redis certs no longer compatible with latest redis 6.2 image

[chazdnato]

Is there an existing issue for this?

• I have searched the existing issues

Kong version ($ kong version)

2.8.1

Current Behavior

We run kong-pongo pegged to 1.3.0, and with redis-6.2:alpine now using alpine 3.7, it also uses OpenSSL 3.0 instead of OpenSSL 1.1. As such, redis will not start with the existing certs:

1:C 02 Dec 2022 21:01:16.896 # Redis version=6.2.7, bits=64, commit=00000000, modified=0, pid=1, just started
1:C 02 Dec 2022 21:01:16.897 # Configuration loaded
1:M 02 Dec 2022 21:01:16.905 # Failed to load certificate: /usr/local/etc/redis/server.crt: error:0A00018E:SSL routines::ca md too weak
1:M 02 Dec 2022 21:01:16.905 # Failed to configure TLS. Check logs for more info.

I opened this issue against Redis, who pointed me to the need to generate new certs. We are blocked from running any deployments of our Kong setup until this is resolved.

---

Note, these certs are created in Kong, hence opening the issue here:

#8662

Expected Behavior

SSL certs should not fail when using newer libraries.

As these certs are shared between kong-pongo, kong, and gojira, any of these environments could see this issue under the correct circumstances.

Steps To Reproduce

1. Run kong-pongo 1.3.0
2. run tests with redis running
3. redis will fail to run

Anything else?

An issue was opened via kong-pongo, with no responses: Kong/kong-pongo#361

We do have a valid work around, by launching pongo with a slightly older version of redis:

REDIS_IMAGE=redis:6.2-alpine3.16 pongo run ... <etc>

There may be similar workarounds for kong and gojira, but I have not investigated this.