valkey-io / valkey

A new project to resume development on the formerly open-source Redis project. We're calling it Valkey, since it's a twist on the key-value datastore.
https://valkey.io

[BUG] TLS Error on Valkey container with valkey-cli #703

Open Nakuromi opened 1 week ago

Nakuromi commented 1 week ago

Hi,

I've got an error that I don't understand and can't resolve :/ I don't know if this is a bug or if I haven't done the configuration right. When I try to connect with valkey-cli inside the Valkey server container through a TLS connection, an error appears, both with a custom certificate generated with openssl (self-signed, and also signed by a custom CA) and with certificates generated with the gen-test-certs.sh utility. (Tested with the images valkey:7.2.5 and valkey:7.2.5-alpine3.19.)

The server log says: # Error accepting a client connection: error:0A000126:SSL routines::unexpected eof while reading (addr= laddr=127.0.0.1:26379)

According to my research, this type of error appears when the OpenSSL version is < 3.0. My OpenSSL is newer than 3.0, and I suspected that the Valkey image had an older OpenSSL version, but the TLS section of the conf file describes the different options available depending on whether the OpenSSL version is < 3.0 or > 3.0, so I think the lib inside this image is fine.

Do you have any idea about my issue? I can't install Valkey on the OS and have to use a podman container. I hope TLS is already available with the container image.

Thanks for reading my (bad ^^) English and have a good day. Naku

podman run -v ~/test_valkey/conf:/usr/local/etc/valkey -p 36379:26379 --name valkey_01 -d valkey/valkey:7.2.5-alpine3.19 valkey-server /usr/local/etc/valkey/valkey.conf --save 60 1 --loglevel warning

$ cat valkey.conf:
##### BIND IP ADDRESS
bind 127.0.0.1 -::1

##### USER ACL
user naku on +@all allkeys >1234

##### MEMORY
maxmemory 130mb

##### TLS CONF
port 0
tls-port 26379
tls-ca-cert-file /usr/local/etc/valkey/ca.crt
tls-key-file-pass 1234
tls-cert-file /usr/local/etc/valkey/server.crt
tls-key-file /usr/local/etc/valkey/server.key
tls-client-cert-file /usr/local/etc/valkey/client.crt
tls-client-key-file /usr/local/etc/valkey/client.key

tls-auth-clients no
tls-protocols "TLSv1.2 TLSv1.3"

[...]
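The configuration above names five PEM files and a key passphrase, and the server process inside the container has to be able to open every one of them. A pre-flight check of the kind a practitioner would run before starting the container, added here as an example and not code from this issue or from the Valkey project: it parses a valkey.conf in the directive format shown above, checks that the TLS directives are consistent with each other, verifies that each referenced file would be readable by the uid/gid the server runs as (file ownership and mode are the usual thing that differs between a bind-mounted --volume and a --secret file), flags private keys that are group- or world-accessible, and compares tls-key-file-pass against whether the key is actually an encrypted PEM. The service uid 999, the placeholder PEM bodies and the sample conf are constructed for the demo; the readability check ignores supplementary groups.

```python
import os
import shlex
import stat
import tempfile

# Directives that name files on disk. The two tls-client-* entries are used
# only when the server itself opens outbound TLS connections (e.g. replication).
TLS_FILE_DIRECTIVES = (
    "tls-ca-cert-file", "tls-cert-file", "tls-key-file",
    "tls-client-cert-file", "tls-client-key-file",
)

def parse_valkey_conf(text):
    """Parse valkey.conf text into {directive: [args]}: one directive per line,
    '#' comments, shell-like quoting for arguments containing spaces
    (tls-protocols "TLSv1.2 TLSv1.3"). A repeated keyword keeps its last value."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)
        if parts:
            conf[parts[0].lower()] = parts[1:]
    return conf

def readable_by(st, uid, gid):
    """Would a process running as uid/gid pass the kernel's read permission
    check on this stat result? Root always can; supplementary groups ignored."""
    if uid == 0:
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IRUSR)
    if st.st_gid == gid:
        return bool(st.st_mode & stat.S_IRGRP)
    return bool(st.st_mode & stat.S_IROTH)

def pem_key_is_encrypted(path):
    """True if the PEM carries an encrypted-key header (PKCS#8 or legacy form)."""
    with open(path, "rb") as f:
        head = f.read(4096)
    return b"ENCRYPTED PRIVATE KEY" in head or b"Proc-Type: 4,ENCRYPTED" in head

def check_tls_config(conf, uid, gid):
    """Return a list of findings; an empty list means nothing obviously wrong."""
    findings = []
    port = conf.get("port", ["6379"])[0]
    tls_port = conf.get("tls-port", ["0"])[0]
    if port == "0" and tls_port == "0":
        findings.append("port 0 with no tls-port: the server would listen on no TCP port")
    if tls_port != "0":
        for d in ("tls-cert-file", "tls-key-file"):
            if d not in conf:
                findings.append(f"{d} is required when tls-port is set")
    for d in TLS_FILE_DIRECTIVES:
        if d not in conf:
            continue
        path = conf[d][0]
        if not os.path.isfile(path):
            findings.append(f"{d}: {path} not found")
            continue
        st = os.stat(path)
        mode = st.st_mode & 0o777
        if not readable_by(st, uid, gid):
            findings.append(f"{d}: {path} not readable by uid={uid} gid={gid} "
                            f"(owner {st.st_uid}:{st.st_gid}, mode {mode:04o})")
        if d.endswith("key-file") and mode & 0o077:
            findings.append(f"{d}: {path} is group/world accessible (mode {mode:04o})")
    key = conf.get("tls-key-file", [None])[0]
    if key and os.path.isfile(key):
        encrypted, has_pass = pem_key_is_encrypted(key), "tls-key-file-pass" in conf
        if encrypted and not has_pass:
            findings.append("tls-key-file is an encrypted PEM but tls-key-file-pass is not set")
        if has_pass and not encrypted:
            findings.append("info: tls-key-file-pass is set but tls-key-file is not encrypted")
    return findings

def demo():
    """Constructed sample: placeholder PEM files owned by this user in a temp
    dir, a conf modelled on the issue's, checked as a different (service) uid."""
    tmp = tempfile.mkdtemp()
    cert = "-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n"
    key = "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n"
    for name, body, mode in (("ca.crt", cert, 0o644), ("server.crt", cert, 0o644),
                             ("server.key", key, 0o600), ("client.crt", cert, 0o644),
                             ("client.key", key, 0o644)):
        path = os.path.join(tmp, name)
        with open(path, "w") as f:
            f.write(body)
        os.chmod(path, mode)
    conf = parse_valkey_conf(f"""
##### TLS CONF
port 0
tls-port 26379
tls-ca-cert-file {tmp}/ca.crt
tls-key-file-pass 1234
tls-cert-file {tmp}/server.crt
tls-key-file {tmp}/server.key
tls-client-cert-file {tmp}/client.crt
tls-client-key-file {tmp}/client.key
tls-auth-clients no
tls-protocols "TLSv1.2 TLSv1.3"
""")
    # Any uid other than the file owner stands in for the container's service
    # account; 999 is an assumption for the demo, not something the issue states.
    svc = 999 if os.getuid() != 999 else 998
    return check_tls_config(conf, uid=svc, gid=svc)

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

On the constructed sample the check reports three things: server.key (mode 0600, owned by the user who created it) is not readable by the service uid, which is exactly the situation a bind mount of files owned by the host user produces; client.key is world-readable; and tls-key-file-pass is set although server.key is not an encrypted PEM. Run it against the real conf by pointing the paths at the mounted directory and passing the uid the container process reports in `ps`.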
hwware commented 1 week ago

Did you try with the native Valkey? If yes, is there the same issue?

Nakuromi commented 1 week ago

Thanks for your reply. As I said, I can't try with a native install; I have to use a podman container.

So after some time and thought, I'm adding the certs & keys into the container with the --secret option (file type) instead of just a --volume share. And I don't understand why, but it's working...

Even though the volume option gives exactly the same result on disk for the shared files, it works with --secret but not with --volume. I've configured the uid and gid, and these were right in both solutions, and the files were apparently the same. I'll explore this later in order to understand what is different and why the secret option makes this work. Maybe I haven't understood the difference correctly, but for me the --secret option is about security and not about the result: the files shared with both solutions should be the same.

Strange ^^

After that, the question is also: is it a bug with the Valkey image for containers, or is this normal behavior? And if this is normal behavior, maybe add an explanation in the TLS.md documentation?

Thanks :)