Describe the bug
Using redis-cli with inline authentication via -u uri, if adding the flag --tls, the Terminal returns "AUTH failed".
To reproduce
redis-cli --tls -u redis://admin:some_password@some_host:some_port
Here is the error returned:
Warning: Using a password with '-a' or '-u' option on the command line interface may not be safe.
Warning: AUTH failed
This is wrong. As without using -u uri switch, everything works fine. For example:
redis-cli -h some_host -p some_port --tls
AUTH admin some_password
then we can do PING command successfully.
Expected behavior
One can use -u uri with --tls without any problem.
Additional information
I'm using OVH Redis managed database. Not absolutely sure if the issue is due to OVH implementation or Redis bug.
Redis version:
- Server side: 6.2.
- Client side: 6.0.16
Client OS:
lsb_release -a
# No LSB modules are available.
# Distributor ID: Ubuntu
# Description: Ubuntu 22.04 LTS
# Release: 22.04
# Codename: jammy
Comment From: ThachNgocTran
A work-around could be:
redis-cli -h some_host -p some_port --user admin --pass some_pass --tls
Nevertheless, it is still a bug.
Comment From: oranagra
@ThachNgocTran i think the fact you use redis:// after the --tls means it overrides the TLS flag.
you should either use rediss:// or put the --tls after the -u.
Comment From: ThachNgocTran
@oranagra Thanks for the response.
If I use:
redis-cli -u rediss://admin:some_pass@rsome_host:some_port
I got (when doing the PING command):
Warning: Using a password with '-a' or '-u' option on the command line interface may not be safe.
Warning: AUTH failed
some_host:some_port> ping
(error) NOAUTH Authentication required.
Alternatively, if I use:
redis-cli -u redis://admin:some_pass@some_host:some_port --tls
I got:
Warning: Using a password with '-a' or '-u' option on the command line interface may not be safe.
Warning: AUTH failed
some_host:some_port> ping
(error) NOAUTH Authentication required.
Summarily, your suggestion doesn't seem to work. Thanks anyway. :)
Comment From: ranshid
@ThachNgocTran - I cannot seem to be able to reproduce this issue on both unstable and the latest 6.2 (6.2.7 e6f6709) - can you maybe check on which OSS commit the OVH Redis is based on?
Comment From: ThachNgocTran
@ranshid The Redis implementation from OVH can be read here: https://docs.ovh.com/de/publiccloud/databases/redis/capabilities/
It's a managed Redis so many features are not available, e.g. CONFIG, MIGRATE.
Comment From: BSVogler
Cannot reproduce on OVH instance as well. I suspect some ACL issue or some user error.
@ThachNgocTran Please double check your commands and the config.
Comment From: ThachNgocTran
The firewall (on Ubuntu) was already disabled.
sudo ufw status verbose
# Status: inactive
Commands below still don't work:
redis-cli -u redis://admin:some_pass@some_host:20185 --tls
redis-cli -u rediss://admin:some_pass@some_host:20185 --tls
# Error: Warning: AUTH failed
BTW:
redis-cli --version
# redis-cli 6.0.16
Comment From: cpressland
I'm also seeing this with Azure Redis:
$ redis-cli -u $(kubectl get secret azure-redis -o go-template='{{.data.url_primary|base64decode}}')
AUTH failed: WRONGPASS invalid username-password pair
host.redis.cache.windows.net:6380>
In this case .data.url_primary is in the following format: rediss://:<password>@<host>.redis.cache.windows.net:6380/0
If I run the command as:
$ redis-cli --tls \
-a $(kubectl get secret azure-redis -o go-template='{{.data.access_key_primary|base64decode}}') \
-h $(kubectl get secret azure-redis -o go-template='{{.data.host|base64decode}}') \
-p $(kubectl get secret azure-redis -o go-template='{{.data.port|base64decode}}')
host.redis.cache.windows.net:6380>
Everything works as expected. The above connection string works fine in redis-py, so I don't think the format is incorrect.
Comment From: meowfishorg
I recently have the same problem using a version of 6. (redis-cli). The problem was solved after updating to 7.. Might not be your case, but...