I'm running Redis v6.0.5 with TLS. I can successfully connect over TLS with client authentication enabled as long as I configure the trusted certificate in redis.conf using the tls-ca-cert-file directive. For example,

tls-ca-cert-file /etc/pki/tls/trusted/ca.crt

However, if I switch this to using the tls-ca-cert-dir directive, then authentication fails. Here's how I specify the directory in redis.conf:

tls-ca-cert-dir /etc/pki/tls/trusted

Here's the error I get in the server log when I try to connect:

Error accepting a client connection: error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed

Am I doing something wrong or is this a bug?

Comment From: yossigo

@banker You need to make sure the CA certificate you use has been installed properly.

Details may differ between Linux distros but typically it involves placing the file with a .crt name extension in /usr/local/share/ca-certificates and running update-ca-certificates.

Comment From: banker

@yossigo Verified that this works. Apparently when using tls-ca-cert-dir, you can't just throw the .crt file into any old directory. It seems that you need to point to the official directory containing the trusted certs and that, as you said, these need to be installed properly.

At least on Ubuntu 20.04, that means:

  1. Copying your cert to /usr/local/share/ca-certificates/
  2. Running update-ca-certificates
  3. Verifying that a symlink for the certificate has been generated in /etc/ssl/certs

Once I do that, I can specify /etc/ssl/certs as the argument to tls-ca-cert-dir, and TLS with mutual auth works correctly.

Comment From: slushpuppy

^^ for those who may also have issues, ensure that the .crt files are system-wide readable as well in the /usr/local/share/ca-certificates/ directory:

i.e. chmod 0777 /usr/local/share/ca-certificates/*.crt
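The reason behind the thread: Redis passes tls-ca-cert-dir to OpenSSL as a CApath, and CApath lookup only finds files named after the CA subject hash (the <hash>.0 symlinks that update-ca-certificates creates in /etc/ssl/certs), so a .crt copied into an arbitrary directory under its own name is never consulted. The following is an added example script, not Redis code or anything from the participants above; it builds a hashed CA directory from a plain .crt (with a constructed throw-away CA and client cert) and checks a client certificate against it the way Redis's trust check would, leaving the files readable but not world-writable.

```bash
#!/usr/bin/env bash
# Hypothetical helper (added example, not Redis code). Redis hands tls-ca-cert-dir
# to OpenSSL as a CApath, which is searched by file name <subject_hash>.<n>, so a
# CA file dropped into a directory under its own name is never found. This script
# builds such a directory from a plain .crt and checks a client cert against it.
set -eu

# Create a throw-away CA in $1/trusted and a client cert it signs in $1 (constructed test data).
make_test_pki() {
  local d=$1
  mkdir -p "$d/trusted"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Test CA" \
    -keyout "$d/ca.key" -out "$d/trusted/ca.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=constructed-client" \
    -keyout "$d/client.key" -out "$d/client.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$d/client.csr" -CA "$d/trusted/ca.crt" \
    -CAkey "$d/ca.key" -CAcreateserial -out "$d/client.crt" 2>/dev/null
}

# Copy every .crt in $1 into $2 as <subject_hash>.<n>, the layout CApath lookup needs
# (the same layout update-ca-certificates / openssl rehash produce in /etc/ssl/certs).
build_capath() {
  local src=$1 dst=$2 crt hash n
  mkdir -p "$dst"
  for crt in "$src"/*.crt; do
    hash=$(openssl x509 -noout -subject_hash -in "$crt")
    n=0
    while [ -e "$dst/$hash.$n" ]; do n=$((n + 1)); done   # distinct CAs sharing a hash get .1, .2, ...
    cp "$crt" "$dst/$hash.$n"
    chmod 0644 "$dst/$hash.$n"   # readable by the redis user, writable only by the owner
  done
}

# Succeed only if $1 chains to a CA that CApath lookup can find in $2 (what Redis's verify does).
verify_with_capath() {
  openssl verify -CApath "$2" "$1" >/dev/null 2>&1
}

demo() {
  local work; work=$(mktemp -d)
  make_test_pki "$work/pki"
  # The issue's setup: the CA sits in a directory under its original name, so verify fails.
  verify_with_capath "$work/pki/client.crt" "$work/pki/trusted" && echo "plain dir: OK?!" \
    || echo "plain .crt directory: certificate verify failed (as in the issue)"
  # The fix: a hashed directory, so verify succeeds.
  build_capath "$work/pki/trusted" "$work/hashed"
  verify_with_capath "$work/pki/client.crt" "$work/hashed" && echo "hashed CApath: OK"
  rm -rf "$work"
}
demo
```

Pointing tls-ca-cert-dir at the directory that build_capath produces gives the same result as pointing it at /etc/ssl/certs after update-ca-certificates.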