CentOS Stream 8
Sponsored Link

Redis 6 : SSL/TLS Setting2021/06/28
 
Configure SSL/TLS Setting on Redis.
[1] Create self-signed certificate. If you use valid certificate like Let's Encrypt or others, skip this section.
[root@www ~]#
cd /etc/pki/tls/certs

[root@www certs]#
openssl req -x509 -nodes -newkey rsa:2048 -keyout redis.pem -out redis.pem -days 3650 

Generating a RSA private key
..+++++
.............+++++
writing new private key to 'redis.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:JP   # country code
State or Province Name (full name) []:Hiroshima    # State
Locality Name (eg, city) [Default City]:Hiroshima  # city
Organization Name (eg, company) [Default Company Ltd]:GTS  # company
Organizational Unit Name (eg, section) []:Server World     # department
Common Name (eg, your name or your server's hostname) []:www.srv.world  # server's FQDN
Email Address []:root@srv.world   # admin's email
[root@www certs]#
chmod 600 redis.pem

[root@www certs]#
chown redis. redis.pem

[2] Configure Redis.
[root@www ~]#
vi /etc/redis.conf
# line 91 : change : disable it with [0]

port
0
# line 138: uncomment

tls-port 6379
# line 144,145 : uncomment and specify certificate

tls-cert-file
/etc/pki/tls/certs/redis.pem

tls-key-file
/etc/pki/tls/certs/redis.pem
# line 156 : uncomment and parent directory of certs

tls-ca-cert-dir
/etc/pki/tls/certs

# line 165 : uncomment

tls-auth-clients no
[root@www ~]#
systemctl restart redis

[3] Connect to Redis with SSL/TLS from clients. If connect from other Hosts, it needs to transfer certificate to them.
[root@node01 ~]#
ll /etc/pki/tls/certs 

total 4
lrwxrwxrwx. 1 root  root    49 Jun 17 00:06 ca-bundle.crt -> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
lrwxrwxrwx. 1 root  root    55 Jun 17 00:06 ca-bundle.trust.crt -> /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
-rw-------. 1 redis redis 3164 Jun 25 01:39 redis.pem

# specify [tls] option and certificate
[root@node01 ~]# redis-cli -h www.srv.world --tls \
--cert /etc/pki/tls/certs/redis.pem \
--key /etc/pki/tls/certs/redis.pem \
--cacert /etc/pki/tls/certs/redis.pem

www.srv.world:6379> auth password
OK
www.srv.world:6379> info
# Server
redis_version:6.0.9
redis_git_sha1:00000000
redis_git_dirty:0
redis_build_id:aff2285c2ffdf166
redis_mode:standalone
os:Linux 4.18.0-310.el8.x86_64 x86_64
arch_bits:64
multiplexing_api:epoll
atomicvar_api:atomic-builtin
gcc_version:8.4.1
process_id:3804
run_id:38d1d7f3c1749bab861e1262b64e64aef6e918b0
tcp_port:6379
.....
.....
Matched Content