TLS-Generater-key

TLS - Generate Server and Client Certificate

依步驟執行後，會產生下列檔案：

-rw-rw-r-- 1 willhsu willhsu 936  二  25 11:54 ys_ca.crt
-rw------- 1 willhsu willhsu 227  二  25 11:51 ys_ca.key
-rw-rw-r-- 1 willhsu willhsu  41  三   6 17:54 ys_ca.srl
-rw-rw-r-- 1 willhsu willhsu 794  二  25 17:00 ys_client.crt
-rw-rw-r-- 1 willhsu willhsu 586  二  25 16:59 ys_client.csr
-rw------- 1 willhsu willhsu 227  二  25 16:58 ys_client.key
-rw-rw-r-- 1 willhsu willhsu 810  二  25 16:51 ys_server.crt
-rw-rw-r-- 1 willhsu willhsu 603  二  25 16:35 ys_server.csr
-rw------- 1 willhsu willhsu 227  二  25 16:21 ys_server.key

將下列檔案複製到 /var/lib/redis/：

willhsu@ubuntu20:~/certificat_authority$
willhsu@ubuntu20:~/certificat_authority$ sudo cp ys_ca.crt ys_client.key ys_client.crt /var/lib/redis/

變更檔案擁有者 (chown) 為 redis，讓 redis-server 程序能讀取憑證與私鑰：

willhsu@ubuntu20:~/certificat_authority$ su
密碼:
root@ubuntu20:/home/willhsu/certificat_authority# cd /var/lib/redis/
root@ubuntu20:/var/lib/redis# ls -l
total 388
-rw-rw---- 1 redis redis 383142  三   7 10:47 dump.rdb
-rw-r--r-- 1 root  root     936  三   7 10:47 ys_ca.crt
-rw-r--r-- 1 root  root     794  三   7 10:47 ys_client.crt
-rw------- 1 root  root     227  三   7 10:47 ys_client.key
root@ubuntu20:/var/lib/redis# chown redis:redis ys_c*
root@ubuntu20:/var/lib/redis# ls -l
total 388
-rw-rw---- 1 redis redis 383142  三   7 10:47 dump.rdb
-rw-r--r-- 1 redis redis    936  三   7 10:47 ys_ca.crt
-rw-r--r-- 1 redis redis    794  三   7 10:47 ys_client.crt
-rw------- 1 redis redis    227  三   7 10:47 ys_client.key

編輯 redis.conf (先備份原檔為 redis.conf.ori，再用 diff 比對差異；注意下方 diff 中 tls-cert-file / tls-key-file 指向的是 ys_client.crt / ys_client.key，而上面步驟另外產生了 ys_server.crt / ys_server.key，請確認伺服器端要使用哪一組)

root@ubuntu20:/etc/redis# cp redis.conf redis.conf.ori
root@ubuntu20:/etc/redis# nano redis.conf
root@ubuntu20:/etc/redis# diff redis.conf redis.conf.ori
75,76c75

< #bind 127.0.0.1 -::1
< bind 0.0.0.0
---
> bind 127.0.0.1 -::1
99c98
< #port 6379
---
> port 6379
145,146c144,145
<  port 0
<  tls-port 6379
---
> # port 0
> # tls-port 6379
159,161c158
< tls-cert-file "/var/lib/redis/ys_client.crt"
< tls-key-file "/var/lib/redis/ys_client.key"
< tls-ca-cert-file "/var/lib/redis/ys_ca.crt"
---
root@ubuntu20:/etc/redis# systemctl restart redis-server

測試 TLS 連線：帶 client 憑證的連線會回應 PONG，未使用 TLS 的連線則會被伺服器重設。

willhsu@ubuntu20:~/certificat_authority$ redis-cli --tls --cert ys_client.crt --key ys_client.key --cacert ys_ca.crt ping
PONG

willhsu@ubuntu20:~/certificat_authority$ redis-cli ping
Error: Connection reset by peer

當 certificate (ys_client.crt) 過期時，client 連線會失敗，redis log 會出現 certificate verify failed 的錯誤：

root@ubuntu20:tail -f /var/log/redis/redis-server.log
1445292:M 06 Mar 2022 09:49:05.045 # Error accepting a client connection: error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed
1445292:M 06 Mar 2022 09:49:05.102 # Error accepting a client connection: error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed
1445292:M 06 Mar 2022 09:49:05.205 # Error accepting a client connection: error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed
1445292:M 06 Mar 2022 09:49:05.358 # Error accepting a client connection: error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed
1445292:M 06 Mar 2022 09:49:05.561 # Error accepting a client connection: error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed
1445292:M 06 Mar 2022 09:49:05.814 # Error accepting a client connection: error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed
1445292:M 06 Mar 2022 09:49:06.118 # Error accepting a client connection: error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed
^C
willhsu@ubuntu20:~/certificat_authority$ redis-cli --tls --cert ys_client.crt --key ys_client.key --cacert ys_ca.crt
127.0.0.1:6379> info
Error: Server closed the connection