elasticache redis not responding to redis-cli commands - redis

I have set up ElastiCache with Redis and the host is reachable, which I can confirm with telnet. When Redis commands are issued it does not return any result, e.g. with ubuntu@ip-10-0-2-8:~$ redis-cli -h master.xxxxxx-xxxx.xxxxx.xxxx.cache.amazonaws.com -p 6379 INFO, and very unfortunately AWS can't show you Redis logs.

The redis-cli client does not support SSL/TLS connections. To use the
redis-cli to access an ElastiCache for Redis node (cluster mode
disabled) with in-transit encryption, you can use the stunnel package
in your Linux-based clients. The stunnel command can create an SSL
tunnel to Redis nodes specified in the stunnel configuration. After
the tunnel is established, the redis-cli can be used to connect an
in-transit encryption enabled cluster node.
Source: https://aws.amazon.com/premiumsupport/
So you can either use stunnel or disable in-transit encryption.

You need to add a firewall rule to allow other machines to access your Redis server. I mean you need to enable a firewall rule so that port 6379 is accessible from outside. The following article will help you to do this.
Also please make sure Redis is running on port 6379 or some other port.
https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/accessing-elasticache.html#access-from-outside-aws

Related

How to connect redis managed service [From Redis Cloud and not AWS/GCP] with redis-cli? Operation timed out

I have created a redis memcached database on https://app.redislabs.com/ and trying to connect to that using command line. I am using:
redis-cli -h <HOST> -p <PORT> -a <Password>
But it keeps returning:
Could not connect to Redis at <HOST:PORT>: Operation timed out
Do we need to do any additional configurations to connect to Redis cloud server?
This is a timeout error, which means the Redis instance is not reachable from your machine. Make sure the traffic is allowed from your machine to Redis Labs. In Redis Labs you can define the network range for connectivity.
Also try to telnet to the port, telnet <HOST> <PORT>; if it's not connecting then it's a connectivity issue only.

Issue configuring redis cluster with TLS

I'm trying to set up a Redis cluster using Redis 6.0.10 compiled with TLS support. This is the part of the config related to TLS and cluster:
port 0
tls-port 6390
tls-cert-file /usr/local/redis6/tls/redisTLS.pem
tls-key-file /usr/local/redis6/tls/redis.key
tls-ca-cert-file /usr/local/redis6/tls/redistlschain.crt
tls-replication yes
tls-cluster yes
tls-auth-clients no
cluster-enabled yes
Also I'm using the requirepass option. I have 3 nodes, each with 2 instances. Each has a similar config with the same certs and key.
When I try to create a cluster with the following command:
/usr/local/redis6/bin/redis-cli --tls --cert /usr/local/redis6/tls/redisTLS.pem --key /usr/local/redis6/tls/redis.key --cacert /usr/local/redis6/tls/redistlschain.crt -a somepass -p 6390 --cluster create 10.1.22.11:6390 10.1.22.11:6391 10.1.22.12:6390 10.1.22.12:6391 10.1.22.13:6390 10.1.22.13:6391 --cluster-replicas 1
it gets stuck on connecting nodes. In the log files I see the following errors:
Accepting cluster node connection from 10.1.22.11:41398
Error accepting cluster node connection: error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed
It seems like an issue with the certificate, but when I use those certificates with the redis-cli utility or other Redis clients they work successfully. I can connect to the Redis instance and execute commands.
So it's not clear what should be fixed in the certificate setup.
Is something wrong with the server certificate? Or do I need a client certificate in addition?
I have the option tls-auth-clients set to "no", so I expected that a client certificate is not needed (the docs also mention this).
Also, do I need a different server certificate for each node, or is it ok to have the same one on all nodes?
Any help would be appreciated.
Thanks

Error: Connection reset by peer while connecting to ElastiCache using stunnel method

I am using ElastiCache single node shard Redis 4.0 or later version.
I enabled in-transit encryption and set a Redis AUTH token.
I created one bastion host with stunnel using this link
https://aws.amazon.com/premiumsupport/knowledge-center/elasticache-connect-redis-node/
I am able to connect to the ElastiCache Redis node in the following way
redis-cli -h hostname -p 6379 -a mypassword
and I can do telnet also.
BUT
when I PING (expected response "PONG") in redis-cli after connecting, it gives
"Error: Connection reset by peer"
I checked the security groups on both sides.
Any idea?
Bastion host: Ubuntu 16.04 machine
As I mentioned in question, I was running the command like this:
redis-cli -h hostname -p 6379 -a mypassword
The correct way to connect to an ElastiCache cluster through stunnel should be using "localhost" as the host address, like this:
redis-cli -h localhost -p 6379 -a mypassword
There is an explanation for using the localhost address:
when you create a tunnel between your bastion server and the ElastiCache host through stunnel, the program will start a service that listens on a local TCP port (6379), encapsulates the communication using the SSL protocol and transfers the data between the local server and the remote host.
You need to start stunnel, check that the service is listening on the localhost address (127.0.0.1), and connect using "localhost" as the destination address:
Start stunnel. (Make sure you have installed stunnel using this link https://aws.amazon.com/premiumsupport/knowledge-center/elasticache-connect-redis-node/)
$ sudo stunnel /etc/stunnel/redis-cli.conf
Use the netstat command to confirm that the tunnels have started:
$ netstat -tulnp | grep -i stunnel
You can now use the redis-cli to connect to the encrypted Redis node using the local endpoint of the tunnel:
$ redis-cli -h localhost -p 6379 -a MySecretPassword
localhost:6379> set foo "bar"
OK
localhost:6379> get foo
"bar"
Most probably the ElastiCache Redis instance is using encryption in-transit and encryption at-rest, and by design the Redis CLI is not compatible with the encryption.
You need to set up stunnel to connect to the Redis cluster:
https://datanextsolutions.com/blog/how-to-fix-redis-cli-error-connection-reset-by-peer/
"Error: Connection reset by peer" indicates that Redis is killing your connection without sending any response.
One possible cause is that you are trying to connect to the Redis node without using SSL, as your connection will get rejected by the Redis server without a response [1]. Make sure you are connecting through the correct port of your tunnel proxy. If you are connecting directly from the bastion host, you should be using localhost.
Another option is that you have incorrectly configured your stunnel to not include a version of SSL that is supported by Redis. You should double-check that the config file is exactly the same as the one provided in the support doc.
If that doesn't solve your problem, you can try to build the CLI included in AWS's open source contribution [2]. You'll need to check out the repository, follow the instructions in the readme, and then run make BUILD_SSL=yes to build redis-cli.
[1] https://github.com/madolson/redis/blob/unstable/src/ssl.c#L464
[2] https://github.com/madolson/redis/blob/unstable/SSL_README.md
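Both stunnel answers above describe the same procedure: a local plaintext listener that stunnel wraps in TLS, with redis-cli pointed at localhost rather than at the ElastiCache hostname. The script below is an added example, not code from the original posts or from AWS: it writes such a stunnel client config and picks the right redis-cli invocation. Two things the quoted AWS config leaves out are included. First, redis-cli has had a native --tls option since Redis 6.0, so on a current client no tunnel is needed at all. Second, stunnel does not verify the server certificate unless told to (verifyChain / checkHost), so the AWS config as quoted would happily tunnel to a spoofed endpoint. The endpoint name, local port and CA bundle path are assumptions.

```shell
#!/usr/bin/env sh
# Added example: reach a TLS-only ElastiCache endpoint from redis-cli.
# Not from the original posts or from AWS. Endpoint, ports and CA path
# below are assumptions for illustration.

# redis-cli gained a native --tls flag in Redis 6.0; the 3.x-5.x clients
# the answers above were written for need a TLS tunnel instead.
# $1 = first line of `redis-cli --version`, e.g. "redis-cli 5.0.7".
# Returns 0 when --tls is available, 1 when a tunnel is required.
redis_cli_supports_tls() {
    major=$(printf '%s\n' "$1" | sed -n 's/^redis-cli \([0-9][0-9]*\)\..*/\1/p')
    [ -n "$major" ] && [ "$major" -ge 6 ]
}

# Write a stunnel client config: plaintext listener on 127.0.0.1:$2,
# TLS out to $1:6379. Unlike the minimal config in the AWS article, this
# one verifies the server certificate chain and hostname, so a spoofed
# or intercepted endpoint is rejected instead of silently tunnelled to.
# $1 = ElastiCache primary endpoint, $2 = local port, $3 = output file,
# $4 = CA bundle (defaults to the Debian/Ubuntu system bundle).
write_stunnel_conf() {
    host=$1; lport=$2; out=$3; cafile=${4:-/etc/ssl/certs/ca-certificates.crt}
    cat > "$out" <<EOF
; stunnel runs fine as an unprivileged user here: 127.0.0.1:${lport} is
; not a privileged port, and an empty pid= disables the pid file.
fips = no
pid =
foreground = yes
debug = 4
delay = yes
options = NO_SSLv2
options = NO_SSLv3
options = NO_TLSv1
options = NO_TLSv1.1

[redis-cli]
client = yes
accept = 127.0.0.1:${lport}
connect = ${host}:6379
verifyChain = yes
checkHost = ${host}
CAfile = ${cafile}
EOF
}

# Print the redis-cli command to type. Through stunnel the host MUST be
# the local listener: pointing a plaintext redis-cli at the ElastiCache
# hostname is what produces the "Connection reset by peer" above.
# On redis-cli 5.0+ export REDISCLI_AUTH=<auth token> beforehand instead
# of passing -a, so the token does not show up in `ps` or shell history.
redis_cli_command() {
    version_line=$1; host=$2; lport=$3
    if redis_cli_supports_tls "$version_line"; then
        printf 'redis-cli --tls -h %s -p 6379\n' "$host"
    else
        printf 'redis-cli -h 127.0.0.1 -p %s\n' "$lport"
    fi
}

# Demo run (offline): constructed endpoint, config written to a temp file.
ENDPOINT=master.example-cache.abc123.use1.cache.amazonaws.com
CONF=$(mktemp)
write_stunnel_conf "$ENDPOINT" 6379 "$CONF"
echo "stunnel config written to $CONF:"; cat "$CONF"
echo "with redis-cli 5.x: $(redis_cli_command 'redis-cli 5.0.7' "$ENDPOINT" 6379)"
echo "with redis-cli 6.x: $(redis_cli_command 'redis-cli 6.2.6' "$ENDPOINT" 6379)"
# On the bastion: stunnel "$CONF" &   then confirm the listener with
#   ss -ltnp | grep 6379     (or netstat -tulnp on older hosts)
```

If the tunnel is up but the endpoint's certificate does not chain to the CA bundle or does not carry the endpoint's name, stunnel logs the verification failure and closes the local connection; that is the desired behaviour, and the fix is the CAfile, not disabling verifyChain.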

Can't connect to a remote server even though the config seems correct

My Redis instance is running at 192.168.1.101.
Redis version is 4.0.1
I want to be able to connect to this Redis instance from 192.168.1.103, but I can't.
I type redis-cli -h 192.168.1.101 -p 6379 -a myredisPasswordisHere while I'm at 192.168.1.103
It returns
Could not connect to Redis at 192.168.1.101:6379: Connection refused
Could not connect to Redis at 192.168.1.101:6379: Connection refused
Here's the related part of redis.conf; it's located at /usr/local/etc/redis.conf. I've installed it via Homebrew.
TL;DR
protected-mode yes
bind 192.168.1.100 192.168.1.101 192.168.1.102 192.168.1.103 192.168.1.104
requirepass myredisPasswordisHere
What's wrong here?
For the Redis service to be available for other remote hosts to query, you need to bind it publicly using bind 0.0.0.0.
As the other comments from @Itamar and @Mark clearly mention, bind isn't the list of IP addresses that can connect but rather the interfaces on the local machine. Once the service is publicly available and running with 0.0.0.0, for your requirement of only allowing specific hosts you need some kind of firewall with a whitelist of IP addresses that can access this host, which you can achieve with iptables.
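The answer above gives the right fix (bind to a local address, then restrict clients with a firewall), but it is worth being precise about why the original config fails: every address on a bind line must exist on the server itself, and Redis 4 refuses to start at all if it cannot bind one of them, which a remote client sees as exactly the "Connection refused" in the question. The shell script below is an added example, not code from the question or the answers: it lints a redis.conf for that mistake, checks whether protected mode is what is actually blocking remote access, and emits an iptables allowlist for the clients that should reach port 6379. The sample config, addresses and file names are constructed.

```shell
#!/usr/bin/env sh
# Added example, not from the original thread: lint a redis.conf bind line
# and produce a client allowlist. Addresses and files are constructed.

# Addresses on `bind` must be LOCAL interface addresses. Redis 4 exits with
# "Could not create server TCP listening socket ... bind: Cannot assign
# requested address" if any of them is not, so nothing is listening.
# $1 = redis.conf, $2 = this host's addresses (e.g. "$(hostname -I)").
# Prints each bound address that is not local; returns 1 if there are any.
check_bind_addresses() {
    conf=$1; local_addrs=$2; bad=0
    bound=$(sed -n 's/^[[:space:]]*bind[[:space:]][[:space:]]*\(.*\)$/\1/p' "$conf")
    for a in $bound; do
        case " $local_addrs " in
            *" $a "*) ;;
            *) echo "$a"; bad=1 ;;
        esac
    done
    return $bad
}

# Protected mode (Redis >= 3.2) refuses remote clients only when ALL of
# protected-mode yes (the default), no bind directive and no requirepass
# hold. With a bind line or a password it is not the reason for a refusal.
# $1 = redis.conf. Returns 0 when protected mode is what blocks remote access.
protected_mode_active() {
    conf=$1
    pm=$(awk '$1=="protected-mode" {v=$2} END {print (v=="" ? "yes" : v)}' "$conf")
    [ "$pm" = "yes" ] || return 1
    grep -q '^[[:space:]]*bind[[:space:]]' "$conf" && return 1
    grep -q '^[[:space:]]*requirepass[[:space:]]' "$conf" && return 1
    return 0
}

# `bind` is not an access list; the allowlist belongs in the host firewall.
# $1 = redis port, remaining args = client addresses/CIDRs allowed in.
# Prints the iptables commands so they can be reviewed before running them.
iptables_allowlist() {
    port=$1; shift
    for client in "$@"; do
        printf 'iptables -A INPUT -p tcp --dport %s -s %s -j ACCEPT\n' "$port" "$client"
    done
    printf 'iptables -A INPUT -p tcp --dport %s -j DROP\n' "$port"
}

# Demo (offline): the question's bind line on a server whose only addresses
# are 127.0.0.1 and 192.168.1.101.
CONF=$(mktemp)
cat > "$CONF" <<'EOF'
protected-mode yes
bind 192.168.1.100 192.168.1.101 192.168.1.102 192.168.1.103 192.168.1.104
requirepass myredisPasswordisHere
EOF
echo "non-local bind addresses (redis-server will not start with these):"
check_bind_addresses "$CONF" "127.0.0.1 192.168.1.101" || true
if protected_mode_active "$CONF"; then echo "protected mode blocks remote clients"
else echo "protected mode is not the cause here"; fi
echo "firewall rules to allow only 192.168.1.103:"
iptables_allowlist 6379 192.168.1.103
rm -f "$CONF"
```

With the question's config this prints the four client addresses as non-local, reports that protected mode is not involved, and prints an ACCEPT rule for 192.168.1.103 followed by a DROP for everyone else. The corrected redis.conf keeps `bind 127.0.0.1 192.168.1.101` (the server's own addresses) and leaves access control to those rules.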

Redis Sentinel Authentication

I have 3 Servers with Redis and Sentinel Running.
All instances have in the configuration
requirepass XXX
masterauth XXX
I can connect with redis-cli to the Redis server, but if I try to connect to the Sentinel I cannot authenticate.
root@ip-:/usr/lib/nagios/plugins# redis-cli -p 26379
127.0.0.1:26379> AUTH xxx
(error) ERR unknown command 'AUTH'
127.0.0.1:26379>
If I use the same command but with the redis port it works.
Thanks
best
You have to set up auth for the sentinels too. I mean requirepass <password> in sentinel.conf. More info on this here and here. Be careful, as not every client supports this setup.
Also, you need to set sentinel auth-pass <master-name> <password> in that file, in order for the sentinels to be able to administer secured Redis servers. (But I'm guessing you already did that.)
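Three separate password settings are in play here, and the answer above names two of them. The script below is an added example, not code from the question or the answer: it reads a redis.conf and a sentinel.conf and checks that they agree, for the master name and file contents shown (constructed for the demo). It also checks masterauth, because after a Sentinel failover the old master becomes a replica and authenticates to the new master with its own masterauth, so on a symmetric setup like the questioner's it has to equal requirepass. Note that requirepass in sentinel.conf needs Redis 5.0.1 or newer; on older Sentinels AUTH is exactly the "unknown command" in the question and the only protection for port 26379 is network-level.

```shell
#!/usr/bin/env sh
# Added example, not from the original thread: check that the passwords
# in redis.conf and sentinel.conf line up. Master name and file contents
# below are constructed for the demo.
#
#   redis.conf     requirepass <pw>                  clients -> redis
#   redis.conf     masterauth  <pw>                  this node, as a replica -> master
#   sentinel.conf  sentinel auth-pass <master> <pw>  sentinel -> redis (must equal requirepass)
#   sentinel.conf  requirepass <pw>                  clients -> sentinel (Redis >= 5.0.1)

# Value of the last occurrence of a top-level directive. $1 = file, $2 = name.
conf_value() {
    awk -v k="$2" '$1==k {v=$2} END {if (v!="") print v}' "$1"
}

# Password Sentinel uses towards a monitored master. $1 = sentinel.conf, $2 = master name.
sentinel_auth_pass() {
    awk -v m="$2" '$1=="sentinel" && $2=="auth-pass" && $3==m {v=$4} END {if (v!="") print v}' "$1"
}

# $1 = redis.conf, $2 = sentinel.conf, $3 = master name.
# Prints one line per finding; the return value is the number of findings.
check_sentinel_auth() {
    redis_conf=$1; sentinel_conf=$2; master=$3; n=0
    pw=$(conf_value "$redis_conf" requirepass)
    masterauth=$(conf_value "$redis_conf" masterauth)
    auth_pass=$(sentinel_auth_pass "$sentinel_conf" "$master")
    sentinel_pw=$(conf_value "$sentinel_conf" requirepass)

    if [ -z "$pw" ]; then
        echo "redis.conf: no requirepass, the data port is open to anyone who can reach it"; n=$((n+1))
    fi
    if [ -n "$pw" ] && [ "$auth_pass" != "$pw" ]; then
        echo "sentinel.conf: 'sentinel auth-pass $master' does not match the master's requirepass"; n=$((n+1))
    fi
    if [ -n "$pw" ] && [ "$masterauth" != "$pw" ]; then
        echo "redis.conf: masterauth differs from requirepass; replication breaks after a failover"; n=$((n+1))
    fi
    if [ -z "$sentinel_pw" ]; then
        echo "sentinel.conf: no requirepass, so AUTH fails and anyone reaching 26379 can issue SENTINEL FAILOVER"; n=$((n+1))
    fi
    return $n
}

# Demo (offline) with constructed files that reproduce the question:
# the Redis instances are secured, the Sentinel is not.
R=$(mktemp); S=$(mktemp)
cat > "$R" <<'EOF'
port 6379
requirepass XXX
masterauth XXX
EOF
cat > "$S" <<'EOF'
port 26379
sentinel monitor mymaster 10.0.0.11 6379 2
sentinel auth-pass mymaster XXX
EOF
check_sentinel_auth "$R" "$S" mymaster || echo "$? finding(s)"
rm -f "$R" "$S"
```

The demo reports the single finding that matters for the question: the Sentinel has no requirepass of its own. Adding `requirepass <password>` to sentinel.conf on every Sentinel (and restarting them) makes `AUTH` work on 26379 and, more importantly, stops anyone who can reach the port from triggering a failover.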