How to enable tls/ ssl in Redis 6 docker library?

2023 update

If you just want a Docker container that has redis on it with SSL enabled here is what you need

Dockerfile

# https://www.appsloveworld.com/docker/100/19/how-to-set-up-a-docker-redis-container-with-ssl
# https://redis.io/docs/management/security/encryption/
# https://spin.atomicobject.com/2021/08/05/configuring-redis-tls/
# Plain redis-cli command will not work
# redis-cli --tls --cert tests/tls/redis.crt --key tests/tls/redis.key --cacert tests/tls/ca.crt

FROM redis:7 as base
RUN apt-get update && apt-get install openssl
USER redis
COPY --chown=redis:redis ./.docker/dev/redis/generate_certificates.sh ./
RUN chmod +x ./generate_certificates.sh
RUN ./generate_certificates.sh
CMD ["redis-server", "--tls-port", "6379", "--port", "0", "--tls-cert-file", "tests/tls/redis.crt", "--tls-key-file", "tests/tls/redis.key", "--tls-ca-cert-file", "tests/tls/ca.crt"]

The generate_certificates.sh file simply uses openssl to generate all the required crt and key files

generate_certificates.sh

#!/bin/bash

# https://github.com/redis/redis/blob/unstable/utils/gen-test-certs.sh
# Generate some test certificates which are used by the regression test suite:
#
#   tests/tls/ca.{crt,key}          Self signed CA certificate.
#   tests/tls/redis.{crt,key}       A certificate with no key usage/policy restrictions.
#   tests/tls/client.{crt,key}      A certificate restricted for SSL client usage.
#   tests/tls/server.{crt,key}      A certificate restricted for SSL server usage.
#   tests/tls/redis.dh              DH Params file.

generate_cert() {
    local name=$1
    local cn="$2"
    local opts="$3"

    local keyfile=tests/tls/${name}.key
    local certfile=tests/tls/${name}.crt

    [ -f $keyfile ] || openssl genrsa -out $keyfile 2048
    openssl req 
        -new -sha256 
        -subj "/O=Redis Test/CN=$cn" 
        -key $keyfile | 
        openssl x509 
            -req -sha256 
            -CA tests/tls/ca.crt 
            -CAkey tests/tls/ca.key 
            -CAserial tests/tls/ca.txt 
            -CAcreateserial 
            -days 365 
            $opts 
            -out $certfile
}

mkdir -p tests/tls
[ -f tests/tls/ca.key ] || openssl genrsa -out tests/tls/ca.key 4096
openssl req 
    -x509 -new -nodes -sha256 
    -key tests/tls/ca.key 
    -days 3650 
    -subj '/O=Redis Test/CN=Certificate Authority' 
    -out tests/tls/ca.crt

cat > tests/tls/openssl.cnf <<_END_
[ server_cert ]
keyUsage = digitalSignature, keyEncipherment
nsCertType = server
[ client_cert ]
keyUsage = digitalSignature, keyEncipherment
nsCertType = client
_END_

generate_cert server "Server-only" "-extfile tests/tls/openssl.cnf -extensions server_cert"
generate_cert client "Client-only" "-extfile tests/tls/openssl.cnf -extensions client_cert"
generate_cert redis "Generic-cert"

[ -f tests/tls/redis.dh ] || openssl dhparam -out tests/tls/redis.dh 2048

To run it just do

docker build -t ssl_redis_image -f ...Dockerfile .
docker run -p 6379:6379 --name ssl_redis_container ssl_redis_image
docker exec -it ssl_redis_container sh

Once you are inside the shell of the redis container
you can try redis-cli and enter a simple command like

SET val 1

It ll immediately give you an error
You will need to run redis-cli with the certificates as

redis-cli --tls --cert tests/tls/redis.crt --key tests/tls/redis.key --cacert tests/tls/ca.crt

And try setting a value again and you should be able to get it to work now