11

ElastiCache with encryption uses TLS to communicate with the redis client, yet as I've seen, redis clients in all languages (ioredis, predis, go-redis) require a pem file when configuring the client to use TLS.

How can I connect to ElastiCache with in-transit encryption without being given the certificate for the TLS?

Mark B
  • 139,343
  • 19
  • 240
  • 237
Nick Ginanto
  • 26,414
  • 39
  • 123
  • 214
  • I don't know anything about elasticache or redis, but somehow the client has to authenticate itself or anybody could connect to your elasticache instance. – President James K. Polk Dec 04 '17 at 16:37
  • It's limited with a security group with specific vpc subnets – Nick Ginanto Dec 04 '17 at 19:38
  • I too am having this issue. The documentation doesn't mention anything about a certificate for in-transit encryption... https://docs.aws.amazon.com/AmazonElastiCache/latest/UserGuide/in-transit-encryption.html – hboylan Feb 09 '18 at 16:27
  • The answer is provided in the following link: https://stackoverflow.com/questions/51660056/connect-to-aws-elasticache-with-in-transit-encryption-auth-from-client-other-t – Jose Miguel Colella Oct 15 '18 at 00:15
  • @JoseMiguelColella it's the same answer and I answered it in February – Nick Ginanto Oct 18 '18 at 17:20

2 Answers

8

Solution: no certificate is needed, just enable TLS in the client (for ioredis, for example, it is just `tls: {}`).

Nick Ginanto
  • 26,414
  • 39
  • 123
  • 214
  • 1
    Is this answer still valid for AWS ElastiCache with in-transit encryption enabled? I'm trying to connect to my cluster via a Ruby or NodeJS client (both ioredis and redis packages) and am constantly getting ECONNRESETs from the server. When I use stunnel with redis-cli everything connects and works fine though... – Lance Whatley Aug 02 '18 at 18:10
  • 1
    I used in-transit and in-rest. Both worked. ioredis with blank tls worked out of the box. I also asked Amazon support and that's what they said – Nick Ginanto Aug 03 '18 at 04:28
2

Here is my working demo code using Predis.

<?php
require 'vendor/autoload.php'; // Predis installed via Composer

$servers = ['tls://master.my-test-redis.8juowe.euw2.cache.amazonaws.com:6379']; // your endpoint; the tls:// scheme turns on TLS
$options = ['parameters' => ['password' => $password]]; // put your AUTH token here
$redis   = new Predis\Client($servers, $options); // instantiate your client
Frank Liu
  • 101
  • 4