Redis [QUESTION] If option "--tls-auth-clients no" is working?

Hello, I really hope on your suggestion because I'm not sure what I'm doing wrong. Since previously my application connected to Redis (before v. 6) via TLS by creating stunnel it was only server TLS certificate connection. Currently to help customers with transfer to newer Redis version I'm developing a proof of concept for single TLS Redis and then Redis Sentinel SSL. Here what I've made for that: .env

CONTAINER=redis:7.2-rc1-alpine
EXPOSE_IP=<Host IP here>
MASTER_PORT=6380

docker-compose.yml

version: '3'

networks:
  redis-network:
    driver: bridge

volumes:
  tls:
    driver_opts:
      type: tmpfs
      device: tmpfs

services:
    redis_master:
        image: ${CONTAINER}
        container_name: redis-master
        networks: 
            - redis-network
        ports:
            - ${MASTER_PORT}:6379
        command: sh -c "
             echo \"Installing OpenSSL\"
             && apk add --update --no-cache openssl
             && echo \"Generating keys for all Redis instances\"
             && /gen-redis-certs.sh
             && redis-server 
             --bind 0.0.0.0
             --protected-mode no
             --requirepass 1234567890
             --tls-port 6379 --port 0
             --tls-cert-file /tls/redis.crt 
             --tls-key-file /tls/redis.key 
             --tls-ca-cert-file /tls/ca.crt
             --tls-auth-clients no
            "
        volumes:
          - tls:/tls
          - ./gen-redis-certs.sh:/gen-redis-certs.sh

gen-redis-certs.sh was taken from another example with little modification. (mentioned in file comments) gen-redis-certs.sh.zip As you can see I mentioned "--tls-auth-clients no" option in command line to let clients connect without client certificate (as I understand that) When Redis server is launched by command docker-compose -f docker-compose.yml up I'm running another shell in the same conatiner for redis-cli checks by docker exec -it redis-master /bin/sh Theoretically I should be able to connect to Redis-server by just redis-cli -a 1234567890 -h localhost -p 6379 --tls, but I'm getting an error "SSL_connect failed: certificate verify failed". Though I didn't want to use client.crt and key they are generated by gen-redis-certs.sh too and I'm able to successfully connet to Redis-server in the same shell by redis-cli -a 1234567890 -h localhost -p 6379 --tls --cert /tls/client.crt --key /tls/client.key --cacert /tls/ca.crt All experiments were done with multiple different versions with the same result (the latest 7.2-rc in my sample above). Could you please explain me what I'm doing wrong in my try to disable client certificate check and suggest a way to make that more accurate?

I've attached original docker-compose.yml.zip just in case format could be ruined in the post.

Thank you, Felix

Comment From: soloestoy

tls-auth-clients means client certificates are not required on server side, but client require verify server's certificates by default, you need append --insecure to redis-cli.