Redis 6 TLS and Sentinel


WifiGi

Apr 16, 2020, 1:45:02 PM
to Redis DB
I would like to set up a basic 3-node Sentinel setup using the new TLS features of Redis 6. Unfortunately, it doesn't seem like Redis 6 Sentinel is smart enough to speak TLS to clients.

Does anyone know of a way to do this, or if it's not possible, if there are any plans to add support for this in the future? It seems a shame to have these nice TLS features and not be able to use them with Redis' own tools.

My setup:
3 Redis servers (6.0-rc, last pulled yesterday), running TLS with the test certs
3 Sentinels (6.0-rc, also last pulled yesterday), not running TLS on their ports (I would like to, but that's a secondary problem)

What I've Tried:
1. Pointing Sentinel to the Redis TLS port - this results in lots of TLS errors, as Sentinel is not speaking TLS to Redis. Since it fails, Sentinel thinks the master is down.

2. Adding TLS options to Sentinel - this results in Sentinel trying to talk TLS on its ports, but not to clients, which doesn't help. I couldn't find any options specifically about making Sentinel speak TLS to clients.

3. Pointing Sentinel to the Redis not-TLS port (not ideal, I would rather only have the TLS port open) - this results in Sentinel reporting the wrong (not-TLS) port for the master to the simple Python client I'm testing with (it literally just tries to get master info from Sentinel) - I want the client to talk to Redis over TLS for obvious reasons.

4. Adding the "replica-announce-port" directive to Redis with Sentinel still pointed to the not-TLS port - this fails in 2 ways: the master port is still reported incorrectly as the not-TLS port (seems to be because the master is not a replica and so the directive does not apply), and Sentinel now thinks the replicas are both down (because the TLS port is reported, replicas are auto discovered, and it can't speak to the replicas on the TLS port).

Any tips appreciated!

Abdullah Al Shaad

Sep 1, 2022, 7:37:08 AM
to Redis DB
Any workaround for this? Is it possible to configure Redis with TLS and Sentinel without TLS?