I have a master with the below TLS configuration:

```
port 0
tls-port 6379
tls-cert-file /path/to/redis.crt
tls-key-file /path/to/redis.key
tls-ca-cert-file /path/to/ca.crt
tls-auth-clients no
```

I connect to the redis master using `redis-cli --tls`.

After this, I tried to set up a replica with the below TLS configuration:

```
port 0
tls-port 6379
tls-cert-file /path/to/redis.crt
tls-key-file /path/to/redis.key
tls-ca-cert-file /path/to/ca.crt
tls-auth-clients no
tls-replication yes
```

Considering a replica is a client and tls-auth-clients is no, why is the master trying to verify the certs here? I did not set up any client certs in the replica to use for tls-replication. How can we enable a TLS connection between the replica and master without certificate validation or client authentication at the master end?

Comment From: yossigo

@Nareshgg It should work - are you sure it's the master failing client authentication, and not the client failing to authenticate the master's cert? Please post some logs.

Comment From: Nareshgg

@yossigo yes, the replica is failing to start a sync with the master.

If I keep tls-replication no:

```
7853:S 02 Dec 2022 17:50:28.430 * MASTER <-> REPLICA sync started
7853:S 02 Dec 2022 17:50:28.431 * Non blocking connect for SYNC fired the event.
7853:S 02 Dec 2022 17:50:28.431 # Error reply to PING from master: '-Reading from master: Connection reset by peer'
```

(I understand this is expected because I enabled TLS for the master.)

If I keep tls-replication yes:

```
5947:S 02 Dec 2022 17:42:13.994 * MASTER <-> REPLICA sync started
5947:S 02 Dec 2022 17:42:13.996 # Error condition on socket for SYNC: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
```

This is where the problem is. I don't want to pass any certs from the client or replica to get validated by the master, as I disabled client authentication at the master.

Does this mean we are enforcing the replica to go through client authentication at the master end to start the sync with the TLS-enabled master?

Comment From: yossigo

@Nareshgg No, as you stated above the replica is just another client, so if you set tls-auth-clients no the replica is not required to present a valid certificate.

The failure you see is the replica not being able to verify the master's certificate, probably because its issuer is not listed in the tls-ca-cert-file file on the replica side.

Comment From: Nareshgg

@yossigo yes, you're right about the replica not being able to verify the master's certificate. It worked after adding the master's CA to the 'tls-ca-cert-file' file on the replica side. However, during this time I was seeing these errors on the master's side, which actually misled me:

```
22961:M 03 Dec 2022 12:22:05.282 # Error accepting a client connection: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol (conn: fd=7)
22961:M 03 Dec 2022 12:22:06.290 # Error accepting a client connection: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
```

Comment From: yossigo

@Nareshgg Typically, these errors indicate a non-TLS client established a connection.

Comment From: ganeshkumarganesan

> The failure you see is the replica not being able to verify the master's certificate, probably because its issuer is not listed in the tls-ca-cert-file file on the replica side.

@yossigo - I'd want to get some clarification on this. Assume we have dynamically generated self-signed certificates (ca.crt, server.crt, server.key) in master and replica (both are running in standalone mode), each with a separate ca.key. The "tls-auth-clients" property is set to "no" in both master and replica. In such a situation, I am experiencing the following problem.

Master:

```
20491:M 01 Aug 2023 13:10:15.832 # Error accepting a client connection: error:0A000418:SSL routines::tlsv1 alert unknown ca
```

Slave:

```
30019:S 01 Aug 2023 13:10:37.945 # Error condition on socket for SYNC: error:0A000086:SSL routines::certificate verify failed
```

Is this expected behaviour?

If we use the same ca.key to generate the self-signed certificates of master and replica, replication works fine.

Do we have to maintain the ca.key at our end? Or is there any other way to configure replication between master and replica with certificates generated from different ca.key files?

Please let me know if you need any clarifications. Thanks.

Comment From: ganeshkumarganesan

Hi @yossigo Did you get a chance to look into this?

Comment From: yossigo

@ganeshkumarganesan This is expected. The certificate presented by the master (server) needs to be signed, directly or indirectly, by the CA certificate that is configured on the replica (the client). This has nothing to do with tls-auth-clients, which determines if the server (master in this case) needs to authenticate its clients.
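The following script is an added example, not code from this thread or from the Redis project. It reproduces the situation described above offline with `openssl`: two nodes, each with its own self-signed CA and a server certificate issued by that CA, then checks the master's certificate against what the replica's `tls-ca-cert-file` would contain. The directory layout, file names and CNs are constructed for the demo; it assumes `openssl` is on PATH. The check it performs is the same trust-chain verification the replica runs on the master's certificate when it opens the SYNC connection, which is independent of `tls-auth-clients`.

```shell
#!/bin/sh
# Added example (not from the Redis project or this thread): reproduce the
# replica-side "certificate verify failed" with two independent CAs, then
# show the fix. Assumes `openssl` is on PATH; paths, names and CNs are
# constructed for this demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# make_ca NAME: a self-signed CA for one node, stored under $WORK/NAME.
make_ca() {
  mkdir -p "$WORK/$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORK/$1/ca.key" -out "$WORK/$1/ca.crt" \
    -subj "/CN=$1-ca" >/dev/null 2>&1
}

# make_server_cert NAME: NAME's redis.crt (its tls-cert-file) signed by
# NAME's own CA, i.e. the "separate ca.key per node" setup from the thread.
make_server_cert() {
  openssl req -newkey rsa:2048 -nodes \
    -keyout "$WORK/$1/redis.key" -out "$WORK/$1/redis.csr" \
    -subj "/CN=$1" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/$1/redis.csr" \
    -CA "$WORK/$1/ca.crt" -CAkey "$WORK/$1/ca.key" -CAcreateserial \
    -out "$WORK/$1/redis.crt" -days 1 >/dev/null 2>&1
}

# chains_to CAFILE CERT: succeeds only if CERT is signed, directly or
# indirectly, by a CA in CAFILE. This is the check the replica performs on
# the master's certificate using its tls-ca-cert-file.
chains_to() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# replica_can_sync TRUSTFILE: TRUSTFILE plays the replica's tls-ca-cert-file.
replica_can_sync() {
  if chains_to "$1" "$WORK/master/redis.crt"; then
    echo "trust store $1: master cert verified, SYNC would proceed"
  else
    echo "trust store $1: certificate verify failed (the error from the thread)"
    return 1
  fi
}

run_demo() {
  make_ca master
  make_ca replica
  make_server_cert master
  make_server_cert replica

  # Broken setup: the replica trusts only its own CA, so the master's
  # certificate cannot be verified.
  replica_can_sync "$WORK/replica/ca.crt" || true

  # Fix 1: point the replica's tls-ca-cert-file at the master's CA.
  replica_can_sync "$WORK/master/ca.crt"

  # Fix 2: a PEM bundle containing both CAs also works, so each node can keep
  # its own ca.key as long as the replica's bundle includes the master's CA.
  cat "$WORK/master/ca.crt" "$WORK/replica/ca.crt" > "$WORK/replica/ca-bundle.crt"
  replica_can_sync "$WORK/replica/ca-bundle.crt"
}

run_demo
```

Reading the two logs from the thread together: the replica rejects the master's certificate, and the "tlsv1 alert unknown ca" the master logs on accept is the alert the replica sends back after that rejection. So an "unknown ca" on the accepting side points at the replica's trust store, not at `tls-auth-clients`, which only governs whether the master demands a certificate from its clients.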