8000 fix(registry/handlers/app): redis CAs by ChandonPierre · Pull Request #4668 · distribution/distribution · GitHub
[go: up one dir, main page]
More Web Proxy on the site http://driver.im/
Skip to content

fix(registry/handlers/app): redis CAs #4668

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 2 commits into
base: main
Choose a base branch
from
Open

fix(registry/handlers/app): redis CAs #4668

wants to merge 2 commits into from

Conversation

ChandonPierre
Copy link

configureRedis currently sets RequireAndVerifyClientCert and ClientCAs, however these are server side mTLS configurations, and do not apply for the client initiating the handshake.

Since we never actually set client side RootCAs, connecting to Redis with a self-signed CA results in:

"error": "tls: failed to verify certificate: x509: certificate signed by unknown authority",

Fixed by switching Redis TLS config to use RootCAs instead, and updating configuration accordingly.

@github-actions github-actions bot added area/config Related to registry config area/docs area/api labels Jul 5, 2025
@ChandonPierre ChandonPierre force-pushed the cpierre/redis-rootcas branch 2 times, most recently from 77731c4 to ec2e369 Compare July 5, 2025 19:24
@ChandonPierre
fix(registry/handlers/app): redis CAs
02b1f6e 
`configureRedis` currently sets `RequireAndVerifyClientCert` and `ClientCAs`, however these are server side mTLS configurations, and do not apply for the client initiating the handshake.

Since we never actually set client side `RootCAs`, connecting to Redis with a self-signed CA results in:

```
"error": "tls: failed to verify certificate: x509: certificate signed by unknown authority",
```
Fixed by switching Redis TLS config to use `RootCAs` instead, and updating configuration accordingly.

Signed-off-by: ChandonPierre <cpierre@coreweave.com>
@ChandonPierre ChandonPierre force-pushed the cpierre/redis-rootcas branch from ec2e369 to 02b1f6e Compare July 5, 2025 19:25
milosgajdos
milosgajdos approved these changes Jul 5, 2025
View reviewed changes
Copy link
Member
@milosgajdos milosgajdos left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

PTAL @thaJeztah

@ChandonPierre
fix tests
1fc8461 
Signed-off-by: ChandonPierre <cpierre@coreweave.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@milosgajdos milosgajdos milosgajdos approved these changes

At least 2 approving reviews are required to merge this pull request.

Assignees
No one assigned
Labels
area/api area/config Related to registry config area/docs
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@ChandonPierre @milosgajdos
0