we have a problem with the mongo java driver and the monitoring thread.
We are running a 3 server replicaset and connect our spring boot microservices by using the hostnames.
mongodb://<username>:<password>@A:27017,B:27017,C:27017/?tls=true
Up until now we always used the non-reactive mongo driver and everything is working fine. However I now wanted to use the reactive/netty version and we’re getting a java.security.cert.CertificateException because it tries to validate the alternative names by IP instead of the hostnames.
I debugged through the the libraries and were able to see that when the Monitoring threads for Replicaset threads start, they are receiving the {hello: 1} with IPs instead of hostnames.
- Monitoring threads connect through hostnames –> Everything works
- With the first status request of the monitoring threads, they receive the hosts as IPs
- Mongo driver updates replicaset of monitoring cluster with IP addresses and removes hostnames
- New monitoring threads for IPs are started and try hello command
- Command fails because of hostname verification by IP
Seems like this works for non-reactive because the IP is resolved by Inet4Address and therefore gets the correct hostname again.
Does anyone have a solution for this? Apart from
- Adding IPs as alternative names to certificates (IPs may change)
- Allowing invalid hostnames (sslInvalidHostNameAllowed option)
Is there maybe something we configure on server-side so the mongo return hostnames instead of IPs?
Thanky you in advance.
Advertisement
Answer
Apparently our replicaset was misconfigured in one of our environments. The bindIp was set to the ip address and not hostname (which probably makes no difference), but the replicaset was also initialized with ip addresses instead of hostnames.
After updating all members host’s property to the hostname it works like expected.