TLS-Generate-key
TLS - Generate Server and Client Certificate
依步驟執行後，會產生下列檔案（.key 檔權限為 0600，僅擁有者可讀）
-rw-rw-r-- 1 willhsu willhsu 936 二 25 11:54 ys_ca.crt
-rw------- 1 willhsu willhsu 227 二 25 11:51 ys_ca.key
-rw-rw-r-- 1 willhsu willhsu 41 三 6 17:54 ys_ca.srl
-rw-rw-r-- 1 willhsu willhsu 794 二 25 17:00 ys_client.crt
-rw-rw-r-- 1 willhsu willhsu 586 二 25 16:59 ys_client.csr
-rw------- 1 willhsu willhsu 227 二 25 16:58 ys_client.key
-rw-rw-r-- 1 willhsu willhsu 810 二 25 16:51 ys_server.crt
-rw-rw-r-- 1 willhsu willhsu 603 二 25 16:35 ys_server.csr
-rw------- 1 willhsu willhsu 227 二 25 16:21 ys_server.key
複製下列檔案到 /var/lib/redis/
willhsu@ubuntu20:~/certificat_authority$
willhsu@ubuntu20:~/certificat_authority$ sudo cp ys_ca.crt ys_client.key ys_client.crt /var/lib/redis/
變更檔案擁有者為 redis:redis，redis-server 才讀得到私鑰（ys_client.key 維持 0600）
willhsu@ubuntu20:~/certificat_authority$ su
密碼:
root@ubuntu20:/home/willhsu/certificat_authority# cd /var/lib/redis/
root@ubuntu20:/var/lib/redis# ls -l
total 388
-rw-rw---- 1 redis redis 383142 三 7 10:47 dump.rdb
-rw-r--r-- 1 root root 936 三 7 10:47 ys_ca.crt
-rw-r--r-- 1 root root 794 三 7 10:47 ys_client.crt
-rw------- 1 root root 227 三 7 10:47 ys_client.key
root@ubuntu20:/var/lib/redis# chown redis:redis ys_c*
root@ubuntu20:/var/lib/redis# ls -l
total 388
-rw-rw---- 1 redis redis 383142 三 7 10:47 dump.rdb
-rw-r--r-- 1 redis redis 936 三 7 10:47 ys_ca.crt
-rw-r--r-- 1 redis redis 794 三 7 10:47 ys_client.crt
-rw------- 1 redis redis 227 三 7 10:47 ys_client.key
Edit redis.conf：`bind 0.0.0.0` 讓 Redis 監聽所有介面，`port 0` 關閉明文連接埠，只保留 `tls-port 6379`；注意這裡 tls-cert-file / tls-key-file 指定的是 ys_client.* 檔案
root@ubuntu20:/etc/redis# cp redis.conf redis.conf.ori
root@ubuntu20:/etc/redis# nano redis.conf
root@ubuntu20:/etc/redis# diff redis.conf redis.conf.ori
75,76c75
< #bind 127.0.0.1 -::1
< bind 0.0.0.0
---
> bind 127.0.0.1 -::1
99c98
< #port 6379
---
> port 6379
145,146c144,145
< port 0
< tls-port 6379
---
> # port 0
> # tls-port 6379
159,161c158
< tls-cert-file "/var/lib/redis/ys_client.crt"
< tls-key-file "/var/lib/redis/ys_client.key"
< tls-ca-cert-file "/var/lib/redis/ys_ca.crt"
---
root@ubuntu20:/etc/redis# systemctl restart redis-server
測試 TLS 連線（有帶憑證回 PONG；未帶 --tls 的明文連線會被拒絕）
willhsu@ubuntu20:~/certificat_authority$ redis-cli --tls --cert ys_client.crt --key ys_client.key --cacert ys_ca.crt ping
PONG
willhsu@ubuntu20:~/certificat_authority$ redis-cli ping
Error: Connection reset by peer
certificate (ys_client.crt) 過期時，server log 會出現 certificate verify failed
root@ubuntu20:tail -f /var/log/redis/redis-server.log
1445292:M 06 Mar 2022 09:49:05.045 # Error accepting a client connection: error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed
1445292:M 06 Mar 2022 09:49:05.102 # Error accepting a client connection: error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed
1445292:M 06 Mar 2022 09:49:05.205 # Error accepting a client connection: error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed
1445292:M 06 Mar 2022 09:49:05.358 # Error accepting a client connection: error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed
1445292:M 06 Mar 2022 09:49:05.561 # Error accepting a client connection: error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed
1445292:M 06 Mar 2022 09:49:05.814 # Error accepting a client connection: error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed
1445292:M 06 Mar 2022 09:49:06.118 # Error accepting a client connection: error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed
^C
willhsu@ubuntu20:~/certificat_authority$ redis-cli --tls --cert ys_client.crt --key ys_client.key --cacert ys_ca.crt
127.0.0.1:6379> info
Error: Server closed the connection