
[question] How to configure own `ca.crt`?

Status: Open. powerman opened this issue 3 years ago • 2 comments

We're using our own CA to sign TLS certificates for all our internal services (this includes both our backend API and 3rd-party services like Redis).

How do we configure our `ca.crt`, needed to validate the Redis certificate, when using the Redis engine?

powerman avatar Dec 30 '21 14:12 powerman

Hello! Centrifugo currently does not have an option to control this.

Though, according to Go docs:

> On Unix systems other than macOS the environment variables SSL_CERT_FILE and SSL_CERT_DIR can be used to override the system default locations for the SSL certificate file and SSL certificate files directory, respectively. The latter can be a colon-separated list.

I've never tried this myself – maybe you can experiment with those? Can be a workaround until options to set custom CA file appear in Centrifugo.

FZambia avatar Dec 30 '21 18:12 FZambia

Thanks! `SSL_CERT_FILE` works (at least there are no more errors related to checking the Redis cert on start).

powerman avatar Dec 30 '21 18:12 powerman

Hello,

I tried with `ssl_cert_file` but still get an error like the one below: `error dialing to Redis error="x509: cannot validate certificate for x.x.x.x because it doesn't contain any IP SAN`. Does your `SSL_CERT_FILE` have both IP address and DNS, or just one of them?

chakrapani123 avatar Sep 26 '22 19:09 chakrapani123

> I tried with `ssl_cert_file` but still get an error like the one below: `error dialing to Redis error="x509: cannot validate certificate for x.x.x.x because it doesn't contain any IP SAN`. Does your `SSL_CERT_FILE` have both IP address and DNS, or just one of them?

Seems we also need to support `TLSConfig.ServerName` to fix `x509: cannot validate certificate for x.x.x.x because it doesn't contain any IP SAN`.

FZambia avatar Dec 02 '22 18:12 FZambia

So if we pass just IP addresses, will it work? Or is this a feature enhancement that will be added at a later point?

chakrapani123 avatar Dec 02 '22 18:12 chakrapani123

Hello, thanks for making those updates. I was able to connect by adding these flags to the config file:

```json
"redis_tls_server_name": "<Common name of the cert>",
"redis_tls_root_ca": "<Root cert of CA with cert chain part of it>",
"redis_tls": "true",
```

chakrapani123 avatar Dec 07 '22 19:12 chakrapani123
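Why those two options resolve the error above, as an added example in Go (not code from this thread or from Centrifugo): a constructed private CA issues a Redis leaf certificate that carries only a DNS SAN, and the chain is checked the way `crypto/tls` does with `RootCAs` (`redis_tls_root_ca`) and `ServerName` (`redis_tls_server_name`). The names `Internal Root CA` and `redis.internal`, the serial numbers and the address `10.0.0.5` are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

func must[T any](v T, err error) T { // unwrap (value, error) while building the constructed fixture
	if err != nil {
		panic(err)
	}
	return v
}

// makeChain builds a constructed private CA plus a leaf that carries only a DNS SAN
// (redis.internal) and no IP SAN, like the Redis certificate described in the thread.
func makeChain() (ca, leaf *x509.Certificate) {
	base := x509.Certificate{NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	caTmpl, leafTmpl := base, base
	caTmpl.SerialNumber, caTmpl.Subject = big.NewInt(1), pkix.Name{CommonName: "Internal Root CA"}
	caTmpl.IsCA, caTmpl.BasicConstraintsValid, caTmpl.KeyUsage = true, true, x509.KeyUsageCertSign
	leafTmpl.SerialNumber, leafTmpl.Subject = big.NewInt(2), pkix.Name{CommonName: "redis.internal"}
	leafTmpl.DNSNames = []string{"redis.internal"} // deliberately no IPAddresses entry
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))   // throwaway keys
	leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) // for the fixture only
	caDER := must(x509.CreateCertificate(rand.Reader, &caTmpl, &caTmpl, &caKey.PublicKey, caKey))
	ca = must(x509.ParseCertificate(caDER))
	leafDER := must(x509.CreateCertificate(rand.Reader, &leafTmpl, ca, &leafKey.PublicKey, caKey))
	leaf = must(x509.ParseCertificate(leafDER))
	return ca, leaf
}

// verifyAs does what crypto/tls does with RootCAs and ServerName: verify the leaf against
// the private CA for the given name. Returns the error text, or "" when the chain is valid.
func verifyAs(ca, leaf *x509.Certificate, serverName string) string {
	pool := x509.NewCertPool()
	pool.AddCert(ca) // the equivalent of redis_tls_root_ca
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: serverName}); err != nil {
		return err.Error() // an IP serverName yields "... doesn't contain any IP SANs"
	}
	return ""
}
```

Calling `verifyAs` with the Redis IP reproduces the thread's error even though the CA is trusted, while calling it with the certificate's DNS name (the value to put in `redis_tls_server_name`) succeeds.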

Most probably v4.1.0 with these changes will be released tomorrow.

FZambia avatar Dec 12 '22 18:12 FZambia

Unfortunately, had to delay v4.1.0 for some time – found some issues with it to improve.

FZambia avatar Dec 14 '22 12:12 FZambia

Thanks for the update, really appreciate it. Does this release take care of Helm chart upgrades as well?

chakrapani123 avatar Dec 14 '22 14:12 chakrapani123

> Does this release take care of Helm chart upgrades as well?

Helm chart for Centrifugo v4.0.5 was also released - https://github.com/centrifugal/helm-charts/releases/tag/centrifugo-9.0.8, you can either update the app version in the existing Helm chart or update the Helm chart to 9.0.8. Maybe I did not understand the question. (But v4.0.5 still does not include TLS changes from here - unfortunately hard to backport.)

FZambia avatar Dec 14 '22 17:12 FZambia

Now it's released and part of Centrifugo v4.1.0.

FZambia avatar Dec 19 '22 18:12 FZambia