fix(redis): apply TLS SNI override to pub/sub clients too

TheodoreSpeaks · TheodoreSpeaks · commit b58fa66e0ea3 · 2026-05-16T20:22:30.000-07:00
Pub/sub clients in lib/events/pubsub.ts build their own ioredis instances
directly via new Redis(redisUrl, ...) because pub/sub needs dedicated
connections (can't multiplex on the shared client from getRedisClient).
That path skipped the resolveTlsOptions helper added for trigger.dev's
PrivateLink VPCE IP, so every pub/sub channel hit
'Hostname/IP does not match certificate's altnames' on connect.

Export the helper as resolveRedisTlsOptions and use it from pubsub.ts.
diff --git a/apps/sim/lib/core/config/redis.ts b/apps/sim/lib/core/config/redis.ts
@@ -16,7 +16,9 @@ const redisUrl = env.REDIS_URL
  *
  * For DNS hosts: no override needed, default verification works.
  */
-function resolveTlsOptions(url: string | undefined): { servername: string } | undefined {
+export function resolveRedisTlsOptions(
+  url: string | undefined
+): { servername: string } | undefined {
   if (!url) return undefined
   let parsed: URL
   try {
@@ -117,7 +119,7 @@ export function getRedisClient(): Redis | null {
   if (globalRedisClient) return globalRedisClient
 
   // Outside the try/catch so config errors aren't silently swallowed.
-  const tls = resolveTlsOptions(redisUrl)
+  const tls = resolveRedisTlsOptions(redisUrl)
 
   try {
     logger.info('Initializing Redis client')
diff --git a/apps/sim/lib/events/pubsub.ts b/apps/sim/lib/events/pubsub.ts
@@ -9,6 +9,7 @@ import { EventEmitter } from 'events'
 import { createLogger } from '@sim/logger'
 import Redis, { type RedisOptions } from 'ioredis'
 import { env } from '@/lib/core/config/env'
+import { resolveRedisTlsOptions } from '@/lib/core/config/redis'
 
 const logger = createLogger('PubSub')
 
@@ -33,6 +34,8 @@ class RedisPubSubChannel<T> implements PubSubChannel<T> {
     redisUrl: string,
     private config: PubSubChannelConfig
   ) {
+    const tls = resolveRedisTlsOptions(redisUrl)
+
     const commonOpts = {
       keepAlive: 1000,
       connectTimeout: 10000,
@@ -42,6 +45,7 @@ class RedisPubSubChannel<T> implements PubSubChannel<T> {
         if (times > 10) return 30000
         return Math.min(times * 500, 5000)
       },
+      ...(tls ? { tls } : {}),
     } satisfies RedisOptions
 
     this.pub = new Redis(redisUrl, { ...commonOpts, connectionName: `${config.label}-pub` })
