Re: Hello I am trying to enable TLS for Redis cluster with 6.0.5 on Centos 7


a mrpre

Jul 23, 2020, 6:17:37 AM, to Redis DB
Your client cannot verify the server's certificate. You can post your server's certificate here,

or inspect it with the openssl command `openssl x509 -in XXX.pem -text`.

'SSL Server' may be missing from your certificate's extensions.


On Tuesday, July 21, 2020 at 9:08:37 PM UTC+8, Nandeep Mannava wrote:
Hello,

I am trying to enable TLS for the Redis cluster on Centos 7 with version 6.0.5. I am able to bring the Redis service up and running, but when I try to connect with redis-cli, I am not able to. I attached my config file and below is the error I am getting:

redis-cli --tls --cert /etc/redis/server_certificate.pem --key /etc/redis/server_key.pem --cacert /etc/redis/ca_certificate.pem -a test
Warning: Using a password with '-a' or '-u' option on the command line interface may not be safe.
Could not connect to Redis at 127.0.0.1:6379: SSL_connect failed: sslv3 alert unsupported certificate
not connected>

Can someone please help me to get this fixed.

Thanks,
Nandeep

Itamar Haber

Jul 28, 2020, 12:10:16 PM, to Redis DB
Hi Nandeep,

Please share with us your redis.conf file(s) and the dump of the certificates.

Cheers,
Itamar

On Tuesday, July 28, 2020 at 4:13:22 PM UTC+3 mannava...@gmail.com wrote:
Hello,

Can Someone please help me.

Thanks,
Nandeep

Yossi Gottlieb

Jul 29, 2020, 10:19:18 AM, to Redis DB
Looks like you use the server cert on the redis-cli (client) side. While the certificate is valid, it was issued with key usage/cert type attributes that indicate it is a server side certificate and the default OpenSSL configuration enforces and rejects such certs. Try using the client certificate on the client side - it should work.

On Tuesday, July 28, 2020 at 9:41:05 PM UTC+3 mannava...@gmail.com wrote:
Hello Itamar,

Please find the redis.conf file and all the self-signed certs which I am using for testing this feature. I generated the certs using the following:

git clone https://github.com/michaelklishin/tls-gen tls-gen && cd tls-gen/basic
make PASSWORD="" CN="" DAYS_OF_VALIDITY=1825 NUMBER_OF_PRIVATE_KEY_BITS=4096
cd result && openssl dhparam -out dhparam.pem 4096 && sudo mv *.pem /etc/redis

Thanks,


Yossi Gottlieb

Jul 29, 2020, 2:32:23 PM, to redi...@googlegroups.com
You will need to use "tls-replication yes" to let Sentinel know it needs to establish TLS with Redis.

Note that if you're using replication you may run into problems with the certificates you've created, because a replica will attempt to use the same certificate both as a client and a server and you'll basically run into the original problem once again.

I suggest creating certificates that don't have key usage extensions. You can take a look at the utils/gen-test-certs.sh script as an example of how to create such certs with OpenSSL.


On Wed, Jul 29, 2020 at 7:26 PM Nandeep Mannava <mannava...@gmail.com> wrote:
Hello,

Thanks for the help. It works after using client certificates. I have configured Sentinel and am using client certificates. I am getting the below error when I am trying to connect.

redis-cli -p 26379 --tls --cert /etc/redis/client_certificate.pem --key /etc/redis/client_key.pem --cacert /etc/redis/ca_certificate.pem -a password
Warning: Using a password with '-a' or '-u' option on the command line interface may not be safe.
Could not connect to Redis at 127.0.0.1:26379: SSL_connect failed: certificate verify failed
not connected>

If I use the server certificates in the Sentinel conf, I get the below errors in the Redis log file:

tail -f /data/logs/redis.log
24914:M 29 Jul 2020 16:01:42.268 * DB loaded from disk: 0.000 seconds
24914:M 29 Jul 2020 16:01:42.268 * Ready to accept connections
24914:M 29 Jul 2020 16:10:29.482 # Error accepting a client connection: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol (conn: fd=7)
24914:M 29 Jul 2020 16:10:29.482 # Error accepting a client connection: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol (conn: fd=7)
24914:M 29 Jul 2020 16:10:30.560 # Error accepting a client connection: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol (conn: fd=7)
24914:M 29 Jul 2020 16:10:30.560 # Error accepting a client connection: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol (conn: fd=7)


I can see that Sentinel port 26379 is listening on 0.0.0.0:


netstat -pulnt
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:26379           0.0.0.0:*               LISTEN      25733/redis-sentine
tcp        0      0 0.0.0.0:6379            0.0.0.0:*               LISTEN      24914/redis-server
tcp6       0      0 :::26379                :::*                    LISTEN      25733/redis-sentine

I am not sure about this error. Could you please help me to fix this?

Thanks


Benjamin Sergeant

Aug 6, 2020, 10:48:29 AM, to redi...@googlegroups.com
I would start by upgrading redis to 6.0.x.

I would 'detach' the 2 replicas, then upgrade them. Then fail over the master to one of the replicas, so that the master can be upgraded.

For the TLS change it will be harder. Do you want the Redis client connection to be encrypted with TLS, or just the replication?

On Aug 6, 2020, at 7:38 AM, Nandeep Mannava <mannava...@gmail.com> wrote:

Hello Everyone,

Can someone please suggest to me how I can achieve this?

Thanks,
Nandeep


Benjamin Sergeant

Aug 6, 2020, 11:58:13 AM, to redi...@googlegroups.com
Have you already upgraded to 6.x ?

You should fix things one step at a time in my opinion.

On Aug 6, 2020, at 7:55 AM, Nandeep Mannava <mannava...@gmail.com> wrote:

TLS encryption for both the client and the replication as well. When I tried adding a node with TLS enabled with replication, the data did not get replicated. When I turned off TLS, the new node was able to join the cluster and the data got replicated, which means I am having downtime.


Benjamin Sergeant

Aug 20, 2020, 1:05:34 PM, to redi...@googlegroups.com
You might be using the same key for client and server.

Quoting Yossi's answer in this thread:

"""
Looks like you use the server cert on the redis-cli (client) side. While the certificate is valid, it was issued with key usage/cert type attributes that indicate it is a server side certificate and the default OpenSSL configuration enforces and rejects such certs. Try using the client certificate on the client side - it should work.
"""

On Aug 20, 2020, at 9:48 AM, mannava...@gmail.com <mannava...@gmail.com> wrote:


Hello Everyone,

I am getting an error when I enabled TLS on Redis 6.0.6. I am able to connect to redis-cli using the below commands:

```
redis-cli --tls --cert /etc/redis/redis.crt --key /etc/redis/redis.key --cacert /etc/redis/ca.crt
redis-cli -p 26379 --tls --cert /etc/redis/redis.crt --key /etc/redis/redis.key --cacert /etc/redis/ca.crt
```

But when I view the logs, I see the below errors:

```
Error accepting a client connection: error:1408F10B:SSL routines:ssl3_get_record:wrong version number (conn: fd=9)
Error accepting a client connection: error:1408F10B:SSL routines:ssl3_get_record:wrong version number (conn: fd=10
Error accepting a client connection: error:1408F10B:SSL routines:ssl3_get_record:wrong version number (conn: fd=12)
```

This is my configuration for Redis and Sentinel TLS.

redis.conf

```
port 0
tls-port 6379
tls-cert-file "/etc/redis/redis.crt"
tls-key-file "/etc/redis/redis.key"
tls-ca-cert-file "/etc/redis/ca.crt"
tls-auth-clients no
tls-replication yes
```

sentinel.conf

```
tls-port 26379
tls-replication yes
tls-cert-file "/etc/redis/redis.crt"
tls-key-file "/etc/redis/redis.key"
tls-ca-cert-file "/etc/redis/ca.crt"
port 0
```

Can someone help me if you have faced the same kind of issue?

Thanks,
Nandeep


Greg Andrews

Aug 20, 2020, 9:39:03 PM, to Redis DB

Did you configure one of the two servers to connect to the other one as a replica?


On Thursday, August 20, 2020 at 10:17:46 AM UTC-7, mannava...@gmail.com wrote:

At the moment no client is connected to the servers. I just deployed 2 boxes with version 6.0.6 and configured TLS with the above config. I just viewed the logs and I am getting the above errors. I created the certs with the below commands.

```
# Subject components must be separated by '/' so that CN is a distinct field.
openssl genrsa -out /etc/redis/ca.key 4096
openssl req -x509 -new -sha512 -key /etc/redis/ca.key -days 3650 -subj '/O=Redis/CN=Certificate Authority' -out /etc/redis/ca.crt
openssl genrsa -out /etc/redis/redis.key 4096
openssl req -new -sha256 -key /etc/redis/redis.key -subj '/O=Redis/CN=Server' | openssl x509 -req -sha256 -CA /etc/redis/ca.crt -CAkey /etc/redis/ca.key -CAserial ca.txt -CAcreateserial -days 1110 -out /etc/redis/redis.crt
```
I didn't specify the type attribute while creating the certs.

Greg Andrews

Aug 21, 2020, 12:37:29 PM, to Redis DB
It looks to me like the log entries are the master logging how the replica is trying to make a connection, but failing. Since the connection fails in the TLS phase (very early in the procedure), the master doesn't yet know it's a replica, and uses the word "client" in the log entry.

On Friday, August 21, 2020 at 6:08:30 AM UTC-7, mannava...@gmail.com wrote:
Yes, I configured one node as a master and the other one as a replica. 
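An added example, not from this thread or from Redis itself: a small Python classifier that maps the redis-cli and redis-server TLS error strings quoted in this thread to the causes the replies above identified (a server-only certificate presented as a client, a CA mismatch, and plaintext replica or Sentinel traffic hitting the TLS port because tls-replication is not set), so a defender reading a log can tell which misconfiguration they are looking at. The cause/fix table and the sample log list are constructed here from the thread's own lines.

```python
import re
from collections import Counter

# OpenSSL error text seen in this thread -> (cause the thread settled on, fix).
# Table constructed for this example; it is not part of Redis.
PLAINTEXT = ("plaintext reached the TLS port: replica or Sentinel is not using TLS",
             "set tls-replication yes on replicas and Sentinel; clients must pass --tls")
TLS_ERROR_CAUSES = {
    "unsupported certificate": (
        "peer rejected our certificate: its key usage marks it server-only",
        "present a client certificate, or issue certs without key usage extensions"),
    "certificate verify failed": (
        "peer certificate does not chain to the configured CA",
        "use the same CA file for --cacert / tls-ca-cert-file on every node"),
    "unknown protocol": PLAINTEXT,      # OpenSSL 1.0.x wording
    "wrong version number": PLAINTEXT,  # OpenSSL 1.1.x wording
}

# "(conn: fd=9)" in redis-server lines; closing paren optional since one posted line was cut off.
_FD_RE = re.compile(r"\(conn: fd=(\d+)")

def classify(line):
    """Map one redis-cli or redis-server line to a finding, or None if it is not a TLS failure."""
    lowered = line.lower()
    for needle, (cause, fix) in TLS_ERROR_CAUSES.items():
        if needle in lowered:
            # redis-server logs accept-side failures; redis-cli reports connect-side ones.
            side = "server" if "error accepting a client connection" in lowered else "client"
            fd = _FD_RE.search(line)
            return {"side": side, "reason": needle, "cause": cause, "fix": fix,
                    "fd": int(fd.group(1)) if fd else None}
    return None

def summarize(lines):
    """Count failures per recommended fix so the dominant misconfiguration stands out."""
    return Counter(hit["fix"] for hit in map(classify, lines) if hit is not None)

# Sample lines copied from this thread; the fd=10 line is kept truncated as it was posted.
SAMPLE_LOG = [
    "Could not connect to Redis at 127.0.0.1:6379: SSL_connect failed: sslv3 alert unsupported certificate",
    "Could not connect to Redis at 127.0.0.1:26379: SSL_connect failed: certificate verify failed",
    "24914:M 29 Jul 2020 16:01:42.268 * Ready to accept connections",
    "24914:M 29 Jul 2020 16:10:29.482 # Error accepting a client connection: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol (conn: fd=7)",
    "Error accepting a client connection: error:1408F10B:SSL routines:ssl3_get_record:wrong version number (conn: fd=10",
]

if __name__ == "__main__":
    for hit in filter(None, map(classify, SAMPLE_LOG)):
        print(f"[{hit['side']}] fd={hit['fd']} {hit['cause']} -> {hit['fix']}")
```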

Anil Kumar

Jun 30, 2021, 11:27:01 AM, to Redis DB
Which TLS versions have you applied?

If applying tls-protocols "TLSv1.2",

we can set these ciphers too:
tls-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256

Thanks
Anil

On Wednesday, 29 July 2020 at 21:56:12 UTC+5:30 Nandeep Mannava wrote:
Hello,

Thanks for the help. It works after using client certificates. I have configured Sentinel and am using client certificates. I am getting the below error when I am trying to connect.

redis-cli -p 26379 --tls --cert /etc/redis/client_certificate.pem --key /etc/redis/client_key.pem --cacert /etc/redis/ca_certificate.pem -a password
Warning: Using a password with '-a' or '-u' option on the command line interface may not be safe.