Connect to AWS ElastiCache with In-Transit Encryption + Auth from client other than redis-cli+stunnel

I'm trying to use a Ruby redis client and either one of two NodeJS clients (node_redis or ioredis) to connect to an Amazon ElastiCache cluster with in-transit encryption and auth enabled and am having issues. For all three clients, as soon as I connect I get an ECONNRESET error thrown immediately and over and over again when connection retries occur.

I have followed the AWS docs and am able to successfully connect via redis-cli using stunnel, but haven't been able to connect with any other client so far.

From looking at this SO answer, it appears there is no certificate required and we simply need to pass empty options to the TLS config (if applicable), but no matter what I enter I'm unsuccessful. I've also tried passing the default stunnel stunnel.pem private key as the cert in all clients just in case, and it obviously doesn't work either. Any assistance or expertise from others who have used ElastiCache would be helpful!

asked Aug 02 '18 18:08 by Lance Whatley


2 Answers

I ran into a similar problem, but instead of ECONNRESET I was getting a timeout. For me, there were a few problems that had to be ironed out:

  • The lambda needs VPC permissions.
  • The ElastiCache security group needs an inbound rule from the Lambda security group that allows communication on the Redis port. I thought they could just be in the same security group.
  • Because encryption in-transit was turned on, I needed to pass redis.RedisClient(... ssl=True). The redis-py page mentions that ssl_cert_reqs needs to be set to None for use with ElastiCache similar to what was answered, but that didn't seem to be true in my case. I think AWS has updated the ElastiCache certs to have the proper hostname. I did however need to pass ssl=True.

It makes sense that ssl=True needed to be set but the connection was just timing out so I went round and round trying to figure out what the problem with the permissions/VPC/SG setup was.

answered Oct 05 '22 08:10 by feus4177


For both clients the default TLS behavior is to verify the server certificate, which we needed to disable. The solution for both clients is as follows:

NodeJS client:

const redis = require('redis')
// node_redis v2/v3 option names. checkServerIdentity is the tls module's hostname check; returning
// undefined makes that check pass, while the CA chain is still verified (rejectUnauthorized defaults to true).
const client = redis.createClient({host: hostOrIp, port: 6379, auth_pass: 'thePassword', tls: { checkServerIdentity: () => undefined }})

Ruby client:

require "redis"
# connectionString uses the rediss:// scheme (or pass ssl: true) so redis-rb opens TLS;
# ssl_params is handed to the OpenSSL::SSL::SSLContext, and VERIFY_NONE skips peer verification.
redis = Redis.new(url: connectionString, ssl_params: { verify_mode: OpenSSL::SSL::VERIFY_NONE })
answered Oct 05 '22 08:10 by Lance Whatley
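Added example, not code from the question or from either answer: a self-contained Ruby script that shows what each TLS setting mentioned above actually switches off. It stands up a fake TLS-only, AUTH-required Redis endpoint on localhost with a constructed self-signed certificate, then connects the way a client would under three choices of verify_mode: VERIFY_PEER with nothing trusted (the handshake fails, which is what a client sees when the endpoint's CA is not in its store), VERIFY_PEER with the endpoint's certificate trusted (the chain passes, and the separate hostname/SAN check passes or fails depending on the name the client expects; that hostname check is what Node's checkServerIdentity override skips and what feus4177's answer says is no longer needed because the certificate carries the proper hostname), and VERIFY_NONE as in the Ruby answer (connects, but the client has not authenticated the server at all). The hostname, password, port, and the fake server's reply strings are all assumptions, and the redis gem is deliberately not used so the script runs offline.

```ruby
require "openssl"
require "socket"

FAKE_HOST = "my-cluster.abc123.use1.cache.amazonaws.com" # assumed endpoint name, not a real cluster
PASSWORD  = "thePassword"                                # assumed AUTH token

# Constructed self-signed cert whose SAN matches FAKE_HOST. Real ElastiCache certs
# chain to a public CA; a self-signed one keeps the example runnable offline.
def make_self_signed(cn)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version, cert.serial = 2, 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.public_key = key.public_key
  cert.not_before, cert.not_after = Time.now - 60, Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
  cert.add_extension(ef.create_extension("basicConstraints", "CA:TRUE", true))
  cert.add_extension(ef.create_extension("subjectAltName", "DNS:#{cn}"))
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  [cert, key]
end

# Minimal RESP reader: "*N\r\n" then N bulk strings "$len\r\n<data>\r\n".
def read_resp(io)
  head = io.gets
  return nil unless head&.start_with?("*")
  Array.new(head[1..-1].to_i) do
    len = io.gets[1..-1].to_i
    io.read(len).tap { io.read(2) } # data, then swallow the trailing CRLF
  end
end

# Per-connection handler for the fake endpoint: AUTH gates everything else.
def serve_client(c)
  authed = false
  while (cmd = read_resp(c))
    case cmd[0].upcase
    when "AUTH"
      authed = (cmd[1] == PASSWORD)
      c.write(authed ? "+OK\r\n" : "-WRONGPASS invalid username-password pair\r\n")
    when "PING" then c.write(authed ? "+PONG\r\n" : "-NOAUTH Authentication required.\r\n")
    else c.write("-ERR unknown command\r\n")
    end
  end
rescue StandardError # client dropped the connection mid-command
ensure
  c.close rescue nil
end

# Fake TLS-only Redis on an ephemeral localhost port; returns the port.
def start_fake_redis(cert, key)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.cert, ctx.key = cert, key
  tcp = TCPServer.new("127.0.0.1", 0)
  srv = OpenSSL::SSL::SSLServer.new(tcp, ctx)
  Thread.new do
    loop do
      conn = srv.accept rescue next # handshake runs here; a client that rejects our cert makes it raise
      Thread.new(conn) { |c| serve_client(c) }
    end
  end
  tcp.addr[1]
end

# Send one RESP command; return the first reply line (+OK, +PONG, -WRONGPASS ...).
def redis_command(ssl, *args)
  ssl.write("*#{args.size}\r\n" + args.map { |a| "$#{a.bytesize}\r\n#{a}\r\n" }.join)
  ssl.gets.chomp
end

# Connect with ssl_params-style settings, then AUTH and PING.
# Returns :ok, :cert_rejected, :hostname_mismatch, or the server's error reply.
def connect_and_ping(host, port, password, verify_mode:, ca_cert: nil)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.verify_mode = verify_mode
  ctx.cert_store = OpenSSL::X509::Store.new.tap { |s| s.add_cert(ca_cert) } if ca_cert
  ssl = OpenSSL::SSL::SSLSocket.new(TCPSocket.new("127.0.0.1", port), ctx)
  ssl.sync_close = true
  ssl.hostname = host # SNI, as when dialling the real DNS name
  failure = :cert_rejected
  ssl.connect # under VERIFY_PEER the chain is checked here; VERIFY_NONE accepts any cert
  failure = :hostname_mismatch
  ssl.post_connection_check(host) if verify_mode == OpenSSL::SSL::VERIFY_PEER # SAN/hostname check
  reply = redis_command(ssl, "AUTH", password)
  reply = redis_command(ssl, "PING") if reply == "+OK"
  reply == "+PONG" ? :ok : reply
rescue OpenSSL::SSL::SSLError
  failure
ensure
  ssl&.close
end

if __FILE__ == $PROGRAM_NAME
  cert, key = make_self_signed(FAKE_HOST)
  port = start_fake_redis(cert, key)
  peer, none = OpenSSL::SSL::VERIFY_PEER, OpenSSL::SSL::VERIFY_NONE
  puts "VERIFY_PEER, nothing trusted:       #{connect_and_ping(FAKE_HOST, port, PASSWORD, verify_mode: peer)}"
  puts "VERIFY_PEER, endpoint cert trusted: #{connect_and_ping(FAKE_HOST, port, PASSWORD, verify_mode: peer, ca_cert: cert)}"
  puts "VERIFY_PEER, wrong expected name:   #{connect_and_ping('other.example.com', port, PASSWORD, verify_mode: peer, ca_cert: cert)}"
  puts "VERIFY_NONE (the answer's setting): #{connect_and_ping(FAKE_HOST, port, PASSWORD, verify_mode: none)}"
end
```

Against a real cluster the setting to keep is VERIFY_PEER with a trust store that contains the issuing CA; redis-rb passes the ssl_params hash to OpenSSL::SSL::SSLContext#set_params, so ca_file or cert_store keys can go in that same hash when the system store is not enough. VERIFY_NONE still encrypts the connection, but nothing then stops a host that intercepts the TCP session from presenting its own certificate and reading the AUTH token.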