HenryGP / om_ansible

Minimalistic, disposable Ops Manager environment with Ansible

x509: certificate specifies an incompatible key usage #76

Closed MartinCanovas closed 3 years ago

MartinCanovas commented 3 years ago

The x509 certs work well when securing connections to Ops Manager. However, when enabling TLS in the Project, Ops Manager UI -> Authentication & TLS, the status of deployments shows the "red square" even though all agents still show the "green circle" status.

The monitoring-agent.log shows:

[metrics.status.collector-n3.omansible.int:27017.error] [monitoring/collector.go:looper:284] Failure during status metrics collection. Will retry after 10s.
Failed to get connectionStatus. Err: server selection error: server selection timeout
current topology: Type: Single
Servers:
Addr: n3.omansible.int:27017, Type: Unknown, State: Connected, Average RTT: 0, Last error: connection() : x509: certificate specifies an incompatible key usage

    at cm/monitoring/dialing.go:491
    at cm/monitoring/dialing.go:240
    at cm/monitoring/dialing.go:351
    at cm/monitoring/dialing.go:368
    at louisaberger/procexec/concurrency.go:45
    at src/runtime/asm_amd64.s:1373

I haven't tested it but I believe this issue might be resolved by removing the following lines from the certs:

X509v3 Extended Key Usage:
                TLS Web Client Authentication

emisca commented 3 years ago

@MartinCanovas could you please clarify which certs you have specified in your automation config?

Each container has a client and a server pem file. The server pem file has to be used in net.tls.certificateKeyFile and the client one in net.tls.clusterFile. The client cert needs to be used for the agents too (for automation, monitoring and backups).

If you set the project correctly the certs will work fine. I use it often and it all works well.

Maybe it needs more explicit documentation to avoid mistakes.

MartinCanovas commented 3 years ago

I see. After replacing the client.pem with server.pem for the net.tls.certificateKeyFile option it is working now. Thanks.
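The failure in this thread comes from the Go TLS client inside the monitoring agent: when it verifies the mongod server certificate it requires the serverAuth Extended Key Usage by default, so a client-only pem (one whose only EKU is "TLS Web Client Authentication", as shown in the openssl output quoted above) presented as net.tls.certificateKeyFile is rejected with exactly "x509: certificate specifies an incompatible key usage". The following program is an added example, not code from the om_ansible repository or from either commenter; it builds a throwaway CA and two leaf certificates in memory (constructed for this demonstration, with the host name n3.omansible.int taken from the log) and shows that the client-only leaf fails Go's default server-side verification while a leaf carrying serverAuth passes. The function and type names (testCA, issueLeaf, VerifyClientOnlyCert, VerifyServerCert, isIncompatibleUsage) are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// testCA is a throwaway in-memory CA (constructed for this example only).
type testCA struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

func newTestCA() (*testCA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example test CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &testCA{cert: cert, key: key}, nil
}

// issueLeaf signs a leaf certificate for dnsName carrying only the given EKUs.
func (ca *testCA) issueLeaf(dnsName string, ekus []x509.ExtKeyUsage) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: dnsName},
		DNSNames:     []string{dnsName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  ekus,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.cert, &key.PublicKey, ca.key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifyWithEKUs issues a leaf with the given EKUs and verifies it the way a Go
// TLS client does by default: chain to the CA, match the host name, and (because
// VerifyOptions.KeyUsages is left nil) require ExtKeyUsageServerAuth.
func verifyWithEKUs(host string, ekus []x509.ExtKeyUsage) error {
	ca, err := newTestCA()
	if err != nil {
		return err
	}
	leaf, err := ca.issueLeaf(host, ekus)
	if err != nil {
		return err
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca.cert)
	_, err = leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

// VerifyClientOnlyCert mirrors the mistake in the issue: a client.pem (clientAuth
// only) presented as the server certificate.
func VerifyClientOnlyCert(host string) error {
	return verifyWithEKUs(host, []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth})
}

// VerifyServerCert mirrors the fix: a server.pem that carries serverAuth.
func VerifyServerCert(host string) error {
	return verifyWithEKUs(host, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth})
}

// isIncompatibleUsage reports whether err is Go's "incompatible key usage" rejection.
func isIncompatibleUsage(err error) bool {
	var cie x509.CertificateInvalidError
	return errors.As(err, &cie) && cie.Reason == x509.IncompatibleUsage
}

func main() {
	host := "n3.omansible.int"
	fmt.Println("client-only cert as server:", VerifyClientOnlyCert(host))
	fmt.Println("server cert as server:     ", VerifyServerCert(host))
}
```

On a real deployment the equivalent check is to run `openssl x509 -noout -text -in <the pem used for net.tls.certificateKeyFile>` and confirm that the "X509v3 Extended Key Usage" section lists "TLS Web Server Authentication"; a file that lists only "TLS Web Client Authentication" is the client pem and belongs in net.tls.clusterFile and in the agents' configuration instead.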