Setup Redis TLS With Self-signed Certificate
This method is only recommended when clients connect to the Redis server over a trusted local network: the certificate is self-signed, so every client has to be told to trust it by hand, and the connection URL at the end of this guide turns certificate verification off.
Generate Server Certificates
Generate a certificate and private key for self-signed TLS, copy both files into the Redis configuration directory and set the proper ownership and permissions. Then delete the private key from your home directory (it should exist only where redis-server reads it) and copy only the certificate file to each client machine that will connect to redis-server. Note that the certificate below carries just a common name (CN=YourOrg) and no subjectAltName, so clients cannot match it against the server's hostname or IP address; this is why the connection URL at the end of the guide disables verification.
cd ~
openssl req -x509 -nodes -days 3650 -newkey rsa:2048 \
-keyout redis_tls.key -out redis_tls.crt \
-subj "/CN=YourOrg"
sudo cp redis_tls.key redis_tls.crt /etc/redis/ && rm redis_tls.key
sudo chmod 600 /etc/redis/redis_tls.key
sudo chmod 644 /etc/redis/redis_tls.crt
sudo chown redis:redis /etc/redis/redis_tls.key
sudo chown redis:redis /etc/redis/redis_tls.crt
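The certificate generated above has no subjectAltName, which is what forces the client later in this guide to skip verification. The script below is an added example, not part of the original guide: it issues the same kind of self-signed certificate but with a subjectAltName for the server's DNS name and IP address, and then checks the result the way you would before copying the files into /etc/redis (not expired, SAN present, key and certificate match, key not readable by others). The hostname redis.lan and the address 10.0.0.5 are made-up placeholders; it assumes OpenSSL 1.1.1 or newer for the -addext option.

```bash
#!/usr/bin/env bash
# Added example (not from the original guide): issue the Redis server
# certificate with a subjectAltName so clients can verify it, and check it.
# Assumes OpenSSL >= 1.1.1 (needed for "req -addext").
set -eu

# gen_redis_cert DIR CN SAN
#   DIR : output directory (must exist)
#   CN  : subject common name, e.g. redis.lan
#   SAN : subjectAltName list, e.g. "DNS:redis.lan,IP:10.0.0.5"
# Writes DIR/redis_tls.key (mode 0600) and DIR/redis_tls.crt (mode 0644).
gen_redis_cert() {
  local dir="$1" cn="$2" san="$3"
  local key="$dir/redis_tls.key" crt="$dir/redis_tls.crt"
  # Run with umask 077 so the private key is never world-readable,
  # not even between creation and the chmod below.
  ( umask 077
    openssl req -x509 -nodes -days 3650 -newkey rsa:2048 \
      -keyout "$key" -out "$crt" \
      -subj "/CN=$cn" \
      -addext "subjectAltName=$san" )
  chmod 600 "$key"
  chmod 644 "$crt"
}

# check_redis_cert CRT KEY SAN_ENTRY
# Returns 0 only if the certificate is not about to expire, lists SAN_ENTRY
# (as printed by openssl, e.g. "IP Address:10.0.0.5" or "DNS:redis.lan"),
# belongs to the given private key, and the key has mode exactly 0600.
check_redis_cert() {
  local crt="$1" key="$2" want="$3"
  # Certificate must remain valid for at least the next 24 hours.
  openssl x509 -in "$crt" -noout -checkend 86400 >/dev/null || return 1
  # The requested SAN entry must appear in the certificate.
  openssl x509 -in "$crt" -noout -text \
    | grep -A1 'Subject Alternative Name' | grep -q "$want" || return 1
  # The certificate's public key must be the one derived from the key file.
  [ "$(openssl x509 -in "$crt" -noout -pubkey)" = \
    "$(openssl pkey -in "$key" -pubout)" ] || return 1
  # Private key permissions must be exactly 0600 (owner read/write only).
  [ -n "$(find "$key" -perm 600)" ] || return 1
  return 0
}

# Usage: generate into a scratch directory and check it. On the server you
# would copy the two files into /etc/redis and chown them redis:redis as in
# the guide; on the client you would trust redis_tls.crt and connect with
# verification enabled.
tmp="$(mktemp -d)"
gen_redis_cert "$tmp" redis.lan "DNS:redis.lan,IP:10.0.0.5"
if check_redis_cert "$tmp/redis_tls.crt" "$tmp/redis_tls.key" "IP Address:10.0.0.5"; then
  echo "certificate OK: $tmp/redis_tls.crt"
else
  echo "certificate check FAILED"
fi
rm -rf "$tmp"
```

With a certificate like this trusted on the client, the server can be checked end to end with openssl s_client -connect redis.lan:6379 -CAfile redis_tls.crt -verify_hostname redis.lan, and redis-cli can connect with redis-cli --tls --cacert redis_tls.crt -h redis.lan -a YOUR_PASSWORD ping; the rediss URL then no longer needs the #insecure fragment.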
Update Redis Configuration File
The following command appends these settings to /etc/redis/redis.conf (the Redis configuration file). When a directive appears more than once, Redis uses the last occurrence, so the appended lines override the distribution defaults. Replace YOUR_PASSWORD_HERE with a strong password. The block disables the plaintext listener (port 0), enables TLS on port 6379 with the key and certificate generated above, does not require client certificates (tls-auth-clients no) and requires the password for every connection. Note that bind * -::* listens on every IPv4 and IPv6 address of the host; on a machine that also has a public interface, replace it with the address of the local-network interface instead.
sudo tee -a /etc/redis/redis.conf << EOF
bind * -::*
port 0
tls-port 6379
tls-cert-file /etc/redis/redis_tls.crt
tls-key-file /etc/redis/redis_tls.key
tls-auth-clients no
tls-prefer-server-ciphers yes
requirepass YOUR_PASSWORD_HERE
EOF
Restart Redis and enable it at boot:
sudo systemctl restart redis-server
sudo systemctl enable redis-server
Check the status with:
sudo systemctl status redis-server
If it fails to start (for example because of a permission error on the key file), check the journal:
sudo journalctl -u redis-server -f
Add the Redis Certificate to the Trusted CA Store on the Client Machine
# Copy your certificate to the CA certificates directory
sudo mv redis_tls.crt /usr/local/share/ca-certificates/redis_tls.crt
# Update CA certificates
sudo update-ca-certificates
These paths and the update-ca-certificates command are for Debian and Ubuntu; other distributions use a different directory and tool (for example /etc/pki/ca-trust/source/anchors and update-ca-trust on RHEL-based systems). This makes the certificate trusted by clients that use the system CA store; clients that ship their own CA bundle must be given the certificate file explicitly.
Redis Connection URL
Because the client must connect over TLS, the URL scheme is rediss (with a double "s") rather than redis. The #insecure fragment is not part of the URL scheme itself; it is a convention that some client libraries use to disable certificate verification, and it is needed here because the certificate carries only CN=YourOrg and no subjectAltName, so the client cannot match it to the server's address even though it is in the trust store. With verification disabled the session is encrypted, but an attacker on the network path can impersonate the server, which is why this setup belongs on a trusted local network only. If the certificate is reissued with a subjectAltName for the server's hostname or IP address, drop #insecure and let the client verify it.
rediss://:<your_password_here>@<redis_server_ip>:6379/0#insecure