Grokzen/redis-py-cluster

How do I connect to an AWS ElastiCache for Redis node (cluster mode enabled) with in-transit encryption?

Closed this issue · 6 comments

Hi,

I launched an ElastiCache for Redis node (cluster mode disabled) with in-transit encryption on AWS.
How do I access it with redis-py-cluster?

Post its configuration:

Configuration Endpoint:   clustercfg.qa-xxx-redis-in-transit.ezddv7.usw1.cache.amazonaws.com:6379
Engine:  Clustered Redis
Engine Version Compatibility: 5.0.6
Encryption in-transit:  Yes
Encryption at-rest: No

I tried to use redis-py-cluster to connect to redis, but it looks like it is always in the pending state.
This time has lasted 3 minutes. Please see my screenshot.

Thanks!

Try passing ssl=True into your client, as in-transit encryption is just the AWS shitty name for SSL/TLS, which makes no sense why they don't just name it as ssl or tls to make it much more clear -_-

it doesn't work for me, see #369

@zibuyule The solution that was mentioned inside the linked ticket is the following

nevermind i found the answer

ssl_cert_reqs='none'

...

@zibuyule The root problem in your case is the top exception `Unknown command "CONFIG" ...`; that is your root problem and not the SSL parts. When you are running in AWS with ElastiCache there is a problem that AWS has configured redis to not be compatible with the clustered way we do node discovery. We check with each node whether you have set the option `cluster-require-full-coverage` inside your redis-server config. But since we can't send CONFIG to the server you get this exception.

To solve this issue you send skip_full_coverage_check=True into your RedisCluster client instance and it will not send this config to the server for you.

@zibuyule I deleted your image there as it contained a bit too much information that could leak your full DNS addresses to your redis nodes in the cloud. They should not be disclosed, as the part you blanked out was not good enough and I could almost guess myself or just brute force the blanked out part and possibly get some kind of access to your cloud instances. I hope you don't mind me doing this for you even if the information was public for about 5h or so. Please don't post that personal information in the future w/o masking all info and not just a small bit of private information.

@zibuyule You are using the wrong endpoint. You should use the node endpoint, not the configuration endpoint.
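
The client options raised in this thread (ssl=True, ssl_cert_reqs, skip_full_coverage_check) can be checked before a connection is attempted. The following is an added example, not code from this issue or from redis-py-cluster: `hardened_kwargs`, `audit_cluster_kwargs`, `connect` and the CA bundle path are hypothetical names, and `ssl_ca_certs` is the redis-py option that names a CA file.

```python
import ssl


def hardened_kwargs(ca_bundle):
    """Client options from the thread, with certificate verification kept on."""
    return {
        "ssl": True,                       # "in-transit encryption" is TLS
        "ssl_cert_reqs": "required",       # verify the server certificate
        "ssl_ca_certs": ca_bundle,         # assumed path to a trusted CA bundle
        "skip_full_coverage_check": True,  # do not send CONFIG during discovery
    }


def audit_cluster_kwargs(kwargs, config_blocked=True):
    """Return (category, message) findings for a RedisCluster kwargs dict.

    config_blocked=True models a service where clients cannot run CONFIG,
    as described for ElastiCache in the thread.
    """
    findings = []
    if not kwargs.get("ssl"):
        findings.append(("security", "ssl is off: a TLS endpoint expects ssl=True"))
    else:
        reqs = kwargs.get("ssl_cert_reqs", "required")
        # Treated here as "verification disabled": None, 'none' or ssl.CERT_NONE.
        if reqs is None or reqs == ssl.CERT_NONE or str(reqs).lower() == "none":
            findings.append(("security", "ssl_cert_reqs disables certificate "
                             "verification: the server's identity is not checked"))
        elif not kwargs.get("ssl_ca_certs"):
            findings.append(("review", "no ssl_ca_certs: trusted CAs depend on "
                             "the defaults of the installed redis-py version"))
    if config_blocked and not kwargs.get("skip_full_coverage_check"):
        findings.append(("compat", "skip_full_coverage_check is off: discovery "
                         "will send CONFIG, which the server rejects"))
    return findings


def connect(host, port, ca_bundle):
    """Connect with verified TLS; host, port and ca_bundle are caller-supplied."""
    from rediscluster import RedisCluster  # lazy import: needs redis-py-cluster
    kwargs = hardened_kwargs(ca_bundle)
    findings = audit_cluster_kwargs(kwargs)
    if findings:
        raise ValueError(findings)
    return RedisCluster(startup_nodes=[{"host": host, "port": port}], **kwargs)
```

Running `audit_cluster_kwargs` on the options quoted in the thread (`ssl=True`, `ssl_cert_reqs='none'`, `skip_full_coverage_check=True`) reports one security finding: the connection is encrypted but the server certificate is not verified.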