
Redis mtls failing

Nitesh-vaidyanath opened this issue 2 years ago

Expected Behavior

Getting an error when trying to connect to a Redis cluster using the Go "github.com/go-redis/redis/v9" client. I am able to connect successfully using redis-cli and Python with an mTLS client certificate, whereas it is failing from Go.

Current Behavior

I am using self-signed certs on the server, and rootcacert consists of the certificate chain.

Error log:

redis: 2022/09/26 15:36:37 cluster.go:1580: getting command info: remote error: tls: unknown certificate authority
redis: 2022/09/26 15:36:38 cluster.go:1580: getting command info: remote error: tls: unknown certificate authority

Possible Solution

Not sure

Steps to Reproduce

server redis_version:6.2.6

remote error: tls: unknown certificate authority

package main

import (
    "crypto/tls"
    "crypto/x509"
    "encoding/json"
    "errors"
    "fmt"
    "io/ioutil"

    "github.com/go-redis/redis/v9"

    "example.com/internal/configmap" // placeholder path: the author's own helper package, not shown in the issue
)

// redisCluster holds the values read from redisClusterConfig.json; the field set is
// assumed from the uses below, since the issue does not show the original type.
type redisCluster struct {
    Addrs    []string
    Username string
}

func RedisCluster() (*redis.ClusterClient, error) {
    var rediscluster redisCluster
    // read redis cluster information
    rootCAs, _ := x509.SystemCertPool()
    fmt.Println(rootCAs) // debug output
    if rootCAs == nil {
        rootCAs = x509.NewCertPool()
    }
    redisConfig, err := configmap.Load("/etc/config/redisClusterConfig.json")
    if err != nil {
        return nil, err
    }
    if err := json.Unmarshal([]byte(redisConfig["redisClusterConfig.json"]), &rediscluster); err != nil {
        return nil, err
    }
    // read redis password, root crt, client crt and client key
    rootcacert, err := ioutil.ReadFile("/etc/secret/resolver-redis-ca-cert")
    if err != nil {
        return nil, err
    }
    redisClusterPassword, err := configmap.Load("/etc/secret/resolver-redis-cluster-password") // returns map[string]string
    if err != nil {
        return nil, err
    }
    // AppendCertsFromPEM reports false, not an error, when nothing in the file parses as a certificate
    if !rootCAs.AppendCertsFromPEM(rootcacert) {
        return nil, errors.New("no certificate could be parsed from the CA file")
    }
    // read client cert and key pair; every CERTIFICATE block in the cert file is sent to the server
    clientKeyPair, err := tls.LoadX509KeyPair("/etc/secret/resolver-redis-client-cert", "/etc/secret/resolver-redis-client-key")
    if err != nil {
        return nil, err
    }
    // fmt.Println(rootCAs)
    // fmt.Printf("%+v\n", clientKeyPair)
    redisOpts := redis.ClusterOptions{
        Addrs: rediscluster.Addrs,
        TLSConfig: &tls.Config{
            RootCAs:      rootCAs,
            Certificates: []tls.Certificate{clientKeyPair},
        },
        // Username: rediscluster.Username,
        Password: redisClusterPassword["resolver-redis-cluster-password"],
    }
    rdb := redis.NewClusterClient(&redisOpts)
    return rdb, nil
}

Context (Environment)

All environments

Detailed Description

I tried recreating the self-signed certs, but it is still failing from the Go redis client.

Server side error

20127:M 26 Sep 2022 22:04:14.722 # Error accepting a client connection (10.5.2.4): error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed

Nitesh-vaidyanath, Sep 27 '22 05:09