Percona Backup for MongoDB with SSL/TLS

5 min readJan 12, 2022


In this previous percona blog series, We continuing about Percona Backup for MongDB installation with SSL/TLS

We are going to explain easy ways to configure pbm agent ,

  1. Install the pbm package
  2. Configure the authentication for MongoDB
  3. Configure MongoDB Connection URI for pbm agent

What is Percona backup for MongoDB ?

Percona Backup for MongoDB is the command line interface to take backup and restore mongodb , and we can configure , automate and manage mongodb backup and restore process much easier

But in this we had big trouble with SSL/TLS enabled x509 authentication in mongodb connection

Myself and Krishnakumar Mani struggling to find the solution to take backup of Percona Server for MongoDB long time with SSL/TLS mongodb connection

Without SSL/TLS its working as expected and we are able to take the backup . But with latest ( Percona for MongoDB Version 4 and above ) versions its always throwing unhandled error like below ,

Last error: connection() : x509: certificate relies on legacy Common Name field, use SANs or temporarily enable Common Name matching with GODEBUG=x509ignoreCN=0

After two weeks of troubleshooting , we found issue with SSL connectivity and once we tried to use TLS connection able to take backup and restore successfully .

We will go with one by one steps for configuring the pbm agent

Install the pbm package

In first , We will Install Percona Backup for MongoDB ( pbm ) . Its easiest method install from repository

root@mongoprimary:~# sudo percona-release enable pbm release

Once enabled , update the local package in ubuntu

root@mongoprimary:~# sudo apt update

Next , Install the Percona Backup for MongoDB

root@mongoprimary:~# sudo apt install percona-backup-mongodb

Configure the authentication for MongoDB

To create backup , mongodb authentication is required and for the same needs to create required privileged user and password in mongodb

As per percona sites , create role to perform anyaction on mongodb instance

rs01:PRIMARY> use admin
switched to db admin
rs01:PRIMARY> db.getSiblingDB("admin").createRole(
{ "role": "pbmAnyServerAction",
"privileges": [
{ "resource": { "anyResource": true },
"actions": [ "anyAction" ]}],"roles": []});

Create pbm user and password with required privileges ,

rs01:PRIMARY> db.getSiblingDB("admin").createUser({user: "pbmadmin",
"pwd": "******",
"roles" : [
{ "db" : "admin", "role" : "readWrite", "collection": "" },
{ "db" : "admin", "role" : "backup" },
{ "db" : "admin", "role" : "clusterMonitor" },
{ "db" : "admin", "role" : "restore" },
{ "db" : "admin", "role" : "pbmAnyServerAction" }]});

Configure MongoDB Connection URI for pbm agent

Note : Even for standalone instance , pbm agent URI expects replication parameter needs to be passed . Otherwise we will get the below error,

2022–01–17T16:15:57.000+0000 E [agentCheckup] get replSetGetStatus: get replset status: run mongo command replSetGetStatus: (NoReplicationEnabled) not running with — replSet

In this case enabled replication as rs01 in config file and initialized for single node

We have tried multiple options to configure mongodb connection URI , but unable to setup and run the agent in any ways , we have got connection error as always or with nohup method we need to run the connection URI . But that's not feasible solution to go with ,

Finally one options is suited well to run the agent at any cost without hassles , as mentioned previous blog we are using ubuntu so added mongodb URI connection in environment variable itself ,

root@mongoprimary:~# vi ~/.bashrc# ~/.bashrc: executed by bash(1) for non-login shells.
# see /usr/share/doc/bash/examples/startup-files (in the package bash-doc)
# for examples
export PBM_MONGODB_URI="mongodb://pbmadmin:****@mongoprimary:27017/?authSource=admin&replicaSet=rs01&tls=true&tlsCAFile=/etc/mongodb/ssl/mongoCA.crt&tlsCertificateKeyFile=/etc/mongodb/ssl/mongoprimary.pem"
# Below command is to ignore common error in openssl
export GODEBUG=x509ignoreCN=0
root@mongoprimary:~# vi /etc/default/pbm-agentAdd below line and change permission for pbm-agent file export PBM_MONGODB_URI="mongodb://pbmadmin:****@mongoprimary:27017/?authSource=admin&replicaSet=rs01&tls=true&tlsCAFile=/etc/mongodb/ssl/mongoCA.crt&tlsCertificateKeyFile=/etc/mongodb/ssl/mongoprimary.pem"
chown pbm:pbm /etc/default/pbm-agent
And restart the pbm-agent service

