
I’m following this tutorial, and adjusting the Celery background-task related code for my project.

In my case I am operating in a Docker environment, and I have a secured site (i.e. https://localhost) which requires secure SSL communication.

The documentation in here shows an example on how to provide cert related files (keyfile, certfile, ca_certs).
But it is not clear to me how to create these files in the first place.

The tutorial in here shows how to create a custom certificate authority, and how to sign a certificate with it.
I followed the steps and created the 3 files:

  • keyfile – dev.mergebot.com.crt – the signed certificate (signed by myCA.pem)
  • ca_certs – dev.mergebot.com.key – private key to create a signed cert with “self-trusted CA”
  • certfile – myCA.pem – “self-trusted CA” certificate (filename in the tutorial: myCA.pem)

Note that I created these 3 files completely unrelated to Celery or Redis or Docker.
They were created on my local machine outside Docker. The files don’t have the name of the Redis container, and the Common Name in the cert was set to “foo”.

When I use these files in my webapp, there is no connection from Celery to Redis.
Without SSL I do get a connection, so the overall environment aside from SSL is OK – see here

Are there any specific requirements for creating the cert related files? (e.g. should the Common Name in the cert have the container name “redis”, etc.)

Is there a way to test the validity of the certs without the app, e.g. by issuing a command from the container shell?

Thanks

2 Answers


  1. Chosen as BEST ANSWER

    I was able to generate the cert related files (keyfile, certfile, ca_certs) using the tutorial in here

    I first tested that I can connect from my localhost to the "redis with ssl" docker container, and I described the details here

    Then I tested that I can connect from the Celery docker container to the "redis with ssl" docker container, and I described the details here


  2. Yes, the certificate common name should match the host name; also the issuer of the certificate should be trusted by the client.

    In your case, since you are using a custom CA and generating the certs, the public cert of the CA should be in the trusted root of the client.

    Additionally, the certificate should be issued to the hostname; in your case it will be localhost. Please do note that if you access the site from a remote machine by either using the FQDN or the IP, the browser will flag an alert as invalid.

    Also, to verify the certificates, you can use the OpenSSL verify option.
