelectionError: Hostname/IP does not match certificate's altnames: IP: 127.0.0.1 is not in the cert's list:
I've now made the work around to set allowInvalidHostnames: true but thats not a good way to handle this.

[svbroeker]

I've an idea to fix this issue but i dont have the experience to know if that works for all cases.

  def self.conn_string
    config = mongo_conf
    bindip = config.fetch('bindip')
    if bindip
      first_ip_in_list = bindip.split(',').first
      ip_real = case first_ip_in_list
                when '0.0.0.0'
                  Facter.value(:fqdn)
                when %r{\[?::0\]?}
                  '::1'
                else
                  first_ip_in_list
                end
    end

[stevenpost]

Isn't this going to be an issue when auth is enabled, as the initial setup needs to happen using localhost? That was the reason I changed the code to how it is now.

[stevenpost]

FWIW, my script to create the certificates adds 127.0.0.1 for this reason. So not sure how to get around this.

[FStelzer]

i think it's problematic that the mongosh command is completely built from the mongod config.
I had net.bindIP: ['::', '0.0.0.0'] and mongosh was trying to connect to :::27017 and complained about an invalid url...

mongosh_cmd has a "host" parameter, but i don't really get where it comes from and often is not passed at all
the is_master fact does much of the same thing, but simply uses facter.fqdn which might be correct but often does not correspond to the domain the clients use to access the cluster.

Either the puppet module should have an option to set the "host" globally for mongosh to connect to.
A maybe simpler (and what i've monkey-patched into my version) way is to only pass --tlsAllowInvalidHostnames to the mongosh puppet commands. This way you can connect to 127.0.0.1
I think it's not a big deal to allow this for the client in puppet. But i don't really want it in the mongod config.