Ai2 app ssl connection in redis labs?

I can’t use my SSL on the Redis Labs server …
… in my application, which is built here in App Inventor. There is a module named “CloudDB1” with only these parameters: ProjectID, which I named redis database; RedisServer, where I placed the server address; RedisPort, where I placed the port number; Token, for the server password; and also the checkbox “UseSSL”, which I ticked.
I switched SSL on and a certificate fingerprint was generated. What must I do with this, or how can I use my app?

If you are using the “free” RedisLabs server, then SSL will not work, you have to pay to get SSL.
In AI2 just untick the SSL box and it will work (but without SSL).

Oh, I can see you are paying for SSL?

If so, the AI2 CloudDB should “just work”, if you have all the connection data entered correctly:

Redis Port - whatever is after the colon for the endpoint
RedisServer - use your server’s domain name url - everything before the colon for the endpoint
Token - use your Redis Password
UseSSL - check the box !

I did exactly that, but I received this error message

[Image: screenshot of the error message]

We might need to check with Jeff at MIT…I will assign.

https://docs.redislabs.com/latest/rc/administration/security/securing-redis-cloud-connections/

I did this:

Generate a Certificate:

  1. Use the Generate Client Certificate button to generate a client certificate.
  2. The generated certificate’s public key is shown in the textbox.
  3. This also triggers an automatic download of a zip archive with the following contents:
    a. redislabs_user.crt - the certificate’s public key.
    b. redislabs_user_private.key - the certificate’s private key.
    c. redislabs_ca.pem - the service’s certification authority.
  4. Click the Update button to apply the changes to your resource.
    Important: Once SSL is enabled, your database no longer accepts regular, non-SSL connections.

but it is still not working…

How do I get the authentication certificate into my app, or is it not necessary?

Should not be necessary. Wait for Jeff…

The way SSL works is that the server presents a certificate which contains a public key which is used to set up the SSL session and prove that the server is who it claims to be.

The server’s certificate is itself signed by another certificate which is in turn signed by another certificate until you get to the “root” certificate, known as the “Trust Anchor.” Each device comes configured with a default set of Trust Anchors (there are a lot of them!). The error message you are seeing means that your device didn’t have the Trust Anchor that RedisLabs certificate chained up to.

There isn’t much we can do about it. If you send me your end-point (so I can use some debugging tools to learn what Trust Anchor it is using) I can see if it is some uncommon Trust Anchor, or if some other problem is going on (you can send private e-mail to me at jis@mit.edu).

Recently (May 20th) a major Trust Anchor expired. Organizations that had certificates that chained to this Trust Anchor needed to make a configuration change so their certificates would chain to a valid Anchor. It may be the case that RedisLabs needs to do this, but until I can test, I cannot say for sure.

-Jeff

OK. So, here is your problem. RedisLabs uses their own certificate hierarchy with their own root Trust Anchor. However, this Trust Anchor is not installed in any system. On Mac/Windows and Linux you can configure your own Trust Anchor, and therefore can install their Trust Anchor.

However, you cannot do this with Android and iOS (it is actually a significant security exposure to do so).

You should complain to RedisLabs that they should use a public Trust Anchor. There really is no excuse to not do so, particularly since they are taking your money.

-Jeff
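
The failure Jeff describes can be reproduced offline with the `openssl` command-line tool. This is an added example, not part of the original thread: it builds a throwaway private root CA (the names `Demo Private Root CA` and `redis.example.test` are made up), issues a server certificate from it, and checks that certificate first against the default trust store and then with the private root supplied.

```shell
#!/bin/sh
# Constructed demo: a server certificate issued by a private root CA fails
# validation against the default trust store and passes only when that root
# is supplied explicitly. All names below are made up for this example.
set -e

make_demo_pki() {            # $1 = directory to write keys/certs into
  d="$1"
  cat > "$d/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions    = v3_ca
prompt             = no
[dn]
CN = Demo Private Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage         = critical,keyCertSign,cRLSign
EOF
  # Self-signed root: stands in for a provider's own Trust Anchor.
  openssl req -x509 -config "$d/ca.cnf" -newkey rsa:2048 -nodes -days 30 \
    -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
  # Server key and CSR, then a leaf certificate signed by the private root.
  openssl req -new -config "$d/ca.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=redis.example.test" \
    -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null
  openssl x509 -req -in "$d/server.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -days 30 -out "$d/server.crt" 2>/dev/null
}

# Prints "trusted" or "untrusted". Extra arguments after the certificate
# path are passed to `openssl verify` to select the trust store.
verify_with() {
  cert="$1"; shift
  if openssl verify "$@" "$cert" 2>/dev/null | grep -q ': OK$'; then
    echo trusted
  else
    echo untrusted
  fi
}

demo_dir=$(mktemp -d)
make_demo_pki "$demo_dir"
echo "default trust store : $(verify_with "$demo_dir/server.crt")"
echo "private root added  : $(verify_with "$demo_dir/server.crt" -CAfile "$demo_dir/ca.pem")"
rm -rf "$demo_dir"
```

The first check is what a client sees when its trust store lacks the issuing root; the second corresponds to a desktop system where that root has been installed by hand.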

Thanks for helping out Jeff.

Crazy positioning by Redis!

So, I wrote to Redis Labs support and their answer is here:

"Our certificate works in a way that it is tuned to the DB and its cluster. There is little flexibility there. We cannot change our SSL process as it fits all DBs in this cluster. We do provide more flexibility to our Redis software but it’s not a managed option.

Saying that I do recommend to avoid connecting to Redis from mobile OS, this is not scalable and will not work well. Redis DB is meant for low latency access and access from Redis doesn’t work well for a DB like Redis.

Please let me know if you would like me to remove SSL from your subscription to avoid unneeded extra charges."

Can you suggest another host where SSL with CloudDB (with an app made in App Inventor) works well? Or what do I need to do?

I do not know, I guess, as with Redis, you will just have to try them (Google/Amazon/Azure/Other).

What I do know works, and as suggested before, is setting up your own redis server on your own server:

HOWTO: Setup Redis Server with SSL for use with AI2

When I am looking for a host who can provide SSL applicable to my case (taking into account the whole topic), how should I ask the host's support? Because I didn't really understand why I couldn't use it in Redislabs ...
What and how should I ask?

The situation seems sad if it is not possible to make your own server, because with the apps made here, SSL does not work with any host. Everywhere I've researched, I get similar answers: "So I've tested Appinventor and I don't see either how to do it. I don't think they are compatible, sorry."
Does this mean that apps with a cloud database that are made here cannot be safely used anywhere else?

It should be possible to run your own server. You just need a Linux VPS (virtual server) with redis software installed. You can use the stunnel program to get SSL working. You will need a certificate, which can be obtained for free from Letsencrypt.

I said that I cannot make or run my own server.

Does that mean I can't get a secure connection anywhere other than here?

What is stopping you? I got a VPS server for £1.20 per month from IONOS....cheaper than @ $7 per month for the redislabs base account...