We have tested with multiple reboot and stop start service of pbm agent , pbm commands are working as expected

As per the percona , we need to configure the systemctl service as well

In ubnutu edit the /lib/systemd/system/pbm-agent.service file with below details ,




Once everything is ready , prepare the configuration YAML file to take backup wherever we required ,

  1. Create pbm_config.yaml configuration file , as per our requirement taking backup into Azure Blobs . Also we can take backup into local file system and AWS S3
"mongoprimary:27017": 0.5
enabled: true
oplogSpanMin: 5
type: azure
account: *********
container: *********
prefix: pbm
key: *********
batchSize: 500
numInsertionWorkers: 10

Including backup additional parameters are configured , please go though those in official link

2. Insert the configuration values to take backup

root@mongoprimary:~# chown -R pbm:pbm pbm_config.yamlroot@mongoprimary:~# pbm config --file pbm_config.yaml

3.Start the pbm agent service and if any errors please check in logs

root@mongoprimary:~# sudo systemctl start pbm-agentroot@mongoprimary:~# sudo systemctl enable pbm-agentIf any errors ,root@mongoprimary:~# journalctl -u pbm-agent.service

4.Verify the pbm status

root@mongoprimary:# pbm status
- rs01/mongoprimary:27017: pbm-agent v1.6.1 OK
PITR incremental backup:
Status [ON]
Currently running:
Azure 'https://*******************/pbm'
2022-01-12T10:01:06Z 136.49KB [complete: 2022-01-12T10:01:11]
2022-01-12T09:53:09Z 134.82KB [complete: 2022-01-12T09:53:14]
2022-01-12T09:41:12Z 132.46KB [complete: 2022-01-12T09:41:17]
2022-01-12T09:38:17Z 131.05KB [complete: 2022-01-12T09:38:22]
2022-01-12T08:51:19Z 125.26KB [complete: 2022-01-12T08:51:23]

Once all setup completed . we can proceed the backup to remote storage

5.Take the backup

root@db-mongodb-primary:# pbm backup
Starting backup '2022-01-12T10:01:06Z'...
Backup '2022-01-12T10:01:06Z' to remote store 'https://****/pbm' has started

6.Once backup is completed we can list completed backups

root@db-mongodb-primary:# pbm list
Backup snapshots:
2022-01-12T08:50:56Z [complete: 2022-01-12T08:51:00]
2022-01-12T08:51:19Z [complete: 2022-01-12T08:51:23]
2022-01-12T09:38:17Z [complete: 2022-01-12T09:38:22]
2022-01-12T09:41:12Z [complete: 2022-01-12T09:41:17]
2022-01-12T09:53:09Z [complete: 2022-01-12T09:53:14]
PITR <on>:
2022-01-09T16:04:49 - 2022-01-12T09:53:14

Also , in our production system configured the backup for cluster environment , Below is the pbm status for reference

root@db-mongodb-primary:# pbm status
- ust-replication/mongodbprimary:27017: pbm-agent v1.6.1 OK
- ust-replication/mongodbreplica01:27017: pbm-agent v1.6.1 OK
PITR incremental backup:
Status [ON]
Currently running:
Azure https://******************/pbm
2022-01-12T10:01:06Z 136.49KB [complete: 2022-01-12T10:01:11]
2022-01-12T09:53:09Z 134.82KB [complete: 2022-01-12T09:53:14]
2022-01-12T09:41:12Z 132.46KB [complete: 2022-01-12T09:41:17]
2022-01-12T09:38:17Z 131.05KB [complete: 2022-01-12T09:38:22]
PITR chunks [288.20KB]:
2022-01-09T16:04:49 - 2022-01-12T10:16:18

References :