I believe this is a regression introduced in 4.0.0-rc0. The same automated test of ours that triggered this did not have this problem with 3.7.9. I have seen this happen on Amazon Linux and macOS.
Basically, if I have a PEM key file with a certificate with a subjectAltName component:
$ openssl x509 -in /tmp/mms-automation/test/output/certificates/pem-967246847 -inform PEM -subject -nameopt RFC2253
subject= subjectAltName=myAltName,emailAddress=user@mongodb.com,C=US,ST=NewYork,L=NewYorkCity,O=MongoDB,OU=MMSAutomationClient,CN=userWithEmailAndSan
And that user exists on the mongod:
MongoDB Enterprise csrs:PRIMARY> db.system.users.find({})
{ "_id" : "$external.subjectAltName=myAltName,emailAddress=user@mongodb.com,C=US,ST=NewYork,L=NewYorkCity,O=MongoDB,OU=MMSAutomationClient,CN=userWithEmailAndSan", "user" : "subjectAltName=myAltName,emailAddress=user@mongodb.com,C=US,ST=NewYork,L=NewYorkCity,O=MongoDB,OU=MMSAutomationClient,CN=userWithEmailAndSan", "db" : "$external", "credentials" : { "external" : true }, "roles" : [ { "role" : "backup", "db" : "admin" }, { "role" : "clusterAdmin", "db" : "admin" }, { "role" : "dbAdminAnyDatabase", "db" : "admin" }, { "role" : "readWriteAnyDatabase", "db" : "admin" }, { "role" : "restore", "db" : "admin" }, { "role" : "userAdminAnyDatabase", "db" : "admin" } ] }
This is what happens when I try to authenticate:
$ /tmp/mms-automation/test/versions/mongodb-linux-x86_64-enterprise-amzn64-4.0.0-rc0/bin/mongo --ssl --sslCAFile /tmp/mms-automation/test/output/certificates/mmsCA.pem --sslPEMKeyFile /tmp/mms-automation/test/output/certificates/pem-967246847 `hostname -f`:9007
MongoDB shell version v4.0.0-rc0
connecting to: mongodb://ip-10-113-168-251.ec2.internal:9007/test
MongoDB server version: 4.0.0-rc0
MongoDB Enterprise csrs:PRIMARY> use $external
switched to db $external
MongoDB Enterprise csrs:PRIMARY> db.auth({mechanism: "MONGODB-X509", user: "subjectAltName=myAltName,emailAddress=user@mongodb.com,C=US,ST=NewYork,L=NewYorkCity,O=MongoDB,OU=MMSAutomationClient,CN=userWithEmailAndSan"})
Error: Username "subjectAltName=myAltName,emailAddress=user@mongodb.com,C=US,ST=NewYork,L=NewYorkCity,O=MongoDB,OU=MMSAutomationClient,CN=userWithEmailAndSan" does not match the provided client certificate user "2.5.29.17=myAltName,emailAddress=user@mongodb.com,C=US,ST=NewYork,L=NewYorkCity,O=MongoDB,OU=MMSAutomationClient,CN=userWithEmailAndSan"
0
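An added diagnostic example, not part of the original report and not MongoDB's code: it classifies a MONGODB-X509 name mismatch like the one in the error above as a pure difference in attribute-type spelling (dotted OID versus short name) or as a real difference. The OID table and the function names are assumptions of this example, and it handles backslash escapes only, not quoted values.

```python
# Attribute-type OIDs for the types in the report's subject DN (standard assignments).
OID_TO_NAME = {
    "2.5.29.17": "subjectAltName", "1.2.840.113549.1.9.1": "emailAddress",
    "2.5.4.6": "C", "2.5.4.8": "ST", "2.5.4.7": "L",
    "2.5.4.10": "O", "2.5.4.11": "OU", "2.5.4.3": "CN",
}

def split_unescaped(text, sep):
    """Split text on sep, skipping separators escaped with a backslash (RFC 2253)."""
    parts, buf, i = [], [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            buf.append(text[i:i + 2])  # keep the escape pair intact
            i += 2
        elif text[i] == sep:
            parts.append("".join(buf))
            buf = []
            i += 1
        else:
            buf.append(text[i])
            i += 1
    parts.append("".join(buf))
    return parts

def parse_dn(dn):
    """Return (rdn_index, raw_type, canonical_type, value) for every attribute in the DN."""
    out = []
    for idx, rdn in enumerate(split_unescaped(dn, ",")):
        for ava in split_unescaped(rdn, "+"):
            raw, _, value = ava.partition("=")
            raw = raw.strip()
            out.append((idx, raw, OID_TO_NAME.get(raw, raw), value))
    return out

def classify(configured, presented):
    """Compare the $external user name with the name derived from the certificate."""
    a, b = parse_dn(configured), parse_dn(presented)
    if configured == presented:
        return "identical", []
    if [(i, c, v) for i, _, c, v in a] != [(i, c, v) for i, _, c, v in b]:
        return "different", []
    # Same structure and values: only the spelling of some attribute types differs.
    return "type-spelling-only", [(x[1], y[1]) for x, y in zip(a, b) if x[1] != y[1]]

# The two names quoted in the error message of the report.
CONFIGURED = "subjectAltName=myAltName,emailAddress=user@mongodb.com,C=US,ST=NewYork,L=NewYorkCity,O=MongoDB,OU=MMSAutomationClient,CN=userWithEmailAndSan"
PRESENTED = "2.5.29.17=myAltName,emailAddress=user@mongodb.com,C=US,ST=NewYork,L=NewYorkCity,O=MongoDB,OU=MMSAutomationClient,CN=userWithEmailAndSan"

if __name__ == "__main__":
    print(classify(CONFIGURED, PRESENTED))
```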