1

I have a Java app running in an EC2 instance which uses lettuce (https://lettuce.io/) to talk to a Redis cluster on AWS ElastiCache.

The java app can connect with no issue. Here is the netstat output:

tcp6       0      0 10.0.56.94:45846        10.0.34.61:6379         ESTABLISHED
tcp6       0      0 10.0.56.94:33198        10.0.33.125:6379        ESTABLISHED
tcp6       0      0 10.0.56.94:57526        10.0.32.189:6379        ESTABLISHED

I have logged on to the same EC2 instance and tried to use redis-cli to connect to the same cluster. However, I have had no success with redis-cli.

The Redis URI the Java application uses is something like this:

rediss://my-project-0001-001.my-project.abczy.use1.cache.amazonaws.com:6379,my-project-0002-001.my-project.abczy.use1.cache.amazonaws.com:6379,my-project-0003-001.my-project.abczy.use1.cache.amazonaws.com:6379

However if I apply this uri to redis-cli, it throws an error: "invalid uri scheme".

The error is suppressed if I replace rediss with redis in the uri. But I still cannot connect to the cluster.

There are alternatives I have tried (and they simply 'do nothing': no error message at all, simply not showing anything).

Connect to the node directly

redis-cli -c -h my-project-0001-001.my-project.abczy.use1.cache.amazonaws.com -p 6379 -a auth_token

Connect to the configuration endpoint

redis-cli -c -h  clustercfg.my-project.abczy.use1.cache.amazonaws.com -p 6379 -a auth_token

Use IP directly

# Use netstat to find out the IPs
redis-cli -c -h 10.0.34.61 -p 6379 -a auth_token

Use IP directly without -c flag

redis-cli -h 10.0.34.61 -p 6379 -a auth_token

How can I find out why redis-cli is not connecting? Is there any way I can trace the routes?

Anthony Kong

1 Answer

2

According to the docs, redis-cli doesn't support SSL or TLS:

To access data from ElastiCache for Redis nodes enabled with in-transit encryption, you use clients that work with Secure Socket Layer (SSL). However, redis-cli doesn't support SSL or Transport Layer Security (TLS).

https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/in-transit-encryption.html#connect-tls

You can use stunnel as a work-around:

setuid = root
setgid = root
pid = /var/run/stunnel.pid
debug = 7 
delay = yes
options = NO_SSLv2
options = NO_SSLv3
[redis-cli]
   client = yes
   accept = 127.0.0.1:6379
   connect = my-project-0001-001.my-project.abczy.use1.cache.amazonaws.com:6379
[redis-cli-replica1]
   client = yes
   accept = 127.0.0.1:6380
   connect = my-project-0002-001.my-project.abczy.use1.cache.amazonaws.com:6379
[redis-cli-replica2]
   client = yes
   accept = 127.0.0.1:6381
   connect = my-project-0003-001.my-project.abczy.use1.cache.amazonaws.com:6379

Start stunnel:

sudo stunnel /etc/stunnel/redis-cli.conf

Connect using redis-cli:

redis-cli -c -h localhost -p 6379 -a auth_token
Tom
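The stunnel sections in the answer set `client = yes` but no verification options, and stunnel does not check the server certificate unless told to, so the tunnel is encrypted but the endpoint is not authenticated. The script below is an added example (not code from the answer or from AWS) that generates one section per node from the question's `rediss://` URI with chain and host-name checks. The function name, the CA bundle path and a stunnel 5.x build that has `verifyChain` and `checkHost` are assumptions.

```shell
#!/bin/sh
# Added example: turn a lettuce-style rediss:// URI into stunnel client
# sections that verify the server certificate chain and host name.
# Assumed, not from the page: function name, CA bundle path, stunnel 5.x.

CA_FILE="${CA_FILE:-/etc/pki/tls/certs/ca-bundle.crt}"  # assumed RHEL-family path

gen_stunnel_sections() {
    uri="$1"
    base_port="${2:-6379}"          # first local listener port
    case "$uri" in
        rediss://*) nodes="${uri#rediss://}" ;;
        *) echo "expected a rediss:// URI" >&2; return 1 ;;
    esac
    nodes="${nodes##*@}"            # drop optional userinfo (password@)
    nodes="${nodes%%[/?]*}"         # drop optional /db path or ?query
    printf '%s\n' "$nodes" | tr ',' '\n' | {
        i=0
        while read -r node; do
            [ -n "$node" ] || continue
            case "$node" in
                *:*) host="${node%:*}"; port="${node##*:}" ;;
                *)   host="$node";      port=6379 ;;
            esac
            printf '[redis-node-%d]\n' "$i"
            printf '   client = yes\n'
            printf '   accept = 127.0.0.1:%d\n' "$((base_port + i))"
            printf '   connect = %s:%s\n' "$host" "$port"
            printf '   verifyChain = yes\n'          # validate against CAfile
            printf '   CAfile = %s\n' "$CA_FILE"
            printf '   checkHost = %s\n' "$host"     # certificate must match node name
            i=$((i + 1))
        done
    }
}

# Constructed sample input: the URI shape shown in the question.
SAMPLE_URI='rediss://my-project-0001-001.my-project.abczy.use1.cache.amazonaws.com:6379,my-project-0002-001.my-project.abczy.use1.cache.amazonaws.com:6379,my-project-0003-001.my-project.abczy.use1.cache.amazonaws.com:6379'

# Print the sections for the sample URI when run as: sh script.sh --demo
if [ "${1:-}" = "--demo" ]; then gen_stunnel_sections "$SAMPLE_URI"; fi
```

The generated sections replace the `[redis-cli*]` sections of the config above; the global options stay as they are. With `-c`, redis-cli follows `MOVED` redirects to the node addresses the cluster advertises rather than to the local listeners, so test connectivity through the tunnel without `-c` first.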