Question Details

No question body available.

Tags

mongodb lets-encrypt

Answers (2)

Accepted Answer
February 25, 2026 Score: 3 Rep: 60,603 Quality: Expert Completeness: 100%

I guess your problem is a combination of these two issues:

  1. Let's Encrypt does not add extendedKeyUsage=clientAuth anymore

  2. MongoDB server ignored extendedKeyUsage settings for incoming connections - this behavior changed recently.

     Actually, I am the culprit. Sorry for that 😏, see extendedKeyUsage not honored in x509 certificates

Documentation of net.tls.clusterFile says:

If net.tls.clusterFile does not specify the .pem file for internal cluster authentication, the cluster uses the .pem file specified in the net.tls.certificateKeyFile setting.

So, since you do not specify clusterFile, mongod's outgoing connections use the certificateKeyFile certificate. However, this is a serverAuth certificate, which is not accepted anymore. I think you must set tlsWithholdClientCertificate: true, see tlsWithholdClientCertificate.

And you must set net.tls.allowConnectionsWithoutCertificates: true which you do already.

February 25, 2026 Score: 3 Rep: 60,603 Quality: Medium Completeness: 80%

I see two possible solutions.

Use keyFile for cluster authentication

security:
  keyFile: [path to keyfile]
  clusterAuthMode: keyFile
  authorization: enabled

You can create a keyfile easily for example with openssl:

openssl.exe rand -base64 96 > [path to keyfile]

Create the x509 client certificate on your own

# Create CA certificate
openssl req -x509 -noenc -keyout cluster-CA.key -subj "/CN=cluster-CA" -out cluster-CA.crt -addext "keyUsage=critical,keyCertSign,cRLSign"

Create certificate request

openssl req -new -noenc -keyout cluster.key -subj "/CN=mongoMember/O=Internet Security Research Group/C=US" -addext "keyUsage=digitalSignature,keyEncipherment" -addext "extendedKeyUsage=clientAuth" -out cluster.crs

Sign the certificate request

# -days: the default validity is only 30 days; -CAcreateserial: creates cluster-CA.srl if it does not exist yet
openssl x509 -req -in cluster.crs -CA cluster-CA.crt -CAkey cluster-CA.key -CAcreateserial -days 365 -copy_extensions=copyall -out cluster.crt

Combine key and certificate

cat cluster.crt cluster.key > cluster.pem

Add CA to CA-store

$ openssl version -d
OPENSSLDIR: "/etc/pki/tls"

cat cluster-CA.crt >> /etc/pki/tls/cert.pem

Be aware that the O, OU, and DC of your client certificate subject must be the same as in the server certificate you got from Let's Encrypt!

net:
  tls:
    mode: requireTLS
    certificateKeyFile: /etc/mongodb/ssl/private/mongodb-tls.pem
    clusterFile: cluster.pem
    CAFile: /etc/pki/tls/cert.pem
    allowConnectionsWithoutCertificates: true

or if you don't add cluster-CA.crt to /etc/pki/tls/cert.pem

net:
  tls:
    mode: requireTLS
    certificateKeyFile: /etc/mongodb/ssl/private/mongodb-tls.pem
    clusterFile: cluster.pem
    CAFile: /etc/pki/tls/cert.pem
    clusterCAFile: cluster-CA.crt
    allowConnectionsWithoutCertificates: true

See also How Security in MongoDB works (using x.509 cert)
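A small pre-flight check for the two failure modes the answers describe (a clusterFile certificate without the clientAuth EKU, and the O/OU/DC match the second answer warns about), added here as an example and not part of either answer. It parses the output of `openssl x509 -noout -subject -nameopt RFC2253 -ext extendedKeyUsage`; the two sample outputs and the hostname in them are constructed, and the check that at least one of O/OU/DC is present reflects MongoDB's membership requirement rather than anything stated on this page.

```python
from typing import Dict, List, Tuple

# Summary text is produced with (OpenSSL >= 1.1.1 for -ext):
#   openssl x509 -noout -subject -nameopt RFC2253 -ext extendedKeyUsage -in cert.pem
MEMBERSHIP_ATTRS = ("O", "OU", "DC")   # subject attributes mongod compares between members

# Constructed sample outputs (no real certificates): a Let's Encrypt-style leaf that now
# carries only serverAuth, and the cluster.pem produced by the answer's CSR.
LE_SERVER = """subject=CN=mongo1.example.test
X509v3 Extended Key Usage:
    TLS Web Server Authentication
"""
SELF_SIGNED_CLUSTER = """subject=C=US,O=Internet Security Research Group,CN=mongoMember
X509v3 Extended Key Usage:
    TLS Web Client Authentication
"""

def parse_openssl_summary(text: str) -> Tuple[Dict[str, List[str]], List[str]]:
    """Return ({attribute: [values]}, [EKU names]); RFC2253 escaped commas not handled."""
    subject: Dict[str, List[str]] = {}
    ekus: List[str] = []
    in_eku = False
    for line in text.splitlines():
        if line.startswith("subject="):
            for rdn in line[len("subject="):].split(","):
                key, _, value = rdn.partition("=")
                subject.setdefault(key.strip(), []).append(value.strip())
        elif line.startswith("X509v3 Extended Key Usage"):
            in_eku = True                      # EKU names follow on indented lines
        elif in_eku and line.startswith(" "):
            ekus.extend(e.strip() for e in line.split(",") if e.strip())
        else:
            in_eku = False
    return subject, ekus

def membership_issues(server_summary: str, cluster_summary: str) -> List[str]:
    """Why a mongod using server_summary's cert would reject cluster_summary's cert as a member."""
    server_subj, _ = parse_openssl_summary(server_summary)
    cluster_subj, cluster_eku = parse_openssl_summary(cluster_summary)
    issues = []
    if "TLS Web Client Authentication" not in cluster_eku:
        issues.append("clusterFile certificate lacks extendedKeyUsage=clientAuth")
    if not any(cluster_subj.get(a) for a in MEMBERSHIP_ATTRS):
        issues.append("clusterFile certificate has none of O/OU/DC in its subject")
    for attr in MEMBERSHIP_ATTRS:   # the answer's rule: O, OU and DC must match
        s, c = sorted(server_subj.get(attr, [])), sorted(cluster_subj.get(attr, []))
        if s != c:
            issues.append(f"{attr} differs: server={s} cluster={c}")
    return issues
```

`membership_issues(LE_SERVER, LE_SERVER)` reproduces the accepted answer's situation (no clusterFile, so the Let's Encrypt certificate is presented as the client certificate), while `membership_issues(LE_SERVER, SELF_SIGNED_CLUSTER)` shows the O mismatch the second answer warns about.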