Connect to AWS ElastiCache with In-Transit Encryption + Auth from client other than redis-cli+stunnel

Question

I'm trying to use a Ruby redis client and either one of two NodeJS clients (node_redis or ioredis) to connect to an Amazon ElastiCache cluster with in-transit encryption and auth enabled and am having issues. For all three clients, as soon as I connect I get an ECONNRESET error thrown immediately and over and over again when connection retries occur.

I have followed the AWS docs and am able to successfully connect via redis-cli using stunnel, but haven't been able to connect with any other client so far.

From looking at this SO answer, it appears there is no certificate required and we simply need to pass empty options to the TLS config (if applicable), but no matter what I enter I'm unsuccessful. I've also tried passing the default stunnel stunnel.pem private key as the cert in all clients just in case, and it obviously doesn't work either. Any assistance or expertise from others who have used ElastiCache would be helpful!

Answer 1

I ran into a similar problem, but instead of ECONNRESET I was getting a timeout. For me, there were a few problems that had to be ironed out

• The lambda needs VPC permissions.
• The ElastiCache security group needs an inbound rule from the Lambda security group that allows communication on the Redis port. I thought they could just be in the same security group.
• Because encryption in-transit was turned on, I needed to pass redis.RedisClient(... ssl=True). The redis-py page mentions that ssl_cert_reqs needs to be set to None for use with ElastiCache similar to what was answered, but that didn't seem to be true in my case. I think AWS has updated the ElastiCache certs to have the proper hostname. I did however need to pass ssl=True.

It makes sense that ssl=True needed to be set but the connection was just timing out so I went round and round trying to figure out what the problem with the permissions/VPC/SG setup was.

Answer 2

For both clients the default TLS behavior is to verify the server certificate, which we needed to disable. The solution for both clients is as follows:

NodeJS client:

const redis = require('redis')
const client = redis.createClient({host: hostOrIp, port: 6379, auth_pass: 'thePassword', tls: { checkServerIdentity: () => undefined }})

Ruby client:

require "redis"
redis = Redis.new(url: connectionString, ssl_params: { verify_mode: OpenSSL::SSL::VERIFY_NONE })