Incorrect SSL certificate for redis cache with private endpoint configuration

Question

Incorrect SSL certificate for redis cache with private endpoint configuration

David Noriega 41

The ssl certificate used by the redis service does not include *.privatelink.redis.cache.windows.net as a subject alternative name. Instead it has .redis.cache.windows.net configured twice.

Oury Ba-MSFT 20,911 Reputation points Microsoft Employee Moderator

2022-01-20T21:47:28.39+00:00

Hi @David Noriega Thank you for posting your question on Microsoft Q&A.

This could be a bug in the Azure Redis Cache SSL certificate. We are investigating with the product team.

Regards,
Oury
Oury Ba-MSFT 20,911 Reputation points Microsoft Employee Moderator

2022-01-26T07:44:28.21+00:00

Hi @David Noriega We are still working with our product group to find the root cause of the issue. We will post the question shortly.

Regards,
Oury
Martin Polak 6 Reputation points

2022-01-31T14:16:13.503+00:00

Any update on this? We ran into the same issue.

Accepted answer

1 additional answer

Your answer

Oury Ba-MSFT 20,911 Reputation points Microsoft Employee Moderator

2022-01-20T21:47:28.39+00:00

Hi @David Noriega Thank you for posting your question on Microsoft Q&A.

This could be a bug in the Azure Redis Cache SSL certificate. We are investigating with the product team.

Regards,
Oury
Oury Ba-MSFT 20,911 Reputation points Microsoft Employee Moderator

2022-01-26T07:44:28.21+00:00

Hi @David Noriega We are still working with our product group to find the root cause of the issue. We will post the question shortly.

Regards,
Oury
Martin Polak 6 Reputation points

2022-01-31T14:16:13.503+00:00

Any update on this? We ran into the same issue.

Answer 1

ShrutiPathak-MSFT 81 Microsoft Employee

As documented here: https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns#azure-services-dns-zone-configuration, {cachename}.redis.cache.windows.net is a canonical name to {cachename}.privatelink.redis.cache.windows.net and it is recommended to use {cachename}.redis.cache.windows.net in all client applications/connection strings. We will update our documentation with this recommendation. Please note that the private DNS zone that is created in your subscription is vital for TLS communication and should not be removed.

Oury Ba-MSFT 20,911 Reputation points Microsoft Employee Moderator

2022-02-03T20:47:41.45+00:00

@ShrutiPathak-MSFT Thank you for your contribution and for clarifying this.
@David Noriega Shruti is from Azure Redis Cache product Group.

Hope that you are satisfied with the answer she provided.

Please do not forget to mark as accepted answer if the information is helpful.

Regards,
Oury
Oury Ba-MSFT 20,911 Reputation points Microsoft Employee Moderator

2022-02-07T16:12:15.867+00:00

@David Noriega Please do not forget to mark as accepted answer if the information is helpful. If you have any further question, please feel free to ask.

Regards,
Oury

Answer 2

Oury Ba-MSFT 20,911 Microsoft Employee Moderator

Hi @David Noriega Thank you for being patient while working on this issue.
Could you please try using the *.redis.cache.windows.net hostname rather than *.privatelink.redis.cache.windows.net. Let us know if that works
We will also update documentation to be more clear.

Regards,
Oury

Martin Polak 6 Reputation points

2022-02-02T08:34:22.92+00:00

It works for me that way. Is it working like that for all private endpoints for all resources? What's the point of creating Private DNS Zone in that case?
David Noriega 41 Reputation points

2022-02-02T22:07:03.527+00:00

I have had to use the *.redis.cache.windows.net name, but like Martin points out, it is confusing to have to create a whole dns zone to have a private endpoint that doesnt work with ssl

Share via

Incorrect SSL certificate for redis cache with private endpoint configuration

1 additional answer

Your answer