Rotating Redis TLS certificates without downtime

Question (votes: 0, answers: 1)

I run Redis with TLS enabled, configured through the

tls-cert-file
tls-key-file
tls-ca-cert-file

settings. As I understand it, rotating these certificates means updating the certificate and key files. During that process, however, the clients' connections have to be re-established using the new CA certificate, which can cause downtime.

I am looking for advice on how to rotate Redis TLS certificates without causing any downtime. What are the best practices or strategies for making the certificate rotation smooth while keeping the service continuously available?

Similar to GCP Memorystore, perhaps there is a way to have several server certificates at the same time. If so, the clients' connections could be updated first and the old TLS configuration retired afterwards.

ssl redis tls1.3 google-cloud-memorystore downtime
1 answer

0 votes

From redis-cli, the Redis server (not Sentinel) can use

CONFIG SET tls-cert-file xxx
CONFIG SET tls-key-file yyy

After running the commands, the server will use the newly supplied certificate.


Configuration documentation: https://redis.io/docs/management/config-file/

# Configure a X.509 certificate and private key to use for authenticating the
# server to connected clients, masters or cluster peers.  These files should be
# PEM formatted.
#
# tls-cert-file redis.crt
# tls-key-file redis.key
#
# If the key file is encrypted using a passphrase, it can be included here
# as well.
#
# tls-key-file-pass secret

# Normally Redis uses the same certificate for both server functions (accepting
# connections) and client functions (replicating from a master, establishing
# cluster bus connections, etc.).
#
# Sometimes certificates are issued with attributes that designate them as
# client-only or server-only certificates. In that case it may be desired to use
# different certificates for incoming (server) and outgoing (client)
# connections. To do that, use the following directives:
#
# tls-client-cert-file client.crt
# tls-client-key-file client.key
#
# If the key file is encrypted using a passphrase, it can be included here
# as well.
#
# tls-client-key-file-pass secret

# Configure a DH parameters file to enable Diffie-Hellman (DH) key exchange,
# required by older versions of OpenSSL (<3.0). Newer versions do not require
# this configuration and recommend against it.
#
# tls-dh-params-file redis.dh

# Configure a CA certificate(s) bundle or directory to authenticate TLS/SSL
# clients and peers.  Redis requires an explicit configuration of at least one
# of these, and will not implicitly use the system wide configuration.
#
# tls-ca-cert-file ca.crt
# tls-ca-cert-dir /etc/ssl/certs
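The answer above swaps the server certificate in place, but it does not by itself address the overlap the question asks for. The script below is an added example (not part of the original question or answer, and not Redis project code) that drives the rotation through redis-cli in two phases: first the server's CA bundle is widened to trust both the old and the new CA, and the server certificate and key are swapped in one atomic CONFIG SET; later, once every client trusts the new CA, the old CA is dropped and the running configuration is persisted. The host, port, file paths and the assumption that the server runs Redis 7.0 or later (which accepts several parameters in one CONFIG SET) are mine; the REDIS_CLI variable exists so the steps can be dry-run against a stand-in command.

```shell
#!/bin/sh
# Added example: overlap-based rotation of Redis TLS material via redis-cli.
# Host, port and paths below are assumptions; adjust them to your deployment.
set -eu

# Command used to talk to the server. Overridable so the steps can be exercised
# against a stand-in (for a dry run, or for the checks at the end of this page).
REDIS_CLI="${REDIS_CLI:-redis-cli --tls -h 127.0.0.1 -p 6379 --cacert /etc/redis/tls/ca.crt}"

# Concatenate the old and new CA certificates into one bundle so that, during the
# overlap window, the server accepts peers and mTLS clients signed by either CA.
# Prints the number of certificates found so callers can verify the bundle.
build_ca_bundle() {
    old_ca="$1"; new_ca="$2"; out="$3"
    cat "$old_ca" "$new_ca" > "$out"
    n=$(grep -c 'BEGIN CERTIFICATE' "$out" || true)
    [ "$n" -eq 2 ] || { echo "bundle $out has $n certificates, expected 2" >&2; return 1; }
    echo "$n"
}

# Phase 1: widen trust first (old CA + new CA), then swap the server's own
# certificate and key. Both files go in a single CONFIG SET (Redis >= 7.0) so the
# server never sees a certificate that does not match the loaded key. CONFIG SET
# takes effect for new connections; established connections keep running.
rotate_server_cert() {
    bundle="$1"; cert="$2"; key="$3"
    $REDIS_CLI CONFIG SET tls-ca-cert-file "$bundle"
    $REDIS_CLI CONFIG SET tls-cert-file "$cert" tls-key-file "$key"
}

# Phase 2: once every client and replica trusts the new CA, narrow trust back to
# the new CA only and write the running configuration to redis.conf so a restart
# does not revert to the old files.
retire_old_ca() {
    new_ca="$1"
    $REDIS_CLI CONFIG SET tls-ca-cert-file "$new_ca"
    $REDIS_CLI CONFIG REWRITE
}

# Typical use (paths are placeholders):
#   build_ca_bundle /etc/redis/tls/old-ca.crt /etc/redis/tls/new-ca.crt /etc/redis/tls/ca-bundle.crt
#   rotate_server_cert /etc/redis/tls/ca-bundle.crt /etc/redis/tls/new.crt /etc/redis/tls/new.key
#   ... roll the new CA out to all clients and replicas, then:
#   retire_old_ca /etc/redis/tls/new-ca.crt
```

Two points matter for the zero-downtime property. The server's tls-ca-cert-file only governs which certificates the server itself accepts (mTLS clients, replicas, cluster peers); whether clients keep connecting after the swap depends on their own trust stores, so the new CA must be distributed to every client before rotate_server_cert runs, which is exactly the "update clients first, retire the old configuration afterwards" ordering the question proposes. And because CONFIG SET changes only the in-memory configuration, CONFIG REWRITE (or an edit of redis.conf) is needed at the end, otherwise the next restart silently brings the old certificate back.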