Return master Hostname instead of ip

When we request the master address from Sentinel, it returns the IP instead of the HOSTNAME, so the backend Node.js client tries to connect with the IP and the server returns an error saying the IP doesn't match the certificate.

My config is below, with 3 Redis processes (1 master, 2 slaves) on different ports on the same server, and 3 sentinels set up the same way. Note: I have proper SSL certs, and host IP and DNS names are mapped.

Redis.conf

port 0
tls-port 6379
tls-cluster yes
tls-protocols "TLSv1.2 TLSv1.3"
tls-ciphersuites TLS_CHACHA20_POLY1305_SHA256
tls-cert-file /data/certs/cert.pem
tls-key-file /data/certs/key.pem
tls-ca-cert-file /data/certs/ca.pem
tls-replication yes
tls-auth-clients yes
replicaof testredis1.test.com

Sentinel.conf

port 0
tls-port 26379
tls-protocols "TLSv1.2"
tls-ciphersuites TLS_CHACHA20_POLY1305_SHA256
tls-cert-file "/data/certs/cert.pem"
tls-key-file "/data/certs/key.pem"
tls-ca-cert-file "/data/certs/ca.pem"
tls-auth-clients yes
tls-replication yes

sentinel monitor RedisMaster 127.0.0.1 6379 2
sentinel down-after-milliseconds RedisMaster 5000

ERROR: error: Error [ERR_TLS_CERT_ALTNAME_INVALID]: Hostname/IP does not match certificate's altnames: IP: 127.0.0.1 is not in the cert's list: +5ms
[ioredis] Unhandled error event: Error [ERR_TLS_CERT_ALTNAME_INVALID]: Hostname/IP does not match certificate's altnames: IP: 127.0.0.1 is not in the cert's list:
    at Object.checkServerIdentity (tls.js:250:17)
    at TLSSocket.onConnectSecure (_tls_wrap.js:1098:27)
    at TLSSocket.emit (events.js:198:13)

To reproduce

Basic Redis Sentinel setup with TLS, connecting with the Node.js client.

Expected behavior

Sentinel should return the hostname of the master so the Node.js client can connect using the domain names.

Comment From: oranagra

@sivanagireddyb can you please add a bit more details, and maybe an example showing the problem to avoid confusion?

Comment From: sivanagireddyb

@oranagra Added a detailed description.

Comment From: yossigo

@sivanagireddyb Sentinel currently has other issues (such as #7758) when hostnames are used instead of IPs, so those will have to be resolved before addressing this particular issue.

Until then, the best option is to disable matching of hostname to certificate name. As long as your Certificate Authority is a private one, the security implications of this should be minor.

Comment From: mvasi90

The replica instance acts as a client. Where are the client certificate and key? The conf file is changed by the Sentinel instance at any time. This means that the same conf file acts as server and client.

Redis uses the server key and certificate to connect to the server that uses the same key and certificate? pfff... I think the Redis push is hasty. It should be only local commits until a feature is fully functional.

This way you avoid people wasting time on something that doesn't work.

Comment From: yossigo

@mvasi90 I think stating this doesn't work is very inaccurate.

You are right that currently there is no way to configure a different cert/key for Redis as a client. In many (most?) cases that's not an issue, but it could become a problem depending on the configuration of the certificates (e.g. if key usage attributes are specified, etc.).

Additional configuration for separate certificates could be useful, and so could many other TLS and non-TLS related enhancements. Software development is an incremental effort and holding back everything until it's 100% perfect is rarely an option. If you feel something is broken or missing you're welcome to file an issue describing your finding or ideas.

BTW all of this of course has nothing to do with the problem described in this issue which involves Sentinel advertising services by their IPs and not hostnames.

Comment From: mvasi90

I'm using a Public Key Infrastructure with subordinate CAs and a client certificate acts as a client certificate, while a server certificate acts as a server certificate. I don't know what concept of security you have.

If you feel something is broken or missing you're welcome to file an issue describing your finding or ideas.

Of course, I wish I could do that but I'm very busy. When I appear "in public" saying something, it is because it is wrong.

BTW all of this of course has nothing to do with the problem described in this issue which involves Sentinel advertising services by their IPs and not hostnames.

You are right, it is another issue. But it is related to TLS.

Comment From: yossigo

This issue has been addressed by #8282. Note that hostnames are not supported by default though, specific configuration is required to enable this.