In server.conf, we had limited the cipher suite thusly:
cipherSuite = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-SHA256
This list was fine for splunkd, but mongod doesn't like it. We had to temporarily add an additional cipher to the list ("AES256-GCM-SHA384") so that mongod, and thus the 7.2 upgrade migration commands, would work. After the upgrade we removed that cipher from all the servers that don't need to run kvstore/mongod.
This is all to meet a TLS hardening requirement to pass a PCI vulnerability scan.
We had the same problem. The issue turned out to be that we had had to strengthen the TLS cipherSuite on our Splunk boxes to meet PCI requirements. We had to weaken it slightly on the search heads, because mongod unfortunately uses the same cipherSuite that splunkd uses from server.conf, and it wouldn't start w/o an additional cipher. We didn't worry about it on the indexers, etc. that didn't need to run mongod anyway. Unfortunately, it needs to be able to start during the 7.2 (maybe just 7.x?) upgrade process to do a kvstore migration, and because it can't, we get the error you got above.
Once we weakened the cipherSuite across the board, the upgrade migration was able to start mongod and proceed.
The confusing thing about it, and what we submitted as a feature request as part of our support case, was that mongod.log has nothing when it fails to start for this reason. This made troubleshooting somewhat difficult.
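Because mongod.log stays empty in this failure, a pre-upgrade check of server.conf on hosts that run kvstore can catch it early. The following is an added example, not part of either post and not Splunk tooling; it assumes the setting sits in the `[sslConfig]` stanza, and the function names and sample configs are constructed for illustration.

```python
"""Pre-upgrade check: does cipherSuite contain the cipher mongod needed?"""

# Cipher the poster had to add for mongod (taken from the post above).
REQUIRED = "AES256-GCM-SHA384"


def cipher_suite(conf_text, stanza="sslConfig"):
    """Return the cipherSuite entries of one stanza as a list of names.

    Assumption: the setting lives in the [sslConfig] stanza of server.conf.
    """
    current = None
    ciphers = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            continue
        key, sep, value = line.partition("=")
        if sep and current == stanza and key.strip() == "cipherSuite":
            # A later assignment in the same stanza overrides an earlier one.
            ciphers = [c.strip() for c in value.split(":") if c.strip()]
    return ciphers


def mongod_cipher_present(conf_text, required=REQUIRED):
    """Exact-name match. A substring search would wrongly pass, because
    ECDHE-RSA-AES256-GCM-SHA384 contains AES256-GCM-SHA384."""
    return required in cipher_suite(conf_text)


# Constructed sample input (shortened list in the style of the post).
HARDENED = """\
[sslConfig]
cipherSuite = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256
"""
TEMPORARY = HARDENED.rstrip("\n") + ":AES256-GCM-SHA384\n"

if __name__ == "__main__":
    for name, text in (("hardened", HARDENED), ("temporary", TEMPORARY)):
        print(name, "naive substring:", REQUIRED in text,
              "exact:", mongod_cipher_present(text))
```

The check only understands explicit colon-separated cipher names like the list in the post; OpenSSL keywords such as `HIGH` or exclusions such as `!aNULL` are not expanded.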