fix(registry/handlers/app): redis CAs#4668
Merged
milosgajdos merged 2 commits into distribution:main, Sep 3, 2025
77731c4 to ec2e369
`configureRedis` currently sets `RequireAndVerifyClientCert` and `ClientCAs`, however these are server side mTLS configurations, and do not apply for the client initiating the handshake. Since we never actually set client side `RootCAs`, connecting to Redis with a self-signed CA results in:

```
"error": "tls: failed to verify certificate: x509: certificate signed by unknown authority",
```

Fixed by switching Redis TLS config to use `RootCAs` instead, and updating configuration accordingly.

Signed-off-by: ChandonPierre <cpierre@coreweave.com>
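The mix-up the description explains, as an added example in Go that is not part of this PR or of distribution's own code: it generates a throwaway self-signed CA and a server certificate in memory, then runs two handshakes against the same server over loopback TCP, one with a client `tls.Config` that puts the CA pool into `ClientAuth`/`ClientCAs` (the pre-fix shape) and one that puts it into `RootCAs` (the post-fix shape). The helper names `must`, `selfSignedChain`, `handshake`, `brokenRedisClientConfig`, `fixedRedisClientConfig` and `Demo`, and the host name `redis.example`, are assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// must keeps the example short: key and certificate generation are not expected to fail.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// selfSignedChain builds a throwaway CA and a server leaf for "redis.example"
// signed by it, all in memory (constructed for this example; not real key material).
func selfSignedChain() (*x509.Certificate, tls.Certificate) {
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example redis CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	caDER := must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))
	ca := must(x509.ParseCertificate(caDER))
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "redis.example"},
		DNSNames:  []string{"redis.example"}, // what the client's ServerName is checked against
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
	}
	leafDER := must(x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey))
	return ca, tls.Certificate{Certificate: [][]byte{leafDER}, PrivateKey: leafKey}
}

// handshake runs one TLS handshake over loopback TCP between a server presenting
// serverCert and a client using clientCfg, and returns the client's error.
func handshake(serverCert tls.Certificate, clientCfg *tls.Config) error {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return err
	}
	defer ln.Close()
	srvCfg := &tls.Config{Certificates: []tls.Certificate{serverCert}, MinVersion: tls.VersionTLS12}
	done := make(chan struct{})
	go func() {
		defer close(done)
		if conn, err := ln.Accept(); err == nil {
			conn.SetDeadline(time.Now().Add(5 * time.Second))
			_ = tls.Server(conn, srvCfg).Handshake() // fails or succeeds in step with the client
			conn.Close()
		}
	}()
	raw, err := net.Dial("tcp", ln.Addr().String())
	if err != nil {
		return err
	}
	defer raw.Close()
	raw.SetDeadline(time.Now().Add(5 * time.Second))
	err = tls.Client(raw, clientCfg).Handshake()
	<-done
	return err
}

// brokenRedisClientConfig mirrors the pre-fix shape: the CA pool is wired into
// ClientAuth/ClientCAs, which only a TLS *server* consults, so the client still
// verifies the Redis certificate against the host's root set and rejects it.
func brokenRedisClientConfig(pool *x509.CertPool) *tls.Config {
	return &tls.Config{
		ServerName: "redis.example",
		ClientAuth: tls.RequireAndVerifyClientCert,
		ClientCAs:  pool,
		MinVersion: tls.VersionTLS12,
	}
}

// fixedRedisClientConfig is the post-fix shape: RootCAs is the pool a client uses
// to verify the server chain, so the self-signed CA belongs there.
func fixedRedisClientConfig(pool *x509.CertPool) *tls.Config {
	return &tls.Config{ServerName: "redis.example", RootCAs: pool, MinVersion: tls.VersionTLS12}
}

// Demo runs both client configs against the same self-signed server and returns
// each handshake's client-side error (nil means the chain verified).
func Demo() (brokenErr, fixedErr error) {
	ca, serverCert := selfSignedChain()
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	return handshake(serverCert, brokenRedisClientConfig(pool)), handshake(serverCert, fixedRedisClientConfig(pool))
}

func main() {
	brokenErr, fixedErr := Demo()
	fmt.Println("ClientCAs only:", brokenErr) // tls: failed to verify certificate: x509: certificate signed by unknown authority
	fmt.Println("RootCAs:       ", fixedErr) // <nil>
}
```

The first handshake fails with the same `x509: certificate signed by unknown authority` error quoted in the description, because `crypto/tls` never reads `ClientAuth` or `ClientCAs` on the client side of a connection; the second succeeds with nothing changed but the field the pool is assigned to. When auditing a deployment, that error in the registry log while a CA has been configured is the signal that the CA ended up in a field the client does not consult.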
ec2e369 to 02b1f6e
milosgajdos approved these changes, Jul 6, 2025
Author (Contributor): Let me know if any changes are needed 👍
Member: @thaJeztah PTAL
milosgajdos reviewed, Aug 11, 2025
| ClientCAs []string `yaml:"clientcas,omitempty"` | ||
| // RootCAs specifies a list of root certificate authorities that clients use when | ||
| // verifying server certificates. If RootCAs is nil, TLS uses the host's root CA set. | ||
| RootCAs []string `yaml:"rootcas,omitempty"` |
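Review bot: the yaml key changes from `clientcas` to `rootcas` with no alias, so an existing `clientcas` entry under the Redis TLS config will, depending on how strictly the file is parsed, either be rejected as an unknown key or be dropped so that verification silently falls back to the host's root set. Consider still accepting `clientcas` as a deprecated alias that is mapped onto `RootCAs` with a startup warning, or at least calling the rename out in the release notes. The new doc comment repeats the generic crypto/tls description of `RootCAs`; it would help operators to state what the `[]string` entries are (PEM file paths or inline certificates), since that is what they have to put in the config file.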
Member: one thing I'm wondering here... this will break existing deployments... so we either release this as 3.1 or we'll have to change this field to the original ClientCAs
Collaborator: Yes, it’s a breaking change, but it shouldn’t impact users since the functionality doesn’t work with ClientCAs anyway. We can treat it as a fix to correct the behavior.