CentOS Stream 9
Sponsored Link

Redis 6 : SSL/TLS Setting2022/07/04
 
Configure SSL/TLS Setting on Redis.
[1] Create self-signed certificate. If you use valid certificate like Let's Encrypt or others, skip this section.
[root@dlp ~]#
cd /etc/pki/tls/certs

[root@dlp certs]#
openssl req -x509 -nodes -newkey rsa:2048 -keyout redis.pem -out redis.pem -days 3650 

Generating a RSA private key
..+++++
.............+++++
writing new private key to 'redis.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:JP                                    # country code
State or Province Name (full name) []:Hiroshima                         # State
Locality Name (eg, city) [Default City]:Hiroshima                       # city
Organization Name (eg, company) [Default Company Ltd]:GTS               # company
Organizational Unit Name (eg, section) []:Server World                  # department
Common Name (eg, your name or your server's hostname) []:dlp.srv.world  # server's FQDN
Email Address []:root@srv.world                                         # admin's email
[root@dlp certs]#
chmod 600 redis.pem

[root@dlp certs]#
chown redis. redis.pem

[2] Configure Redis.
[root@dlp ~]#
vi /etc/redis/redis.conf
# line 98 : change : disable it with [0]

port
0
# line 145: uncomment

tls-port 6379
# line 151, 152 : uncomment and specify certificate

tls-cert-file
/etc/pki/tls/certs/redis.pem

tls-key-file
/etc/pki/tls/certs/redis.pem
# line 187 : uncomment and parent directory of certs

tls-ca-cert-dir
/etc/pki/tls/certs

# line 196 : uncomment

tls-auth-clients no
[root@dlp ~]#
systemctl restart redis

[3] Connect to Redis with SSL/TLS from clients. If connect from other Hosts, it needs to transfer certificate to them.
[root@node01 ~]#
ll /etc/pki/tls/certs 

total 4
lrwxrwxrwx. 1 root  root    49 Nov 17  2021 ca-bundle.crt -> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
lrwxrwxrwx. 1 root  root    55 Nov 17  2021 ca-bundle.trust.crt -> /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
-rw-------. 1 redis redis 3160 Jul  1 16:28 redis.pem

# specify [tls] option and certificate
[root@node01 ~]# redis-cli -h dlp.srv.world --tls \
--cert /etc/pki/tls/certs/redis.pem \
--key /etc/pki/tls/certs/redis.pem \
--cacert /etc/pki/tls/certs/redis.pem

dlp.srv.world:6379> auth password
OK
dlp.srv.world:6379> info
# Server
redis_version:6.2.7
redis_git_sha1:00000000
redis_git_dirty:0
redis_build_id:ec192bdd77ecd321
redis_mode:standalone
os:Linux 5.14.0-115.el9.x86_64 x86_64
arch_bits:64
monotonic_clock:POSIX clock_gettime
multiplexing_api:epoll
atomicvar_api:c11-builtin
gcc_version:11.3.1
process_id:1639
process_supervised:systemd
run_id:c104db2c6fe39ba6d401f3c092806db345dbe42e
tcp_port:6379
server_time_usec:1656660604309166
uptime_in_seconds:150
uptime_in_days:0
.....
.....
Matched Content