Sentinel TLS: discover_master is not respect connection type. #3128

Open
garry-t opened this issue Jan 30, 2024 · 4 comments

garry-t commented Jan 30, 2024

In case Sentinel is configured with TLS, the redis_master call fails with the error "Connection reset by peer", which means it does not use TLS during the function call.
I've checked all the docs I was able to find, and it is still not clear to me whether this is supported or not.
Version: 5.1.0b3

Platform: Python 3.11 MacOS

Description:
The SSL certificates were generated self-signed.
My simple code:

```python
from redis.sentinel import Sentinel

# sentinel_addresses, secret_file_data, master_name, use_ssl and the ssl_* paths
# are defined elsewhere in the reporter's script.
sentinel = Sentinel(
    sentinels=sentinel_addresses,
    sentinel_kwargs={'password': secret_file_data['password']},
    socket_timeout=0.1,
    ssl=True,
    ssl_keyfile=ssl_keyfile,
    ssl_certfile=ssl_certfile,
    ssl_ca_certs=ssl_ca_certs,
)
host, port = sentinel.discover_master(master_name)
master = sentinel.master_for(master_name, password=secret_file_data['password'])
print(f"Current {'SSL' if use_ssl else 'Non-SSL'} Connection - Master IP: {host}")
```

In sentinel logs

Error accepting a client connection: error:1408F10B:SSL routines:ssl3_get_record:wrong version number (addr=IP:56828 laddr=IP:26380)


erihu78 commented Sep 4, 2024

I have exactly the same issue!
Any news on this??

@garionphx

I ran into a similar problem, only with authentication. I created a merge request that fixes my issue, and maybe yours also: #3376


rad-pat commented Oct 15, 2024

Don't you fix this by passing the necessary ssl kwargs into the sentinel_kwargs?


tgckpg commented Dec 10, 2024

Good lord, this bug is hard to track down. Thankfully ChatGPT has guided me here, so I'm posting my workaround for anyone who also has this issue.

First you need this class

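```python
from redis.connection import SSLConnection
from redis.sentinel import SentinelManagedConnection


class SentinelManagedSSLConnection(SentinelManagedConnection, SSLConnection):
    """Sentinel-managed connection that is also an SSLConnection."""

    def __init__(self, *args, **kwargs):
        # Remove the "ssl" flag before calling the base-class constructors.
        kwargs.pop("ssl", None)
        super().__init__(*args, **kwargs)
```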

Then you can use it like so

```python
import os

# Env and sentinelObj come from the poster's own application code.
s = {
    "ssl": True,
    "ssl_keyfile": os.path.join(Env.REDIS_CERTS, "key"),
    "ssl_certfile": os.path.join(Env.REDIS_CERTS, "cert"),
    "ssl_ca_certs": os.path.join(Env.REDIS_CERTS, "ca"),
}

sentinelObj.master_for("mymaster", connection_class=SentinelManagedSSLConnection, **s)
```

Basically SentinelManagedConnection was not an SSLConnection so we make it an SSLConnection.
