
I have a Java app running on an EC2 instance which uses Lettuce (https://lettuce.io/) to talk to a Redis cluster on AWS ElastiCache.

The java app can connect with no issue. Here is the netstat output:

tcp6 0 0 10.0.56.94:45846 10.0.34.61:6379 ESTABLISHED
tcp6 0 0 10.0.56.94:33198 10.0.33.125:6379 ESTABLISHED
tcp6 0 0 10.0.56.94:57526 10.0.32.189:6379 ESTABLISHED

I have logged on to the same EC2 instance and tried to use redis-cli to connect to the same cluster. However, I have had no success with redis-cli.

The Redis URI the Java application uses is something like this:

rediss://my-project-0001-001.my-project.abczy.use1.cache.amazonaws.com:6379,my-project-0002-001.my-project.abczy.use1.cache.amazonaws.com:6379,my-project-0003-001.my-project.abczy.use1.cache.amazonaws.com:6379 

However if I apply this uri to redis-cli, it throws an error: "invalid uri scheme".

The error is suppressed if I replace rediss with redis in the uri. But I still cannot connect to the cluster.

Here are the alternatives I have tried (they simply do nothing: no error message at all, nothing shown at all).

Connect to the node directly

redis-cli -c -h my-project-0001-001.my-project.abczy.use1.cache.amazonaws.com -p 6379 -a auth_token 

Connect to the configuration endpoint

redis-cli -c -h clustercfg.my-project.abczy.use1.cache.amazonaws.com -p 6379 -a auth_token 

Use IP directly

# Use netstat to find out the IPs
redis-cli -c -h 10.0.34.61 -p 6379 -a auth_token

Use IP directly without -c flag

redis-cli -h 10.0.34.61 -p 6379 -a auth_token 

How can I find out why redis-cli is not connecting? Is there any way I can trace the routes?

1 Answer

According to the docs, redis-cli doesn't support SSL or TLS:

To access data from ElastiCache for Redis nodes enabled with in-transit encryption, you use clients that work with Secure Socket Layer (SSL). However, redis-cli doesn't support SSL or Transport Layer Security (TLS).

https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/in-transit-encryption.html#connect-tls

You can use stunnel as a work-around:

setuid = root
setgid = root
pid = /var/run/stunnel.pid
debug = 7
delay = yes
options = NO_SSLv2
options = NO_SSLv3

[redis-cli]
client = yes
accept = 127.0.0.1:6379
connect = my-project-0001-001.my-project.abczy.use1.cache.amazonaws.com:6379

[redis-cli-replica1]
client = yes
accept = 127.0.0.1:6380
connect = my-project-0002-001.my-project.abczy.use1.cache.amazonaws.com:6379

[redis-cli-replica2]
client = yes
accept = 127.0.0.1:6381
connect = my-project-0003-001.my-project.abczy.use1.cache.amazonaws.com:6379

start stunnel

sudo stunnel /etc/stunnel/redis-cli.conf 

connect using redis-cli:

redis-cli -c -h localhost -p 6379 -a auth_token
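
A stunnel client service encrypts the connection but, with stunnel's defaults, does not validate the server certificate. As an added example (not part of the original answer), the shell function below turns a `rediss://` URI like the one in the question into one stunnel service per node with verification enabled. It assumes stunnel 5.x for `verifyChain` and `checkHost`; the function name, the `redis-<port>` section names and the default CA bundle path are assumptions made here.

```shell
#!/bin/sh
# Added example (not from the original answer): emit one stunnel client service
# per node of a Lettuce-style rediss:// URI, with certificate verification on.
# Assumes stunnel 5.x (verifyChain/checkHost) and an assumed CA bundle path.
gen_stunnel_services() {
    uri=$1
    ca_file=${2:-/etc/pki/tls/certs/ca-bundle.crt}  # assumption: adjust per distro
    lport=${3:-6379}                                 # first local listener port

    case $uri in
        rediss://*) nodes=${uri#rediss://} ;;
        redis://*)  echo "redis:// is plaintext; no TLS tunnel needed" >&2; return 1 ;;
        *)          echo "unsupported URI scheme" >&2; return 1 ;;
    esac
    nodes=${nodes##*@}        # drop userinfo so no password lands in the config
    nodes=${nodes%%[/?]*}     # drop any database path or query string

    old_ifs=$IFS; IFS=,
    set -f; set -- $nodes; set +f   # split on commas without globbing
    IFS=$old_ifs

    for node in "$@"; do
        case $node in
            *:*) host=${node%:*}; rport=${node##*:} ;;
            *)   host=$node; rport=6379 ;;
        esac
        # Reject anything that could smuggle extra directives into the file.
        case $host in
            ''|*[!A-Za-z0-9.-]*) echo "bad host: $host" >&2; return 1 ;;
        esac
        case $rport in
            ''|*[!0-9]*) echo "bad port: $rport" >&2; return 1 ;;
        esac
        printf '[redis-%s]\n' "$lport"
        printf 'client = yes\n'
        printf 'accept = 127.0.0.1:%s\n' "$lport"
        printf 'connect = %s:%s\n' "$host" "$rport"
        printf 'CAfile = %s\n' "$ca_file"
        printf 'verifyChain = yes\n'          # validate the chain against CAfile
        printf 'checkHost = %s\n\n' "$host"   # certificate must match this name
        lport=$((lport + 1))
    done
}

# The URI from the question, as sample input.
gen_stunnel_services "rediss://my-project-0001-001.my-project.abczy.use1.cache.amazonaws.com:6379,my-project-0002-001.my-project.abczy.use1.cache.amazonaws.com:6379,my-project-0003-001.my-project.abczy.use1.cache.amazonaws.com:6379"
```

The output is meant to be placed below the global options in the stunnel configuration file; local ports count up from 6379, matching the layout in the answer.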
