Unable to connect to Redis in GCP which is SSL Enabled

I am using the spring-boot-starter-data-redis dependency to connect to Redis (below is the snippet from my Gradle dependencies):

dependencies {
    implementation 'org.springframework.boot:spring-boot-starter-web'
    implementation 'org.springframework.boot:spring-boot-starter-actuator'
    implementation 'org.springframework.boot:spring-boot-starter-data-redis'
    compileOnly 'org.projectlombok:lombok:1.18.20'
    annotationProcessor 'org.projectlombok:lombok:1.18.20'
}

I am moving to GCP now, and the Redis in GCP is SSL-enabled, so I configured my Spring properties this way:


It works perfectly fine when I disable SSL. But when I enable it, I get the error below. Is there any way to inject the PEM certificate in the Spring configuration?

[Request processing failed; nested exception is Unable to connect to Redis; nested exception is io.lettuce.core.RedisConnectionException: Unable to connect to xx.xx.xx.xx:6378] with root cause unable to find valid certification path to requested target
        at java.base/ ~[na:na]
        at java.base/ ~[na:na]
        at java.base/ ~[na:na]
        at java.base/ ~[na:na]
        at java.base/ ~[na:na]
        at java.base/ ~[na:na]
        at java.base/ ~[na:na]
        at java.base/ ~[na:na]
        at java.base/ ~[na:na]
        at java.base/$T13CertificateConsumer.checkServerCerts( ~[na:na]
        at java.base/$T13CertificateConsumer.onConsumeCertificate( ~[na:na]
        at java.base/$T13CertificateConsumer.consume( ~[na:na]
        at java.base/ ~[na:na]
        at java.base/ ~[na:na]
        at java.base/$DelegatedTask$ ~[na:na]
        at java.base/$DelegatedTask$ ~[na:na]
        at java.base/ Method) ~[na:na]
        at java.base/$ ~[na:na]

Please help.


  • I tackled it this way

    • The spring-boot-starter-data-redis dependency uses Lettuce by default.
    • To connect to Redis through SSL, the spring.redis.ssl=true property needs to be enabled.
    • If the CA of the certificate is unique and not part of Java's JKS, then you have two options: either import the keys to JKS or disable the SSL verification.

    Quoting what's given in the Google docs here:

    For example, Lettuce is a popular Java client for Redis. Their documentation provides an example for connecting natively with TLS (see Example 47). Given that the Java Security Manager does not allow self-signed certificates by default, an additional option needs to be specified in the Redis URI construction .withVerifyPeer(false)

    I disabled the SSL verification. The connection will still happen through SSL, but I disabled the verification alone by configuring a bean.

    Also, I am not worried about a man-in-the-middle attack, as my Redis is exposed only to my GKE cluster. So this solution worked fine for me.

    @Configuration
    public class RedisSSLConfiguration {
        @Bean
        public LettuceClientConfigurationBuilderCustomizer builderCustomizer() {
            return builder -> builder.useSsl().disablePeerVerification();
        }
    }
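
Added example, not part of the answer above or of any project's own code: the other option the answer lists, trusting the instance's CA instead of disabling verification, done from Spring configuration as the question asks. The class name, bean name and the `redis.tls.ca-file` property are assumptions for illustration; the PEM file is the server CA certificate downloaded for the Redis instance.

```java
import io.lettuce.core.ClientOptions;
import io.lettuce.core.SslOptions;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import javax.net.ssl.TrustManagerFactory;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.autoconfigure.data.redis.LettuceClientConfigurationBuilderCustomizer;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.io.Resource;

@Configuration
public class RedisCaTrustConfiguration { // hypothetical class name

    // redis.tls.ca-file is a hypothetical property, e.g. file:/etc/redis/server-ca.pem
    @Bean
    public LettuceClientConfigurationBuilderCustomizer redisCaTrust(
            @Value("${redis.tls.ca-file}") Resource caPem) throws Exception {
        // In-memory trust store that holds only the Redis instance's CA certificate(s).
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null);
        try (InputStream in = caPem.getInputStream()) {
            int i = 0;
            // generateCertificates accepts one or more PEM-encoded X.509 certificates.
            for (Certificate ca : CertificateFactory.getInstance("X.509").generateCertificates(in)) {
                trustStore.setCertificateEntry("redis-ca-" + i++, ca);
            }
        }
        if (trustStore.size() == 0) {
            // Fail at startup rather than at the first Redis call.
            throw new IllegalStateException("No certificate found in " + caPem);
        }
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        SslOptions sslOptions = SslOptions.builder().jdkSslProvider().trustManager(tmf).build();
        // Note: this replaces the ClientOptions Spring Boot derived from spring.redis.*;
        // re-apply any other client options the application relies on.
        ClientOptions clientOptions = ClientOptions.builder().sslOptions(sslOptions).build();

        // TLS stays on and peer verification stays enabled.
        return builder -> builder.useSsl().and().clientOptions(clientOptions);
    }
}
```

With this bean the certificate chain is checked against the supplied CA only, so the JVM-wide trust store does not need to be modified.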