Hello,

I am trying to enable TLS for the Redis cluster on CentOS 7 with version 6.0.5. I am able to bring the Redis service up and running, but when I tried to connect to redis-cli, I am not able to. I attached my config file and below is the error I am getting:

```
redis-cli --tls --cert /etc/redis/server_certificate.pem --key /etc/redis/server_key.pem --cacert /etc/redis/ca_certificate.pem -a test
Warning: Using a password with '-a' or '-u' option on the command line interface may not be safe.
Could not connect to Redis at 127.0.0.1:6379: SSL_connect failed: sslv3 alert unsupported certificate
not connected>
```

Can someone please help me to get this fixed.

Thanks,
Nandeep
Hello,

Can someone please help me.

Thanks,
Nandeep
Hello Itamar,

Please find the Redis.conf file and all the self-signed certs which I am using for testing this feature. I generated the certs using the following:

```
git clone https://github.com/michaelklishin/tls-gen tls-gen && cd tls-gen/basic
make PASSWORD="" CN="" DAYS_OF_VALIDITY=1825 NUMBER_OF_PRIVATE_KEY_BITS=4096
cd result && openssl dhparam -out dhparam.pem 4096 && sudo mv *.pem /etc/redis
```

Thanks,
Hello,

Thanks for the help. It works after using client certificates. I have configured Sentinel and am using client certificates. I am getting the below error when I am trying to connect.

```
redis-cli -p 26379 --tls --cert /etc/redis/client_certificate.pem --key /etc/redis/client_key.pem --cacert /etc/redis/ca_certificate.pem -a password
Warning: Using a password with '-a' or '-u' option on the command line interface may not be safe.
Could not connect to Redis at 127.0.0.1:26379: SSL_connect failed: certificate verify failed
not connected>
```

If I am using the server certificates in the sentinel conf, I am getting the below errors in the Redis log file:

```
tail -f /data/logs/redis.log
24914:M 29 Jul 2020 16:01:42.268 * DB loaded from disk: 0.000 seconds
24914:M 29 Jul 2020 16:01:42.268 * Ready to accept connections
24914:M 29 Jul 2020 16:10:29.482 # Error accepting a client connection: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol (conn: fd=7)
24914:M 29 Jul 2020 16:10:29.482 # Error accepting a client connection: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol (conn: fd=7)
24914:M 29 Jul 2020 16:10:30.560 # Error accepting a client connection: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol (conn: fd=7)
24914:M 29 Jul 2020 16:10:30.560 # Error accepting a client connection: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol (conn: fd=7)
```

I can see that sentinel port 26379 is listening on 0.0.0.0:

```
netstat -pulnt
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:26379           0.0.0.0:*               LISTEN      25733/redis-sentine
tcp        0      0 0.0.0.0:6379            0.0.0.0:*               LISTEN      24914/redis-server
tcp6       0      0 :::26379                :::*                    LISTEN      25733/redis-sentine
```

Not sure of this error. Could you please help me to fix this.

Thanks
You received this message because you are subscribed to a topic in the Google Groups "Redis DB" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/redis-db/RxNuJX-d65A/unsubscribe.
To unsubscribe from this group and all its topics, send an email to redis-db+u...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/redis-db/e3f86569-a607-4dd6-98bc-70de87825d4fo%40googlegroups.com.
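Added example (not part of the original posts): the `sslv3 alert unsupported certificate` error in the first post went away once a client certificate was used, which is consistent with a server certificate whose Extended Key Usage excludes client authentication. The script below builds a constructed throwaway CA with one server-only and one client-only certificate and uses `openssl verify -purpose` to show which one a TLS server accepts from a client; the function names, subjects and temporary paths are assumptions made for the illustration.

```shell
#!/usr/bin/env bash
# Added example: throwaway CA and certificates constructed here, not the poster's files.
set -eu

# Build a CA and two leaf certificates in directory $1: server.crt carries only
# the serverAuth EKU and client.crt only clientAuth.
make_test_pki() {
  dir=$1
  printf '[req]\ndistinguished_name=dn\n[dn]\n[v3_ca]\nbasicConstraints=critical,CA:TRUE\n' \
    > "$dir/min.cnf"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 -config "$dir/min.cnf" \
    -extensions v3_ca -subj "/O=Example/CN=Test CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
  for role in server client; do
    printf 'extendedKeyUsage = %sAuth\n' "$role" > "$dir/$role.ext"
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$dir/min.cnf" \
      -subj "/O=Example/CN=$role" \
      -keyout "$dir/$role.key" -out "$dir/$role.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 1 -in "$dir/$role.csr" \
      -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
      -extfile "$dir/$role.ext" -out "$dir/$role.crt" 2>/dev/null
  done
}

# Print the Extended Key Usage value of certificate $1, or "(none)".
show_eku() {
  openssl x509 -in "$1" -noout -text | grep -A1 'Extended Key Usage' \
    | tail -n 1 | sed 's/^ *//' | grep . || echo "(none)"
}

# Print "ok" if cert $2 chains to CA $1 and is valid for purpose $3
# (sslclient or sslserver), otherwise "rejected".
check_purpose() {
  if openssl verify -CAfile "$1" -purpose "$3" "$2" >/dev/null 2>&1; then
    echo ok
  else
    echo rejected
  fi
}

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
make_test_pki "$tmp"
for c in server client; do
  echo "$c.crt EKU: $(show_eku "$tmp/$c.crt");" \
       "as TLS client: $(check_purpose "$tmp/ca.crt" "$tmp/$c.crt" sslclient)"
done
```

A certificate with no Extended Key Usage extension at all passes both the `sslclient` and `sslserver` checks, and `show_eku` prints `(none)` for it.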
On Aug 6, 2020, at 7:38 AM, Nandeep Mannava <mannava...@gmail.com> wrote:

Hello Everyone,

Can someone please suggest to me how I can achieve this.

Thanks,
Nandeep
On Aug 6, 2020, at 7:55 AM, Nandeep Mannava <mannava...@gmail.com> wrote:

TLS encryption for both Client and the replication as well. When I tried adding a node with TLS enabled with replication, the data is not getting replicated. When I turned off TLS, the new node is able to join the cluster and the data is getting replicated which I am having downtime.
On Aug 20, 2020, at 9:48 AM, mannava...@gmail.com <mannava...@gmail.com> wrote:

Hello Everyone,

I am getting an error when I enabled TLS on Redis 6.0.6. I am able to connect to redis-cli using the below commands

```
redis-cli --tls --cert /etc/redis/redis.crt --key /etc/redis/redis.key --cacert /etc/redis/ca.crt
redis-cli -p 26379 --tls --cert /etc/redis/redis.crt --key /etc/redis/redis.key --cacert /etc/redis/ca.crt
```

But when I view the logs, I see the below errors.

```
Error accepting a client connection: error:1408F10B:SSL routines:ssl3_get_record:wrong version number (conn: fd=9)
Error accepting a client connection: error:1408F10B:SSL routines:ssl3_get_record:wrong version number (conn: fd=10
Error accepting a client connection: error:1408F10B:SSL routines:ssl3_get_record:wrong version number (conn: fd=12)
```

This is my configuration for Redis and Sentinel TLS.

redis.conf

```
port 0
tls-port 6379
tls-cert-file "/etc/redis/redis.crt"
tls-key-file "/etc/redis/redis.key"
tls-ca-cert-file "/etc/redis/ca.crt"
tls-auth-clients no
tls-replication yes
```

sentinel.conf

```
tls-port 26379
tls-replication yes
tls-cert-file "/etc/redis/redis.crt"
tls-key-file "/etc/redis/redis.key"
tls-ca-cert-file "/etc/redis/ca.crt"
port 0
```

Can someone help me if you faced the same kind of issue?

Thanks,
Nandeep
At the moment no client is connected to the servers. I just deployed 2 boxes with version 6.0.6 and configured TLS with the above config. I just viewed the logs and I am getting the above errors. And I created certs with the below commands.

```
openssl genrsa -out /etc/redis/ca.key 4096
openssl req -x509 -new -sha512 -key /etc/redis/ca.key -days 3650 -subj '/O=Redis CN=Certificate Authority' -out /etc/redis/ca.crt
openssl genrsa -out /etc/redis/redis.key 4096
openssl req -new -sha256 -key /etc/redis/redis.key -subj '/O=Redis CN=Server' | openssl x509 -req -sha256 -CA /etc/redis/ca.crt -CAkey /etc/redis/ca.key -CAserial ca.txt -CAcreateserial -days 1110 -out /etc/redis/redis.crt
```

I didn't specify the type attribute while creating certs.
Yes, I configured one node as a master and the other one as a replica.