I am trying to get Redis 6 (with TLS enabled during compilation; tests after compilation were successful) to work. I am using a Let's Encrypt certificate and the following configuration:
tls-port 63790
tls-cert-file /etc/letsencrypt/live/myserver.net/cert.pem
tls-key-file /etc/letsencrypt/live/myserver.net/privkey.pem
tls-ca-cert-dir /etc/letsencrypt/live/myserver.net/
tls-auth-clients no
tls-protocols "TLSv1.2 TLSv1.3"
and this client command from localhost:
redis-cli --tls --cert /etc/letsencrypt/live/myserver.net/cert.pem --key /etc/letsencrypt/live/myserver.net/privkey.pem --cacert /etc/letsencrypt/live/myserver.net/fullchain.pem -h myserver.net -p 63790 -a password
Warning: Using a password with '-a' or '-u' option on the command line interface may not be safe. Could not connect to Redis at myserver.net:63790: SSL_connect failed: certificate verify failed
This is the output from the Redis log: Error accepting a client connection: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
When I use the openssl client with the same certificates, I am able to connect and get a ping reply from the Redis server.
It makes no difference if I change
tls-ca-cert-dir /etc/letsencrypt/live/myserver.net/
to
tls-ca-cert
on the server side, or --cacert /etc/letsencrypt/live/myserver.net/fullchain.pem to chain.pem on the client side. I tried all versions of
tls-protocols ""
and change
tls-auth-clients no
to
tls-auth-clients optional
but I am still stuck with the same error.
OpenSSL version is 1.1.1; Redis version is 6.0.8; OS: Ubuntu 20.04.
Can you help me find out the reason why TLS is not working, please?
Thank you
Wil
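The two server settings in the post that interact with OpenSSL's trust lookup are `tls-cert-file` (a PEM file that OpenSSL reads as leaf certificate followed by any chain certificates) and `tls-ca-cert-dir` (passed to OpenSSL as a CApath, whose lookup only opens files named `<subject-hash>.<n>` as produced by `openssl rehash` / `c_rehash`). The pre-flight script below is an added example written for this thread, not code from the poster or from Redis: it counts the certificates in the configured files and lists which entries in the CA directory the hashed lookup would actually see. It builds a constructed copy of a `/etc/letsencrypt/live/<name>/` layout with dummy PEM blocks (labelled as constructed in the code; they are not real certificates), so it runs offline; point `check_tls_config` at a real `redis.conf` mapping to inspect a live host.

```python
"""Pre-flight check for the tls-* settings of a Redis 6 config.
Added example for this thread; not Redis code. Config keys are the ones from the post."""
import re
import tempfile
from pathlib import Path
from typing import Dict, List

# One PEM certificate block; re.S lets '.' span the base64 lines.
PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)
# OpenSSL's hashed CApath lookup only opens names like 4042bcee.0 (<subject-hash>.<n>).
HASHED_NAME_RE = re.compile(r"^[0-9a-f]{8}\.[0-9]+$")


def count_pem_certs(path: Path) -> int:
    """Number of CERTIFICATE blocks in a PEM file: 1 = leaf only, >1 = leaf plus chain."""
    return len(PEM_CERT_RE.findall(path.read_text()))


def hashed_entries(ca_dir: Path) -> List[str]:
    """File names in the CA directory that a hashed CApath lookup would consider at all."""
    return sorted(p.name for p in ca_dir.iterdir() if HASHED_NAME_RE.match(p.name))


def check_tls_config(cfg: Dict[str, str]) -> List[str]:
    """Return human-readable findings for a redis.conf-style mapping of tls-* keys."""
    findings: List[str] = []
    cert = cfg.get("tls-cert-file")
    if cert:
        n = count_pem_certs(Path(cert))
        findings.append(f"tls-cert-file: {n} certificate(s) in {cert}")
        if n == 1:
            findings.append("tls-cert-file holds only the leaf certificate; a peer that does not "
                            "already trust the issuing intermediate cannot build a chain from it. "
                            "Let's Encrypt's fullchain.pem contains the leaf and the intermediate.")
    ca_dir = cfg.get("tls-ca-cert-dir")
    if ca_dir:
        hashed = hashed_entries(Path(ca_dir))
        if hashed:
            findings.append(f"tls-ca-cert-dir: hashed entries {hashed}")
        else:
            findings.append(f"tls-ca-cert-dir {ca_dir} has no <hash>.<n> entries, so the hashed "
                            "lookup finds no CA certificate there; run `openssl rehash` on a "
                            "dedicated CA directory or point a CA-file setting at a PEM bundle.")
    return findings


def fake_cert(label: str) -> str:
    """A constructed PEM-shaped block for the demo; NOT a real certificate."""
    return f"-----BEGIN CERTIFICATE-----\nCONSTRUCTED-{label}\n-----END CERTIFICATE-----\n"


def build_constructed_layout(root: Path) -> Dict[str, str]:
    """Mimic /etc/letsencrypt/live/<name>/ with dummy files; return a config like the post's."""
    live = root / "live" / "myserver.net"          # constructed path, mirrors the post
    live.mkdir(parents=True)
    (live / "cert.pem").write_text(fake_cert("leaf"))
    (live / "chain.pem").write_text(fake_cert("intermediate"))
    (live / "fullchain.pem").write_text(fake_cert("leaf") + fake_cert("intermediate"))
    (live / "privkey.pem").write_text(
        "-----BEGIN PRIVATE KEY-----\nCONSTRUCTED\n-----END PRIVATE KEY-----\n")
    return {
        "tls-cert-file": str(live / "cert.pem"),
        "tls-key-file": str(live / "privkey.pem"),
        "tls-ca-cert-dir": str(live),
        "tls-auth-clients": "no",
    }


def run_demo() -> Dict[str, object]:
    """Build the constructed layout in a temp dir and return counts plus findings."""
    with tempfile.TemporaryDirectory() as tmp:
        cfg = build_constructed_layout(Path(tmp))
        live = Path(cfg["tls-ca-cert-dir"])
        return {
            "cert_count": count_pem_certs(live / "cert.pem"),
            "fullchain_count": count_pem_certs(live / "fullchain.pem"),
            "hashed": hashed_entries(live),
            "findings": check_tls_config(cfg),
        }


if __name__ == "__main__":
    for line in run_demo()["findings"]:
        print(line)
```

On the layout from the post, the report shows one certificate in `cert.pem`, two in `fullchain.pem`, and no hash-named entries in the Let's Encrypt live directory, which is the information to compare against what `openssl s_client` showed when it connected successfully.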