Troubleshooting Redis/Valkey Connectivity Mismatch (TLS/SSL) in Tanzu Platform

Article ID: 435237

Products

VMware Tanzu Platform - Cloud Foundry VMware Tanzu Platform Spring VMware Tanzu Platform Spring Essentials VMware Tanzu Spring Essentials VMware Tanzu Spring Runtime VMware Tanzu Spring Runtime - SM Developer Support only for Spring Enterprise Developer Support for Spring

Issue/Introduction

Applications deployed to Tanzu Platform (Cloud Foundry/TAS/EAR) may fail to connect to a Redis/Valkey Tile service instance even when the service is bound and the application is in a running state.

Common symptoms include:

  • Application logs show Connection reset by peer, UnsatisfiedDependencyException, or RedisConnectionException.

  • The application may crash during startup or return 500 Internal Server Error when performing cache operations.

  • Standard network tests like nc -zv <host> <port> succeed, but data transfer fails.


Most importantly, check the Redis service instance logs by SSHing into the instance through the BOSH CLI. If you see the following error, a TLS mismatch is confirmed:

Error accepting a client connection: error:0A00010B:SSL routines::wrong version number

Environment

Valkey Tile

Cause

If TLS is set to Optional or Enforced under the Configure On-Demand Service Settings section, the corresponding apps must be configured to use TLS.

This article covers the settings to update for Spring and Steeltoe apps. Other frameworks and languages may need further configuration to ensure they use the TLS port.

Resolution

1) Check the credentials under the VCAP_SERVICES section for the Valkey service instance and verify which port is being used. It should be 16379.

2) Update your manifest.yml to use the SSL property with the .enabled suffix (SPRING_DATA_REDIS_SSL_ENABLED) and ensure the Java Buildpack trusts the platform certificates. Add the following environment variables:

    SPRING_DATA_REDIS_SSL_ENABLED: "true"
    SPRING_REDIS_PORT: 16379
    TRUST_CERTS: "true"

Sample manifest section:

applications:
- name: your-app
  env:
    # Explicitly enable SSL using the SB 3.x property path
    SPRING_DATA_REDIS_SSL_ENABLED: "true"
    # Ensure the Java Buildpack imports the Cloud Foundry Root CA
    TRUST_CERTS: "true"
    SPRING_REDIS_PORT: 16379
  services:
    - your-redis-service

3) Re-push the application. Once it has started, verify that the Redis service is healthy and accepting the password over TLS by running a manual test from the app container:

(echo -e "AUTH <your_password>\r\nPING\r\nQUIT";) | openssl s_client -connect <redis_host>:16379 -quiet
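
The symptom listed above, where nc -zv succeeds but data transfer fails, can be narrowed down with a probe that reports which protocol the port expects. This is an added example, not part of the original article or of any VMware tooling; the function names classify_reply and probe are hypothetical, and the host and port are taken from the command line.

```python
import socket
import ssl
import sys


def classify_reply(data: bytes) -> str:
    """Classify the bytes a listener returned after a plaintext PING."""
    if data[:1] in (b"+", b"-"):
        # RESP simple string or error (+PONG, -NOAUTH ...): the port speaks plaintext.
        return "plaintext"
    if len(data) >= 2 and data[0] in (0x15, 0x16) and data[1] == 0x03:
        # TLS alert (0x15) or handshake (0x16) record header.
        return "tls"
    if not data:
        # Peer closed or reset without answering, as a TLS listener does
        # when the first bytes it receives are not a ClientHello.
        return "no-reply"
    return "unknown"


def probe(host: str, port: int, timeout: float = 3.0) -> str:
    """Go one step beyond `nc -zv`: report which protocol the port expects."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(b"PING\r\n")
            try:
                data = s.recv(64)
            except OSError:  # reset or timeout while waiting for a reply
                data = b""
    except OSError:
        return "unreachable"
    verdict = classify_reply(data)
    if verdict == "plaintext":
        return verdict
    # Confirm with a real handshake, verified against this host's trust store.
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return "tls, handshake ok (" + str(tls.version()) + ")"
    except ssl.SSLCertVerificationError:
        return "tls, but the certificate is not trusted by this client"
    except OSError:  # includes ssl.SSLError
        return verdict


if __name__ == "__main__":
    print(probe(sys.argv[1], int(sys.argv[2])))
```

An "unreachable" result points to networking rather than TLS. A "not trusted" result means the host running the probe lacks the platform CA, the same trust problem the TRUST_CERTS setting addresses for the Java Buildpack.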

 

Additional Information

Reference Docs:

https://techdocs.broadcom.com/us/en/vmware-tanzu/platform/tanzu-valkey-tanzu-platform/4-0/valkey-tp/installing.html

https://techdocs.broadcom.com/us/en/vmware-tanzu/platform/tanzu-valkey-tanzu-platform/4-0/valkey-tp/preparing-tls.html

https://docs.spring.io/spring-cloud-dataflow-admin-cloudfoundry/docs/1.1.x/reference/html/_configuration_reference.html#_self_signed_ssl_certificate_and_spring_cloud_config_server