Menu
On my Ruby on Rails app, I keep getting the error below for the Heroku Redis Premium 0 add-on:
OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=error: certificate verify failed (self signed certificate in certificate chain)
Heroku Redis documentation mentions that I need to enable TLS in my Redis client's configuration in order to connect to a Redis 6 database. To achive this, I have read SSL/TLS Support documentation on redis-rb. My understanding from it is; I need to assign ca_file, cert and key for Redis.new#ssl_params. The question is how to set these for Redis or through Sidekiq on Heroku?
Update 3: Heroku support provided an answer which solved the problem.
Update 2: Created Heroku support ticket and waiting response.
Update 1: Asked on Sidekiq's Github issues and was adviced go write Heroku support. Will update this question, when I do get an answer.
I have verified the app does work when the add-on is either one of the below:
Versions:
Some links that helped me to narrow down the issue:
870
To enable only TLS on the default Redis port, use: By default, Redis uses mutual TLS and requires clients to authenticate with a valid certificate (authenticated against trusted root CAs specified by ca-cert-file or ca-cert-dir ). You may use tls-auth-clients no to disable client authentication.
You will also need to add the sidekiq gem to the project to work with Sidekiq and Redis. Open the project’s Gemfile for editing, using nano or your favorite editor: Add the gem anywhere in the main project dependencies (above development dependencies): . . .
Sidekiq is one of the more widely used background job frameworks that you can implement in a Rails application. It is backed by Redis, an in-memory key-value store known for its flexibility and performance. Sidekiq uses Redis as a job management store to process thousands of jobs per second.
Install Sidekiq by adding the gem to your Gemfile. Sidekiq has only one dependency, and that’s Redis. If you are using a Mac, you can install Redis using Homebrew: Create a new job in app/jobs to process jobs asynchronously: You can invoke this job as MyJob.perform_async (args). Start the Sidekiq process with bundle exec sidekiq.
Use OpenSSL::SSL::VERIFY_NONE for your Redis client.
# config/initializers/sidekiq.rb
Sidekiq.configure_server do |config|
config.redis = { ssl_params: { verify_mode: OpenSSL::SSL::VERIFY_NONE } }
end
Sidekiq.configure_client do |config|
config.redis = { ssl_params: { verify_mode: OpenSSL::SSL::VERIFY_NONE } }
end
Redis.new(url: 'url', driver: :ruby, ssl_params: { verify_mode: OpenSSL::SSL::VERIFY_NONE })
Redis 6 requires TLS to connect. However, Heroku support explained that they manage requests from the router level to the application level involving Self Signed Certs. Turns out, Heroku terminates SSL at the router level and requests are forwarded from there to the application via HTTP while everything is behind Heroku's Firewall and security measures.
Sources
116
If you use ActionCable, you may also need to add verify_mode to the `cable.yml config:
production:
adapter: redis
url: <%= ENV.fetch("REDIS_URL") { "redis://localhost:6379/1" } %>
channel_prefix: my_app_production
ssl_params:
verify_mode: <%= OpenSSL::SSL::VERIFY_NONE %>
Source: https://github.com/chatwoot/chatwoot/issues/2420
30
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
