
Comments (4)

zhangruiskyline commented on August 24, 2024

returned some error:
x509: cannot validate certificate for xxx.xxx.xxx.xxx because it doesn't contain any IP SANsx509

I think it is basically that I am using Azure Redis, where they use NAT instead of different IPs, so if we do not have port info, it fails? But why does it work in the redigo case?

Thanks
Rui

from redisc.

mna commented on August 24, 2024

As mentioned in #13, this is a connection configuration issue. redisc does not deal with connections - at all - it does not even import the net package (https://godoc.org/github.com/mna/redisc?imports). It uses redigo to make connections (redis.Dial) and the CreatePool function that the caller sets on the Cluster struct (which, typically, ends up calling redis.Dial from redigo).

That being said, my guess (and that's all it is as I don't have many details) is that redigo "works fine" because you pass the Azure "load balancer" address with the correct TLS config, while in redisc, it will try to connect to specific internal nodes as returned by CLUSTER NODES - which is normal for a redis cluster client. You need to figure out how to properly connect to those nodes - as I said, I've never used Azure. Keep in mind that those nodes need to be accessible from the server where your app will run. If that app is inside the VPN (as I'd assume it would be?), possibly you don't need SSL there, this is just to protect against calls from the outside. But I'm not a security expert and again - I know nothing about how Azure works.

Martin


mna commented on August 24, 2024

You posted the second comment while I was posting my reply, but while my above comment stands, this error is very likely because your certificate is for some host name (the load balancer address), and when you send it along for connections to specific IP addresses, the certificate verification fails (because it was not emitted for that IP address, e.g. you try to connect to 123.45.67.89, but the certificate is for redis.azure.what.ev). If you do need to use SSL for internal nodes, then adding the skip verify for the internal nodes is indeed required (or at least one way to make it work). This is unrelated to redisc (or redigo, for that matter), as mentioned above.


vmarchese commented on August 24, 2024

You can use:

	dialOptions = append(dialOptions, redis.DialTLSConfig(&tls.Config{
		ServerName: "yourredisname.redis.cache.windows.net",
	}))

to change the TLS configuration's ServerName.

The problem is that the X509 certificate issued by Microsoft has a wildcard "*.redis.cache.windows.net", but for a redis cluster you connect to the IP of a node and those IPs are not listed in the SANs (they cannot be, especially if you use a private link).

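The name check discussed in this thread, as an added Go example that is not code from the thread, redisc or redigo: it builds a constructed self-signed certificate carrying only the wildcard DNS SAN and runs the same x509 verification a crypto/tls client performs. Verifying against a node IP fails with the error reported above, while a matching ServerName passes and a wrong name is still rejected, so verification stays on. The helpers `must`, `newFixture` and `verifyAs`, the address 10.0.0.5 and the host names are assumptions made for the illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T { // hypothetical demo helper: panic on setup failure
	if err != nil {
		panic(err)
	}
	return v
}

// newFixture returns a constructed self-signed cert with only a wildcard DNS SAN (no IP SANs).
func newFixture() (*x509.Certificate, *tls.Config) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{"*.redis.cache.windows.net"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	leaf := must(x509.ParseCertificate(der))
	roots := x509.NewCertPool()
	roots.AddCert(leaf) // trust exactly this certificate
	return leaf, &tls.Config{RootCAs: roots}
}

// verifyAs repeats the x509 check a crypto/tls client makes: trust via RootCAs,
// name via ServerName (tls.Dial sets ServerName to the dialed host if it is empty).
func verifyAs(cfg *tls.Config, leaf *x509.Certificate) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: cfg.RootCAs, DNSName: cfg.ServerName})
	return err
}

func main() {
	leaf, cfg := newFixture()
	for _, name := range []string{"10.0.0.5", "mycache.redis.cache.windows.net", "mycache.example.net"} {
		cfg.ServerName = name // constructed names: node IP, matching host, non-matching host
		fmt.Printf("%s -> %v\n", name, verifyAs(cfg, leaf))
	}
}
```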
