Fedora 41
Sponsored Link

Valkey : SSL/TLS Setting2024/11/15
 

Configure SSL/TLS Setting on Valkey.

[1] Create self-signed certificate. If you use valid certificate like Let's Encrypt or others, skip this section.
[root@dlp ~]#
cd /etc/pki/tls/certs

[root@dlp certs]#
openssl req -x509 -nodes -newkey rsa:2048 -keyout valkey.pem -out valkey.pem -days 3650 

Generating a RSA private key
..+++++
.............+++++
writing new private key to 'valkey.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:JP                                    # country code
State or Province Name (full name) []:Hiroshima                         # State
Locality Name (eg, city) [Default City]:Hiroshima                       # city
Organization Name (eg, company) [Default Company Ltd]:GTS               # company
Organizational Unit Name (eg, section) []:Server World                  # department
Common Name (eg, your name or your server's hostname) []:dlp.srv.world  # server's FQDN
Email Address []:root@srv.world                                         # admin's email
[root@dlp certs]#
chmod 600 valkey.pem

[root@dlp certs]#
chown valkey:valkey valkey.pem

[2] Configure Valkey.
[root@dlp ~]#
vi /etc/valkey/valkey.conf
# line 139 : change : disable it with [0]

port
0
# line 194: uncomment

tls-port 6379
# line 200, 201 : uncomment and specify certificate

tls-cert-file
/etc/pki/tls/certs/valkey.pem

tls-key-file
/etc/pki/tls/certs/valkey.pem
# line 245 : uncomment

tls-auth-clients no
[root@dlp ~]#
systemctl restart valkey

[3] Connect to Valkey with SSL/TLS from clients. If connect from other Hosts, it needs to transfer certificate to them.
[root@node01 ~]#
ll /etc/pki/tls/certs 

total 4
lrwxrwxrwx. 1 root   root     49 Sep 23 09:00 ca-bundle.crt -> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
lrwxrwxrwx. 1 root   root     55 Sep 23 09:00 ca-bundle.trust.crt -> /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
-rw-------. 1 valkey valkey 3160 Nov 15 09:55 valkey.pem

# specify [tls] option and certificate
[root@node01 ~]# valkey-cli -h dlp.srv.world --tls \
--cert /etc/pki/tls/certs/valkey.pem \
--key /etc/pki/tls/certs/valkey.pem \
--cacert /etc/pki/tls/certs/valkey.pem

dlp.srv.world:6379> auth password
OK
dlp.srv.world:6379> info
# Server
redis_version:7.2.4
server_name:valkey
valkey_version:8.0.1
redis_git_sha1:00000000
redis_git_dirty:0
redis_build_id:480577b1fe2c407e
server_mode:standalone
os:Linux 6.11.5-300.fc41.x86_64 x86_64
arch_bits:64
monotonic_clock:POSIX clock_gettime
multiplexing_api:epoll
gcc_version:14.2.1
process_id:1561
process_supervised:systemd
run_id:7200b4d0f9f0b4bd156101e63f6111127e18fe3e
tcp_port:6379
.....
.....
Matched Content