
AWS Elasticache + TLS + Hostname Verification

about 7 years ago · Mar 14, 2026

Problem

Tested Using

Node.js v10.13.0, ioredis v4.2.3, AWS Clustered Redis Elasticache (3 nodes, in-transit and at-rest encryption enabled)

Problem

When connecting to a Redis cluster, a list of nodes (`host` and `port` combinations) is given. In the cluster connection logic, the list of node hostnames is then resolved to IP addresses. For the nodes whose hostnames were successfully resolved to IP addresses, the logic then overwrites the given `host` for that node with the resolved IP address.

Normally this would not be an issue, but when connecting to a Redis cluster via TLS (such as AWS encrypted Elasticache) this can cause issues with Node.js' built-in TLS hostname verification. Basically, if the IP address of the node does not appear in the certificate received from the server, then the hostname verification step will fail, causing the connection to fail.

Example

Running the following code:

[code block]

ran with `DEBUG=ioredis: node index.js` produces the following logs:

[code block]

where `clustercfg.xxx.use1.cache.amazonaws.com` is the cluster hostname and `aaa.bbb.ccc.ddd` is the IP address the hostname resolves to. Note the following debug log message:

[code block]

Workaround

My current workaround is to bypass the TLS hostname verification step with a custom `checkServerIdentity` function:

[code block]

Additional Notes

I also experimented with changing part of the cluster connection logic (`resolveStartupNodeHostnames`) so that it does not overwrite the

Error Output

error: Error [ERR_TLS_CERT_ALTNAME_INVALID]: Hostname/IP does not match certificate's altnames: IP: aaa.bbb.ccc.ddd is not in the cert's list:  +0ms


Solution: AWS Elasticache + TLS + Hostname Verification

Redis always returns IPs instead of hostnames as node info for commands like `CLUSTER SLOTS` (in other words, Redis cluster doesn't support hostnames at all). If ioredis doesn't resolve hostnames to IPs, when people provide hostnames as startup nodes info, we can't tell whether the node addresses returned from Redis (which are IPs) are the same ones we've got (which are hostnames).

However, encrypted Elasticache makes some changes to the official Redis that make it return hostnames. To solve the problem, we can simply disable the DNS lookup (by returning hostnames directly):

Validation

Resolved in redis/ioredis GitHub issue #754. Community reactions: 1 upvote.


Submitted by Alex Chen

Tags: redis, ioredis, cache