Hello,
The insecure flag on redis-cli skips the certificate validation, and allows the use of "untrusted" (or unrecognized) certificates to establish the TLS/SSL session.
Technically, data in-transit is encrypted, but you haven't confirmed if the remote peer is actually who it claims to be, hence it is considered insecure.
In your case, the docker container does not include the Amazon Root CA (Certificate Authority) used to sign Elasticache certificates.
This can be easily overcome by installing the ca-certificates package (package name valid on Debian, which is the base Operating System for Redis images).
As an example:
$ docker run -it --rm redis /bin/bash -c "apt-get update && apt-get install ca-certificates -y && redis-cli --verbose -h ***.cache.amazonaws.com --tls"
Verifying the package contents:
# dpkg -L ca-certificates | grep Amazon
/usr/share/ca-certificates/mozilla/Amazon_Root_CA_1.crt
/usr/share/ca-certificates/mozilla/Amazon_Root_CA_2.crt
/usr/share/ca-certificates/mozilla/Amazon_Root_CA_3.crt
/usr/share/ca-certificates/mozilla/Amazon_Root_CA_4.crt
You probably want to update or create a custom image including the ca-certificates package so you don't need to install it every time the container starts.
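A custom image along the lines suggested above, as an added example that is not part of the original answer. It uses the same `redis` base image as the command above; the build-time check uses the certificate path from the `dpkg -L` output and Debian's standard bundle location, and the image name `redis-tls` in the note below is hypothetical.

```dockerfile
# Added example: bake the CA bundle into the image so redis-cli can verify
# the ElastiCache certificate and --insecure is never needed.
FROM redis

# Install the Debian CA bundle once, at build time, and drop the apt cache.
RUN apt-get update \
 && apt-get install -y --no-install-recommends ca-certificates \
 && rm -rf /var/lib/apt/lists/*

# Fail the build early if the Amazon root or the generated bundle is missing,
# instead of discovering it as a TLS verification error at run time.
RUN test -s /usr/share/ca-certificates/mozilla/Amazon_Root_CA_1.crt \
 && test -s /etc/ssl/certs/ca-certificates.crt
```

After `docker build -t redis-tls .`, the client can be started with `docker run -it --rm redis-tls redis-cli --verbose -h ***.cache.amazonaws.com --tls`, with certificate validation left on.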
Thank you for the response. I thought there might be a configuration on the redis cluster so that I don't have to do additional certificate installation, because I didn't have to use --insecure on a different redis cluster.