So I have this MongoDB (3.0.x) replicaSet hosted with a cloud provider called "NodeChef".
To my knowledge, and after scouring the documentation, I have no access at all to the underlying host(s).
I want to add a host which I fully manage on my own to said replica set. I already contacted NodeChef support and asked for the "full set of credentials" needed for this operation. They answered that I should already have everything needed and that they know of customers running such a configuration.
Now, ideally this solution would work for X.509 authentication, but I would settle for storedKey (SCRAM-SHA-1), if that is any easier.
Problem in the X.509 case: For all I know, I will have to have a certificate (private key) which matches the certificate on the existing hosts in both O's and signing CA. I can download the public key file for the CA, so I know this is Let's Encrypt. Connecting to the cluster using openssl s_client instead of the mongo client gives me the following:
    subject=/CN=*.nodechef.com
    issuer=/C=US/O=Let's Encrypt/CN=R3
    ---
    Acceptable client certificate CA names
    /O=Digital Signature Trust Co./CN=DST Root CA X3
    /C=US/O=Internet Security Research Group/CN=ISRG Root X1
    /C=US/O=Let's Encrypt/CN=R3
I think I could craft a signing request for that, but I can see no way to get that signed by the appropriate authority.
Problem in the keyFile case: I have no idea where to get the shared secret which needs to go into the keyfile, despite the support agent telling me I have access to all secrets needed.
I added the new host to the replicaSet according to this documentation: https://docs.mongodb.com/v3.0/reference/method/rs.add/
The error message I get in the storedKey case is always:
I ACCESS [conn2119] SCRAM-SHA-1 authentication failed for __system on local from client 95.179.166.84 ; AuthenticationFailed SCRAM-SHA-1 authentication failed, storedKey mismatch
The rs is running MongoDB 3.0.x. The new host is running in a Docker image of mongo:3.0.x on an AWS EC2 instance.
Would be grateful for any pointers.
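
Added example, not part of the original post and not MongoDB's own code: a sketch of the SCRAM-SHA-1 check (RFC 5802) behind the "storedKey mismatch" log line above, showing that a member proving knowledge of a different shared secret is rejected at the StoredKey comparison. It assumes the keyFile contents act as the password of the __system user and are pre-hashed in MongoDB's "user:mongo:password" MD5 form; the secrets, salt, iteration count and auth message are constructed values.

```python
import hashlib
import hmac

def mongo_digest(user: str, secret: str) -> bytes:
    # Assumption: MongoDB's SCRAM-SHA-1 uses hex(md5("user:mongo:password")) as the SCRAM password.
    return hashlib.md5(f"{user}:mongo:{secret}".encode()).hexdigest().encode()

def client_key(secret: str, salt: bytes, iterations: int) -> bytes:
    # RFC 5802: SaltedPassword = Hi(password, salt, i), which is PBKDF2-HMAC-SHA1 with a 20-byte output.
    salted = hashlib.pbkdf2_hmac("sha1", mongo_digest("__system", secret), salt, iterations)
    return hmac.new(salted, b"Client Key", hashlib.sha1).digest()

def stored_key(secret: str, salt: bytes, iterations: int) -> bytes:
    # StoredKey = H(ClientKey); this is what the verifying member holds.
    return hashlib.sha1(client_key(secret, salt, iterations)).digest()

def client_proof(secret: str, salt: bytes, iterations: int, auth_message: bytes) -> bytes:
    # ClientProof = ClientKey XOR HMAC(StoredKey, AuthMessage)
    ck = client_key(secret, salt, iterations)
    sig = hmac.new(hashlib.sha1(ck).digest(), auth_message, hashlib.sha1).digest()
    return bytes(a ^ b for a, b in zip(ck, sig))

def server_accepts(stored: bytes, proof: bytes, auth_message: bytes) -> bool:
    # The verifier recovers ClientKey from the proof and compares H(ClientKey) with its StoredKey.
    sig = hmac.new(stored, auth_message, hashlib.sha1).digest()
    recovered = bytes(a ^ b for a, b in zip(proof, sig))
    return hmac.compare_digest(hashlib.sha1(recovered).digest(), stored)

# Constructed sample values, for illustration only.
SALT = b"constructed-salt"
ITERATIONS = 10000
AUTH_MESSAGE = b"n=__system,r=cnonce,r=cnoncesnonce,s=c2FsdA==,i=10000,c=biws,r=cnoncesnonce"
EXISTING_MEMBER_SECRET = "constructed-keyfile-contents-A"
NEW_MEMBER_SECRET = "constructed-keyfile-contents-B"

def demo() -> tuple:
    stored = stored_key(EXISTING_MEMBER_SECRET, SALT, ITERATIONS)
    same = client_proof(EXISTING_MEMBER_SECRET, SALT, ITERATIONS, AUTH_MESSAGE)
    other = client_proof(NEW_MEMBER_SECRET, SALT, ITERATIONS, AUTH_MESSAGE)
    return server_accepts(stored, same, AUTH_MESSAGE), server_accepts(stored, other, AUTH_MESSAGE)

if __name__ == "__main__":
    print(demo())
```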