I'm trying to use a Ruby redis client and either one of two NodeJS clients (node_redis or ioredis) to connect to an Amazon ElastiCache cluster with in-transit encryption and auth enabled and am having issues. For all three clients, as soon as I connect I get an ECONNRESET error thrown immediately and over and over again when connection retries occur.
I have followed the AWS docs and am able to successfully connect via redis-cli using stunnel, but haven't been able to connect with any other client so far.
From looking at this SO answer, it appears there is no certificate required and we simply need to pass empty options to the TLS config (if applicable), but no matter what I enter I'm unsuccessful. I've also tried passing the default stunnel stunnel.pem private key as the cert in all clients just in case, and it obviously doesn't work either. Any assistance or expertise from others who have used ElastiCache would be helpful!
Sign in to the AWS Management Console and open the ElastiCache console at https://console.aws.amazon.com/elasticache/ . From the navigation pane, choose Redis clusters. The clusters screen will appear with a list of Redis (cluster mode disabled) and Redis (cluster mode enabled) clusters.
I ran into a similar problem, but instead of ECONNRESET I was getting a timeout. For me, there were a few problems that had to be ironed out
redis.RedisClient(... ssl=True). The redis-py page mentions that ssl_cert_reqs needs to be set to None for use with ElastiCache similar to what was answered, but that didn't seem to be true in my case. I think AWS has updated the ElastiCache certs to have the proper hostname. I did however need to pass ssl=True.
It makes sense that ssl=True needed to be set, but the connection was just timing out, so I went round and round trying to figure out what the problem with the permissions/VPC/SG setup was.
For both clients the default TLS behavior is to verify the server certificate, which we needed to disable. The solution for both clients is as follows:
NodeJS client:
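const redis = require('redis')
// hostOrIp is the cluster endpoint. A checkServerIdentity that returns undefined
// skips the hostname check on the server certificate.
const client = redis.createClient({host: hostOrIp, port: 6379, auth_pass: 'thePassword', tls: { checkServerIdentity: () => undefined }})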
Ruby client:
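require "redis"
# connectionString is the cluster's connection URL. VERIFY_NONE turns off
# verification of the server certificate.
redis = Redis.new(url: connectionString, ssl_params: { verify_mode: OpenSSL::SSL::VERIFY_NONE })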
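Added example, not code from either answer or from the redis client libraries: a Node TLS options object that keeps chain validation on and checks the certificate against a pinned DNS name, for the case where the address being dialled (hostOrIp above) is an IP or alias that does not appear in the certificate. The names pinnedTlsOptions, compareIdentityChecks and expectedName are hypothetical, and the two certificate objects are constructed samples.

```javascript
// Added example: verify the server certificate against a pinned DNS name
// instead of switching the identity check off.
const tls = require('node:tls');
const net = require('node:net');

// expectedName (assumption): the DNS name the cluster's certificate was issued
// for, e.g. its primary endpoint. It is used for SNI and for the identity check,
// so the address actually dialled (hostOrIp) may be an IP or an alias.
function pinnedTlsOptions(expectedName) {
  if (typeof expectedName !== 'string' || expectedName === '' || net.isIP(expectedName)) {
    throw new TypeError('expectedName must be a DNS name, not an IP address');
  }
  return {
    servername: expectedName,   // SNI sent in the ClientHello
    rejectUnauthorized: true,   // certificate chain validation stays on
    checkServerIdentity: (_dialledHost, cert) => tls.checkServerIdentity(expectedName, cert),
  };
}

// Constructed certificates in the shape returned by socket.getPeerCertificate().
const CLUSTER_CERT = {
  subject: { CN: 'primary.my-cluster.example.test' },
  subjectaltname: 'DNS:primary.my-cluster.example.test',
};
const OTHER_CERT = {
  subject: { CN: 'other.example.test' },
  subjectaltname: 'DNS:other.example.test',
};

// Compare three identity checks for one dialled address and one certificate.
function compareIdentityChecks(dialledHost, expectedName, cert) {
  const verdict = (err) => (err === undefined ? 'accepted' : 'rejected');
  return {
    nodeDefault: verdict(tls.checkServerIdentity(dialledHost, cert)),
    disabled: verdict((() => undefined)(dialledHost, cert)),
    pinned: verdict(pinnedTlsOptions(expectedName).checkServerIdentity(dialledHost, cert)),
  };
}

console.log(compareIdentityChecks('10.0.1.25', 'primary.my-cluster.example.test', CLUSTER_CERT));
console.log(compareIdentityChecks('10.0.1.25', 'primary.my-cluster.example.test', OTHER_CERT));
// Usage with the option shape from the answer above:
//   redis.createClient({ host: hostOrIp, port: 6379, auth_pass: 'thePassword',
//                        tls: pinnedTlsOptions(expectedName) })
```

The disabled check accepts both certificates, while the pinned check accepts only the one issued for the expected name even though the connection was dialled by IP.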