I am attempting to use redis-server 6.0.3 with TLS built for my project. I attempted to use my LetsEncrypt fullchain.pem file for this. In order to actually use this file, I need a new configuration option, tls-cert-is-chained. When this option is set, Redis should read the certificate as a certificate chain file.
Current logic:

```c
if (SSL_CTX_use_certificate_file(ctx, ctx_config->cert_file, SSL_FILETYPE_PEM) <= 0) {
```

Fixed logic:

```c
int ret = -1;
if (ctx_config->cert_is_chained)
    /* new tls-cert-is-chained option: load leaf plus intermediates */
    ret = SSL_CTX_use_certificate_chain_file(ctx, ctx_config->cert_file);
else
    ret = SSL_CTX_use_certificate_file(ctx, ctx_config->cert_file, SSL_FILETYPE_PEM);
if (ret <= 0) {
```
I could look into creating a pull request for this, if needed. The only part I am not certain about at the moment is the configuration handling.
Cheers, Kevin
Comment From: vosscodes
I ran into this and can confirm this fixed my issue with chained certs.
@kevin-fwu good find! Are you planning to PR this?
Comment From: kevin-fwu
@vosscodes Yeah, sure. Shouldn’t be much to it.
Comment From: vosscodes
A one-line change is all that's needed:

```c
if (SSL_CTX_use_certificate_chain_file(ctx, ctx_config->cert_file) <= 0) {
```

This is recommended by OpenSSL, and I've tested it with both chained certs and the test certs generated by /utils/gen-test-certs.sh.
For reference, redis-cli is already doing this: https://github.com/antirez/redis/blob/unstable/src/redis-cli.c#L804
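The difference between the two OpenSSL loaders discussed above (and the "must configure a CA" start-up failure reported later in the thread) can be checked offline before touching a server. The following Python is an added example, not Redis or OpenSSL code: it splits a PEM bundle the way `SSL_CTX_use_certificate_chain_file` does (first block is the server cert, the rest is the chain), emulates the leaf-only behaviour of `SSL_CTX_use_certificate_file`, and audits the `tls-*` directives of a redis.conf fragment. The PEM blocks, file paths and config text are constructed placeholders, not real certificates.

```python
"""Added example: emulate OpenSSL's two PEM loaders and audit redis.conf TLS settings."""
import re

# One PEM certificate block: header, base64 body, footer (non-greedy, DOTALL).
_PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\r?\n.*?\r?\n-----END CERTIFICATE-----",
    re.DOTALL,
)


def split_pem_certs(pem_text):
    """Return every certificate block in a PEM bundle, in file order."""
    return _PEM_CERT_RE.findall(pem_text)


def load_leaf_only(pem_text):
    """SSL_CTX_use_certificate_file semantics: only the first certificate is
    used; any intermediates that follow it are silently ignored."""
    certs = split_pem_certs(pem_text)
    if not certs:
        raise ValueError("no certificate found in PEM data")
    return certs[0]


def load_chain(pem_text):
    """SSL_CTX_use_certificate_chain_file semantics: the first certificate is
    the server certificate, the remaining ones are sent as the chain, in order."""
    certs = split_pem_certs(pem_text)
    if not certs:
        raise ValueError("no certificate found in PEM data")
    return certs[0], certs[1:]


def parse_redis_tls_conf(conf_text):
    """Collect tls-* directives from redis.conf text (directive, value)."""
    settings = {}
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if parts[0].startswith("tls-"):
            settings[parts[0]] = parts[1] if len(parts) > 1 else ""
    return settings


def audit_tls_conf(conf_text, pem_files, loader_uses_chain):
    """Return human-readable findings for a redis.conf fragment.

    pem_files maps tls-cert-file paths to their PEM contents (read offline here);
    loader_uses_chain says whether the server build loads the full chain file."""
    findings = []
    settings = parse_redis_tls_conf(conf_text)
    cert_path = settings.get("tls-cert-file")
    if cert_path is None:
        findings.append("tls-cert-file is not set")
    else:
        count = len(split_pem_certs(pem_files.get(cert_path, "")))
        if count == 0:
            findings.append(f"{cert_path}: no certificate found")
        elif count > 1 and not loader_uses_chain:
            findings.append(
                f"{cert_path}: {count} certificates but the server loads only the "
                "first; clients will receive an incomplete chain"
            )
    if "tls-ca-cert-file" not in settings and "tls-ca-cert-dir" not in settings:
        findings.append(
            "neither tls-ca-cert-file nor tls-ca-cert-dir is set; the server "
            "refuses to start without one"
        )
    return findings


def _fake_cert(label):
    # Constructed placeholder: PEM-shaped block, not a real certificate.
    return f"-----BEGIN CERTIFICATE-----\n{label}\n-----END CERTIFICATE-----\n"


# Constructed sample inputs (hypothetical paths, fake PEM bodies).
SAMPLE_FULLCHAIN = _fake_cert("LEAF") + _fake_cert("INTERMEDIATE")
SAMPLE_FILES = {"/path/to/fullchain.pem": SAMPLE_FULLCHAIN}
SAMPLE_CONF_NO_CA = (
    "port 0\ntls-port 6379\n"
    "tls-cert-file /path/to/fullchain.pem\n"
    "tls-key-file /path/to/privkey.pem\n"
)
SAMPLE_CONF_WITH_CA = SAMPLE_CONF_NO_CA + "tls-ca-cert-file /path/to/chain.pem\n"

if __name__ == "__main__":
    for name, conf, chained in (("leaf-only build", SAMPLE_CONF_NO_CA, False),
                                ("chain-file build", SAMPLE_CONF_WITH_CA, True)):
        print(name, "->", audit_tls_conf(conf, SAMPLE_FILES, chained) or "no findings")
```

Running the script shows the two findings a 6.0.3-style build would produce for a LetsEncrypt fullchain.pem without a CA directive, and none once the chain loader is used and a CA file is configured.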
Comment From: devansvd
Can confirm this issue on Docker redis-alpine:6.0.3: `SSL_connect failed: certificate verify failed` for a Let's Encrypt certificate with CA.
If I try to set tls-auth-clients no, the server won't start without a CA: `Either tls-ca-cert-file or tls-ca-cert-dir must be configured!`
Also, it is not respecting tls-auth-clients no. It always throws verification failed.
Comment From: yossigo
The tls-auth-clients issue is fixed by #7457.