
[enhancement]: enable Redis TLS connection

Open pandorra2 opened this issue 1 year ago • 2 comments

No existing issues.

  • [x] There is no existing issue for my request.

Description

(shortened, was previously discussed on discord)

Redis seems to support TLS (only) connection meanwhile, see https://github.com/redis/ioredis#tls-options

Also, it seems ioBroker is basically able to do so, but some details are still missing, as iob setup custom fails

Docker log: Error accepting a client connection: error:0A00010B:SSL routines::wrong version number (addr=172.24.0.1:52566 laddr=172.24.0.2:6379)

ioBroker log: The DB port 6379 is occupied by something that is not a Redis protocol server. Please check other software running on this port or, if you use iobroker, make sure to update to js-controller 2.0 or higher!

Basic config example for Redis:

port 0
tls-port 6379
tls-cert-file /var/ssl/server.crt
tls-key-file /var/ssl/server.key
tls-ca-cert-file /var/ssl/CA.crt
tls-protocols "TLSv1.3"

Why?

Encrypted communication also with objects/states database

How?

https://github.com/redis/ioredis https://ioredis.readthedocs.io/en/stable/README/#tls-options

pandorra2 avatar Dec 17 '23 16:12 pandorra2

I guess we would need to provide a config option to specify the path to the certificate.

How have you specified the connection to the secure server in ioBroker? Have you used the rediss:// prefix in front of the host?

foxriver76 avatar Dec 18 '23 12:12 foxriver76

To be honest I've tried nothing but having Redis running with TLS and iob setup custom.

MarcBerg gave it a try with this.settings.connection.options.tls={rejectUnauthorized: false}; param in objects/statesInRedisClient.js. Seems to work, but as Apollon77 referred, that would just disable certificate checks altogether.

Regarding rediss:// I've just tried:

Host / Unix Socket of states DB (redis), default[127.0.0.1]:

With Redis TLS active, both the regular IP and the hostname error with

The DB port 6379 is occupied by something that is not a Redis protocol server. Please check other software running on this port or, if you use iobroker, make sure to update to js-controller 2.0 or higher!

With the rediss:// prefix, both just can't connect:

New Database could not be connected. Please check your settings. No settings have been changed.

I'd guess setup just can't/doesn't handle the prefix

pandorra2 avatar Dec 18 '23 12:12 pandorra2

@pandorra2 To test whether this is the correct approach to solve it:

Can you try to add to your /opt/iobroker/iobroker-data/iobroker.json, under the key objects or states (or both if you use Redis for both), a new key tls with this structure:

"tls": {
  "ca": "content of your ca.crt"
}

Does connection work then?

foxriver76 avatar May 02 '24 07:05 foxriver76