Hello, I created a 3-node Redis server (running 7.0.11) with replication and Sentinel, which works. However, when I enable TLS on the system following the instructions, the nodes can no longer connect to the master.
I did confirm the ports are open between the servers; there is no firewall blocking them. Could this be an issue where replication is trying to use the non-TLS port?
Server: Ubuntu 20.04 (latest patches)
Logs on a replica show:
3335:S 21 Jun 2023 18:18:05.045 * Reconnecting to MASTER 10.xx.xx.xx:6379 after failure
3335:S 21 Jun 2023 18:18:05.045 * MASTER ↔ REPLICA sync started
3335:S 21 Jun 2023 18:19:06.189 # Timeout connecting to the MASTER…
3335:S 21 Jun 2023 18:19:06.189 * Reconnecting to MASTER 10.xx.xx.xx:6379 after failure
I also see this:
4874:S 21 Jun 2023 19:42:21.617 - Client closed connection id=14 addr=10.xx.xx.xx:60608 laddr=10.252.128.175:6379 fd=11 name= age=15 idle=15 flags=N db=0 sub=0 psub=0 ssub=0 multi=-1 qbuf=283 qbuf-free=20191 argv-mem=0 multi-mem=0 rbs=1024 rbp=0 obl=0 oll=0 omem=0 tot-mem=22272 events=r cmd=NULL user=default redir=-1 resp=2
4874:S 21 Jun 2023 19:42:21.617 - Client closed connection id=15 addr=10.xx.xx.xx:60618 laddr=10.252.128.175:6379 fd=12 name= age=15 idle=15 flags=N db=0 sub=0 psub=0 ssub=0 multi=-1 qbuf=283 qbuf-free=20191 argv-mem=0 multi-mem=0 rbs=1024 rbp=0 obl=0 oll=0 omem=0 tot-mem=22272 events=r cmd=NULL user=default redir=-1 resp=2
TLS configuration in redis.conf:
tls-port 16379
tls-replication yes
tls-auth-clients no
tls-protocols "TLSv1.2 TLSv1.3"
tls-ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"
tls-ca-cert-dir "/opt/redis-ssl"
tls-cert-file "/opt/redis-ssl/redis-sentinel.pem"
tls-key-file "/opt/redis-ssl/redis-sentinel.pem"
tls-ca-cert-file "/opt/redis-ssl/redis-sentinel.pem"
tls-session-cache-timeout 60
Here is the config for sentinel:
tls-port 36379
tls-replication yes
tls-ca-cert-dir "/opt/redis-ssl"
tls-cert-file "/opt/redis-ssl/redis-sentinel.pem"
tls-key-file "/opt/redis-ssl/redis-sentinel.pem"
tls-ca-cert-file "/opt/redis-ssl/redis-sentinel.pem"
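The question's configs set `tls-replication yes`, yet the replica log shows it reconnecting to `MASTER 10.xx.xx.xx:6379`, the plaintext port rather than `tls-port 16379`. As an added example (not from the question, and not Redis project code), the Python below parses redis.conf / sentinel.conf text and reports the mismatches a reviewer would check first: a `replicaof` or `sentinel monitor` line that still names the non-TLS port, a plaintext listener left open next to the TLS one, `tls-auth-clients no`, and a private key stored in the same file that is used as the trust anchor. The sample configs are constructed from the settings shown in the question plus an assumed `replicaof` line and an assumed `sentinel monitor` line, which the question does not include; the master address `10.0.0.1` is also made up.

```python
import shlex


def parse_conf(text):
    """Parse redis.conf-style text into an ordered list of (directive, args).

    Directives are lower-cased; quoting follows the shell-like rules Redis
    uses, so `tls-protocols "TLSv1.2 TLSv1.3"` yields a single argument.
    Comments and blank lines are skipped.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)
        entries.append((parts[0].lower(), parts[1:]))
    return entries


def first_arg(entries, name, default=None):
    """Argument list of the first occurrence of directive `name`, else default."""
    for directive, args in entries:
        if directive == name:
            return args
    return default


def check_tls_replication(conf_text, master_tls_port=None):
    """Return (code, message) findings for one redis.conf or sentinel.conf.

    master_tls_port is the tls-port the master listens on. When None, we
    assume (and it is only an assumption) that every node uses the same
    tls-port as the file being checked.
    """
    entries = parse_conf(conf_text)
    findings = []

    tls_port = int(first_arg(entries, "tls-port", ["0"])[0])
    plain_port = int(first_arg(entries, "port", ["6379"])[0])  # Redis default
    tls_replication = first_arg(entries, "tls-replication", ["no"])[0].lower() == "yes"
    expected_master_port = master_tls_port or tls_port

    if tls_port == 0:
        findings.append(("NO_TLS_PORT", "tls-port is 0/unset: no TLS listener is enabled"))
    elif plain_port != 0:
        findings.append(("PLAINTEXT_LISTENER",
                         f"port {plain_port} still accepts plaintext next to tls-port {tls_port}; "
                         "set `port 0` once every client and replica speaks TLS"))

    # Replica side: with tls-replication yes the replica starts a TLS handshake
    # against whatever port replicaof names. Aiming it at the plaintext port
    # surfaces as a connect/handshake timeout rather than a clean error.
    replicaof = first_arg(entries, "replicaof") or first_arg(entries, "slaveof")
    if replicaof and tls_replication and int(replicaof[1]) != expected_master_port:
        findings.append(("REPLICAOF_PLAIN_PORT",
                         f"replicaof targets {replicaof[0]}:{replicaof[1]} with tls-replication on; "
                         f"the master's TLS port is expected to be {expected_master_port}"))

    # Sentinel side: `sentinel monitor <name> <ip> <port> <quorum>` must also
    # carry the master's TLS port once sentinel's own tls-replication is yes.
    for directive, args in entries:
        if directive == "sentinel" and len(args) >= 4 and args[0].lower() == "monitor":
            if tls_replication and int(args[3]) != expected_master_port:
                findings.append(("SENTINEL_MONITOR_PLAIN_PORT",
                                 f"sentinel monitor {args[1]} uses {args[2]}:{args[3]}; "
                                 f"expected TLS port {expected_master_port}"))

    if first_arg(entries, "tls-auth-clients", ["yes"])[0].lower() == "no":
        findings.append(("NO_CLIENT_AUTH",
                         "tls-auth-clients no: only the server is authenticated; replicas and "
                         "clients are not required to present a certificate"))

    key_file = first_arg(entries, "tls-key-file", [None])[0]
    ca_file = first_arg(entries, "tls-ca-cert-file", [None])[0]
    if key_file and key_file == ca_file:
        findings.append(("KEY_IN_TRUST_FILE",
                         f"{key_file} is both tls-key-file and tls-ca-cert-file: the private "
                         "key sits in the file that would be handed out as a trust anchor"))
    return findings


# Constructed samples modelled on the question's configs; the replicaof and
# sentinel monitor lines (and the 10.0.0.1 address) are assumptions.
SAMPLE_REDIS_CONF = """
port 6379
replicaof 10.0.0.1 6379
tls-port 16379
tls-replication yes
tls-auth-clients no
tls-protocols "TLSv1.2 TLSv1.3"
tls-cert-file "/opt/redis-ssl/redis-sentinel.pem"
tls-key-file "/opt/redis-ssl/redis-sentinel.pem"
tls-ca-cert-file "/opt/redis-ssl/redis-sentinel.pem"
"""

SAMPLE_SENTINEL_CONF = """
port 26379
sentinel monitor mymaster 10.0.0.1 6379 2
tls-port 36379
tls-replication yes
tls-cert-file "/opt/redis-ssl/redis-sentinel.pem"
tls-key-file "/opt/redis-ssl/redis-sentinel.pem"
tls-ca-cert-file "/opt/redis-ssl/redis-sentinel.pem"
"""

if __name__ == "__main__":
    for label, conf, master_port in (("redis.conf", SAMPLE_REDIS_CONF, None),
                                     ("sentinel.conf", SAMPLE_SENTINEL_CONF, 16379)):
        print(f"== {label}")
        for code, msg in check_tls_replication(conf, master_tls_port=master_port):
            print(f"  [{code}] {msg}")
```

Run against a real pair of files, the checker reads each node's conf and the sentinel conf, passing the master's real `tls-port` as `master_tls_port`; an empty result means the TLS ports line up and no plaintext listener remains.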