I have Redis 7.2.1 on an Ubuntu machine and am trying to form a TLS cluster of 6 nodes with the below TLS-related configuration on each node:

port 0
tls-port 6377
tls-cert-file /usr/redis-tls/RootCA/redis0-cert.pem
tls-key-file /usr/redis-tls/RootCA/redis0.key
tls-key-file-pass test123
tls-ca-cert-file /usr/redis-tls/RootCA/ca-chain.cert.pem
tls-auth-clients no
tls-replication yes
tls-cluster yes
tls-protocols "TLSv1.2 TLSv1.3"
The server cert has the chain Root CA -> Intermediate CA -> Server cert. The CA cert file in the above configuration is basically a bundle of the intermediate and root CA. And I am sure that my certificates are fine, as the same certificates work perfectly fine with a single or standalone Redis instance.
When I fire the cluster create command with TLS-enabled redis-cli, it just hangs in "Waiting for the cluster to join" and the logs say:
Error accepting cluster node connection: error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed.
So the question here is: all my Redis nodes' config files have tls-auth-clients no set, so why did cluster creation try to verify a client certificate? Am I missing anything in the configuration?
Comment From: zuiderkwast
tls-auth-clients is for clients only. It is not used for cluster nodes connecting to each other. For that, there is always mutual authentication.
Why? My guess is that for clients, Redis can require the AUTH command to authenticate instead of a client certificate, but for cluster nodes, a client certificate is the only way to authenticate. Without authentication, TLS is not very secure.
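A pre-flight check for the situation above, added here and not part of the issue or of Redis itself: because cluster nodes always authenticate each other, each node's tls-cert-file is also presented to its peers as a client certificate, so it must chain to the peers' tls-ca-cert-file bundle and, if it carries an extendedKeyUsage, that EKU must include clientAuth. The script reproduces the Root -> Intermediate -> node layout with a throwaway chain (demo-root, demo-inter and redis0 are constructed names) and runs the verification with openssl; it assumes openssl 1.1.1 or later on PATH.

```shell
#!/bin/sh
# Added example, not from the issue. Pre-flight check of a Redis cluster
# node's certificate with plain openssl, from the peer's point of view.

# check_cluster_node_cert CERT CA_BUNDLE -> exit 0 if CERT chains to CA_BUNDLE
# and passes OpenSSL's "sslclient" purpose check (what a peer verifying the
# node's certificate on the cluster bus will see).
check_cluster_node_cert() {
    openssl verify -CAfile "$2" -purpose sslclient "$1" >/dev/null 2>&1
}

# Build a throwaway Root -> Intermediate -> node chain in a temp dir, like the
# hierarchy in the issue. All names are constructed. Prints the directory.
build_demo_chain() {
    dir=$(mktemp -d) || return 1
    (
        set -e
        cd "$dir"
        printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
        printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth,clientAuth\n' > node.ext
        printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' > serveronly.ext
        # Root CA, self-signed
        openssl req -newkey rsa:2048 -nodes -subj /CN=demo-root -keyout root.key -out root.csr
        openssl x509 -req -in root.csr -signkey root.key -days 1 -extfile ca.ext -out root.pem
        # Intermediate CA, signed by the root
        openssl req -newkey rsa:2048 -nodes -subj /CN=demo-inter -keyout inter.key -out inter.csr
        openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
            -days 1 -extfile ca.ext -out inter.pem
        # Node cert usable as server AND client, plus a server-only one for contrast
        openssl req -newkey rsa:2048 -nodes -subj /CN=redis0 -keyout redis0.key -out redis0.csr
        openssl x509 -req -in redis0.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
            -days 1 -extfile node.ext -out redis0-cert.pem
        openssl x509 -req -in redis0.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
            -days 1 -extfile serveronly.ext -out serveronly-cert.pem
        # The bundle the issue points tls-ca-cert-file at: intermediate + root
        cat inter.pem root.pem > ca-chain.cert.pem
    ) >/dev/null 2>&1 || return 1
    echo "$dir"
}

# Usage: sh check.sh /path/to/redisN-cert.pem /path/to/ca-chain.cert.pem
if [ -n "$1" ] && [ -n "$2" ]; then
    if check_cluster_node_cert "$1" "$2"; then
        echo "OK: $1 verifies as a client certificate against $2"
    else
        echo "FAIL: $1 would be rejected by peers using $2"
    fi
fi
```

Run it once per node against the bundle every node uses as tls-ca-cert-file; a FAIL here is the same "certificate verify failed" the cluster bus reports.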