Getting ERR_TLS_CERT_ALTNAME_INVALID when connecting to Azure Redis Enterprise Cluster #2903

Open
felipecrescencio opened this issue Feb 27, 2025 · 0 comments

Description

Hi,

I deployed an Azure Redis Enterprise cluster as follows:

  • Azure type: Microsoft.Cache/redisEnterprise
  • sku
    • name: Enterprise_E10
    • capacity: 2
  • Clustering Policy: OSSCluster
  • Maxmemory policy: VolatileLRU

I am getting the following issue when trying to connect to my cluster's private endpoint (the full output is in the Logs field):

Redis Cluster error Error [ERR_TLS_CERT_ALTNAME_INVALID]: Hostname/IP does not match certificate's altnames: IP: [my private endpoint IP] is not in the cert's list: 
    at Object.checkServerIdentity (node:tls:337:12)
    at TLSSocket.onConnectSecure (node:_tls_wrap:1695:27)
    at TLSSocket.emit (node:events:519:28)
    at TLSSocket._finishInit (node:_tls_wrap:1085:8)
    at ssl.onhandshakedone (node:_tls_wrap:871:12) {
...

I am using:

  • node v20.17.0
  • node-redis version 4.7.0

Here is the Node.js code.

If I ignore TLS certificate validation using rejectUnauthorized: false, my code works.

Could you help me fix this issue?

Node.js Version

v20.17.0

Redis Server Version

7.2.4

Node Redis Version

4.7.0

Platform

Linux 5.15.173.1-1.cm2 x86_64 arch_bits:64

Logs

Redis Cluster error Error [ERR_TLS_CERT_ALTNAME_INVALID]: Hostname/IP does not match certificate's altnames: IP: [my private endpoint IP] is not in the cert's list: 
    at Object.checkServerIdentity (node:tls:337:12)
    at TLSSocket.onConnectSecure (node:_tls_wrap:1695:27)
    at TLSSocket.emit (node:events:519:28)
    at TLSSocket._finishInit (node:_tls_wrap:1085:8)
    at ssl.onhandshakedone (node:_tls_wrap:871:12) {
  code: 'ERR_TLS_CERT_ALTNAME_INVALID',
  reason: "IP: [my private endpoint IP] is not in the cert's list: ",
  host: '[my private endpoint IP]',
  cert: {
    subject: [Object: null prototype] {
      C: 'US',
      ST: 'WA',
      L: 'Redmond',
      O: 'Microsoft Corporation',
      CN: '*.westus3.redisenterprise.cache.azure.net'
    },
    issuer: [Object: null prototype] {
      C: 'US',
      O: 'Microsoft Corporation',
      CN: 'Microsoft Azure RSA TLS Issuing CA 03'
    },
    subjectaltname: 'DNS:my-redis.westus3.redisenterprise.cache.azure.net, DNS:*.westus3.redisenterprise.cache.azure.net',
    infoAccess: [Object: null prototype] {
      'CA Issuers - URI': [Array],
      'OCSP - URI': [Array]
    },
    ca: false,
    modulus: '[REDACTED_MODULUS]',
    bits: 2048,
    exponent: '0x10001',
    pubkey: <Buffer [REDACTED_BUFFER]>,
    valid_from: '[REDACTED_DATE]',
    valid_to: '[REDACTED_DATE]',
    fingerprint: '[REDACTED_FINGERPRINT]',
    fingerprint256: '[REDACTED_FINGERPRINT256]',
    fingerprint512: '[REDACTED_FINGERPRINT512]',
    ext_key_usage: [ '1.3.6.1.5.5.7.3.2', '1.3.6.1.5.5.7.3.1' ],
    serialNumber: '[REDACTED_SERIAL]',
    raw: <Buffer [REDACTED_BUFFER]>,
    issuerCertificate: {
      subject: [Object: null prototype],
      issuer: [Object: null prototype],
      infoAccess: [Object: null prototype],
      ca: true,
      modulus: '[REDACTED_ISSUER_MODULUS]',
      bits: 4096,
      exponent: '0x10001',
      pubkey: <Buffer [REDACTED_BUFFER]>,
      valid_from: '[REDACTED_DATE]',
      valid_to: '[REDACTED_DATE]',
      fingerprint: '[REDACTED_FINGERPRINT]',
      fingerprint256: '[REDACTED_FINGERPRINT256]',
      fingerprint512: '[REDACTED_FINGERPRINT512]',
      ext_key_usage: [Array],
      serialNumber: '[REDACTED_ISSUER_SERIAL]',
      raw: <Buffer [REDACTED_BUFFER]>,
      issuerCertificate: [Object]
    }
  }
}
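
Added example, not part of the original issue or of node-redis: the log shows Node's tls.checkServerIdentity being given an IP while the certificate's SAN lists only DNS names. The code below reproduces that check on constructed certificate fields and shows a name-pinned checkServerIdentity that keeps verification on instead of rejectUnauthorized: false; identityCheckFor, tlsOptionsFor, identityResult and the IP 10.0.0.5 are assumptions, and how a given Redis client forwards these options to tls.connect is not shown on the page.

```javascript
const tls = require('node:tls');
const net = require('node:net');

// Constructed certificate fields mirroring the subject and SAN in the log above.
const sampleCert = {
  subject: { CN: '*.westus3.redisenterprise.cache.azure.net' },
  subjectaltname:
    'DNS:my-redis.westus3.redisenterprise.cache.azure.net, ' +
    'DNS:*.westus3.redisenterprise.cache.azure.net',
};

// Hypothetical helper: returns a checkServerIdentity callback that validates the
// certificate against the DNS name we expect, regardless of the address dialed.
function identityCheckFor(expectedHost) {
  if (net.isIP(expectedHost) !== 0) {
    throw new TypeError('expectedHost must be a DNS name, not an IP address');
  }
  return (_dialedHost, cert) => tls.checkServerIdentity(expectedHost, cert);
}

// Hypothetical helper: options for tls.connect() that dial an IP but keep both
// chain validation and name validation switched on.
function tlsOptionsFor(ip, expectedHost) {
  return {
    host: ip,
    servername: expectedHost,   // SNI sent to the server
    rejectUnauthorized: true,   // chain validation stays enabled
    checkServerIdentity: identityCheckFor(expectedHost),
  };
}

// Error code Node would raise for this host/cert pair, or null on a match.
function identityResult(check, host, cert) {
  const err = check(host, cert);
  return err ? err.code : null;
}

const ip = '10.0.0.5'; // constructed stand-in for the private endpoint IP
const name = 'my-redis.westus3.redisenterprise.cache.azure.net';
console.log(identityResult(tls.checkServerIdentity, ip, sampleCert));
console.log(identityResult(tlsOptionsFor(ip, name).checkServerIdentity, ip, sampleCert));
```

With a pinned name, any certificate valid for that name is accepted at the dialed address, so the expected name must come from trusted configuration and never from a value the server returns.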