
I would like to set up a basic 3-node Redis Sentinel setup using the new TLS features of Redis 6. Unfortunately, it doesn’t seem like Redis 6 Sentinel is smart enough to speak TLS to clients.

Does anyone know of a way to do this, or if it’s not possible, if there are any mentions online about adding support for this in the future? It seems a shame to have these nice TLS features and not be able to use them with Redis’ own tools.
I am aware that in the past people have used Stunnel to do this. With TLS support added to Redis, I am only interested in doing this if it can be done without third-party additions.

My setup:
3 Redis servers (6.0-rc, last pulled last week), running TLS with the test certs as specified in the Redis docs – one master and 2 replicas
3 Sentinels (6.0-rc, also last pulled last week), not running TLS on their ports (I would like to, but that’s a secondary problem)

What I’ve Tried:

  1. Pointing Sentinel to the Redis TLS port – this results in lots of TLS errors in Redis’ logs about incorrect TLS version received, as Sentinel is not speaking TLS to Redis. Since it fails, Sentinel thinks the master is down.

  2. Adding “https://” in the Sentinel config in front of the master IP – this results in Sentinel refusing to run, saying it can’t find the master hostname.

  3. Adding TLS options to Sentinel – this results in Sentinel trying to talk TLS on its ports, but not to clients, which doesn’t help. I couldn’t find any options specifically about making Sentinel speak TLS to clients.

  4. Pointing Sentinel to the Redis not-TLS port (not ideal, I would rather only have the TLS port open) – this results in Sentinel reporting the wrong (not-TLS) port for the master to the simple Python client I’m testing with (it literally just tries to get master info from Sentinel) – I want the client to talk to Redis over TLS for obvious reasons

  5. Adding the “replica-announce-port” directive to Redis with Sentinel still pointed to the not-TLS port – this fails in 2 ways: the master port is still reported incorrectly as the not-TLS port (seems to be because the master is not a replica and so the directive does not apply), and Sentinel now thinks the replicas are both down (because the TLS port is reported, replicas are auto discovered, and it can’t speak to the replicas on the TLS port).

I am aware of this StackOverflow question (Redis Sentinel and TLS) – it is old and asks about Redis 4, so it’s not the same.

2 Answers


  1. Chosen as BEST ANSWER

    I did figure this out and forgot to post the answer earlier: The piece I was missing was that I needed to set the tls-replication yes option on both the Redis and Sentinel servers.

    Previously, I had only set it on the Redis servers, as they were the only ones that needed to do replication over TLS. But for some reason, that particular option is what is needed to actually make Sentinel speak TLS to Redis.

    So overall, for TLS options, both sides of the equation needed:

    tls-port <port>
    port 0
    tls-auth-clients yes
    tls-ca-cert-file <file>
    tls-key-file <file>
    tls-cert-file <file>
    tls-replication yes
    

  2. Try adding the tls-port option to sentinel.conf, as it seems to enable TLS support in general and the same is stated in the documentation. For me, the two statements below, added to sentinel.conf on top of the rest of the TLS configuration, actually did the trick.

    tls-port 26379
    port 0
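As an added example (not code from either answer), here is a small Python audit of a redis.conf or sentinel.conf against the checklist the two answers give, which the accepted answer says applies to both the Redis nodes and the Sentinels. The sample sentinel.conf, its IP and its certificate paths are constructed; the one finding it raises on the "before" file is the `tls-replication yes` the question was missing.

```python
from typing import Dict, List

# Directives the accepted answer says both the Redis nodes and the Sentinels need.
REQUIRED_FILES = ("tls-ca-cert-file", "tls-key-file", "tls-cert-file")

def parse_conf(text: str) -> Dict[str, List[str]]:
    """Map each directive to its argument list. Redis treats only lines that
    start with '#' as comments, and a repeated directive's last value wins."""
    conf: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            name, *args = line.split()
            conf[name.lower()] = args
    return conf

def audit_tls(text: str) -> List[str]:
    """Return findings for a redis.conf or sentinel.conf; an empty list means the
    file matches the checklist from the answers (same rules for both roles)."""
    conf = parse_conf(text)
    def first(name: str, default: str) -> str:
        return (conf.get(name) or [default])[0]
    findings: List[str] = []
    if first("tls-port", "0") == "0":
        findings.append("tls-port missing or 0: no TLS listener")
    # 'port' defaults to 6379 (Redis) or 26379 (Sentinel) when absent, so only
    # an explicit 'port 0' closes the plaintext listener.
    if first("port", "6379") != "0":
        findings.append("port is not 0: plaintext listener stays open")
    if first("tls-auth-clients", "yes") != "yes":
        findings.append("tls-auth-clients is not yes: client certs not required")
    findings += [f"{d} missing" for d in REQUIRED_FILES if not conf.get(d)]
    # The piece the question was missing: without it Sentinel and replicas open
    # plaintext connections to the TLS port and Redis logs TLS version errors.
    if first("tls-replication", "no") != "yes":
        findings.append("tls-replication is not yes: Sentinel/replica links are plaintext")
    return findings

# Constructed sentinel.conf matching the question: TLS set up, tls-replication absent.
BEFORE = """\
port 0
tls-port 26379
tls-auth-clients yes
tls-ca-cert-file /etc/redis/tls/ca.crt
tls-key-file /etc/redis/tls/sentinel.key
tls-cert-file /etc/redis/tls/sentinel.crt
sentinel monitor mymaster 10.0.0.1 6379 2
"""
AFTER = BEFORE + "tls-replication yes\n"   # the accepted answer's fix applied
```

Run the same function over each redis.conf as well, since the accepted answer needs the directive on both sides before Sentinel will speak TLS to Redis.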
