The Fix
pip install celery==4.4.0rc5
Based on closed celery/celery issue #5702 · PR/commit linked
Production note: This usually shows up under retries/timeouts. Treat it as a side-effect risk until you can verify behavior with a canary + real traffic.
@@ -272,3 +272,4 @@ Florian Chardin, 2018/10/23
Fabio Todaro, 2019/06/13
Shashank Parekh, 2019/07/11
+Arel Cordero, 2019/08/29
diff --git a/celery/backends/redis.py b/celery/backends/redis.py
index 3c04d134aa7..5f86a940b97 100644
ssl_string_to_constant = {'CERT_REQUIRED': CERT_REQUIRED,
'CERT_OPTIONAL': CERT_OPTIONAL,
'CERT_NONE': CERT_NONE,
'required': CERT_REQUIRED,
'optional': CERT_OPTIONAL,
'none': CERT_NONE}
Re-run the minimal reproduction on your broken version, then apply the fix and re-run.
Option A — Upgrade to fixed release\npip install celery==4.4.0rc5\nWhen NOT to use: This fix should not be used if maintaining strict compatibility with older Celery versions is required.\n\n
Why This Fix Works in Production
- Trigger: Celery's ssl_cert_reqs names do not match Redis's
- Mechanism: Celery's ssl_cert_reqs values differ from those expected by the Redis library, causing compatibility issues
- Why the fix works: Allows Celery to recognize standard Redis ssl_cert_reqs names, resolving confusion between the two libraries. (first fixed release: 4.4.0rc5).
- If left unfixed, the same config can fail only in production (env differences), causing startup failures or partial feature outages.
Why This Breaks in Prod
- Celery's ssl_cert_reqs values differ from those expected by the Redis library, causing compatibility issues
- Production symptom (often without a traceback): Celery's ssl_cert_reqs names do not match Redis's
Proof / Evidence
- GitHub issue: #5702
- Fix PR: https://github.com/celery/celery/pull/5703
- First fixed release: 4.4.0rc5
- Reproduced locally: No (not executed)
- Last verified: 2026-02-09
- Confidence: 0.85
- Did this fix it?: Yes (upstream fix exists)
- Own content ratio: 0.63
Discussion
High-signal excerpts from the issue thread (symptoms, repros, edge-cases).
“Hello! Now redis-py library have ssl_cert_reqs="required" by default that makes ssl_cert_reqs parameter optional”
Failure Signature (Search String)
- Celery's ssl_cert_reqs names do not match Redis's
- - [x] I have included all related issues and possible duplicate issues in this issue
Copy-friendly signature
Failure Signature
-----------------
Celery's ssl_cert_reqs names do not match Redis's
- [x] I have included all related issues and possible duplicate issues in this issue
Error Message
Signature-only (no traceback captured)
Error Message
-------------
Celery's ssl_cert_reqs names do not match Redis's
- [x] I have included all related issues and possible duplicate issues in this issue
Minimal Reproduction
ssl_string_to_constant = {'CERT_REQUIRED': CERT_REQUIRED,
'CERT_OPTIONAL': CERT_OPTIONAL,
'CERT_NONE': CERT_NONE,
'required': CERT_REQUIRED,
'optional': CERT_OPTIONAL,
'none': CERT_NONE}
What Broke
Users experience connection errors when using Redis URLs with mismatched ssl_cert_reqs values.
Why It Broke
Celery's ssl_cert_reqs values differ from those expected by the Redis library, causing compatibility issues
Fix Options (Details)
Option A — Upgrade to fixed release Safe default (recommended)
pip install celery==4.4.0rc5
Use when you can deploy the upstream fix. It is usually lower-risk than long-lived workarounds.
Option D — Guard side-effects with OnceOnly Guardrail for side-effects
Mitigate duplicate external side-effects under retries/timeouts/agent loops by gating the operation before calling external systems.
- Place OnceOnly between your code/agent and real side-effects (Stripe, emails, CRM, APIs).
- Use a stable key per side-effect (e.g., customer_id + action + idempotency_key).
- Fail-safe: configure fail-open vs fail-closed based on blast radius and spend risk.
Show example snippet (optional)
from onceonly import OnceOnly
import os
once = OnceOnly(api_key=os.environ["ONCEONLY_API_KEY"], fail_open=True)
# Stable idempotency key per real side-effect.
# Use a request id / job id / webhook delivery id / Stripe event id, etc.
event_id = "evt_..." # replace
key = f"stripe:webhook:{event_id}"
res = once.check_lock(key=key, ttl=3600)
if res.duplicate:
return {"status": "already_processed"}
# Safe to execute the side-effect exactly once.
handle_event(event_id)
Fix reference: https://github.com/celery/celery/pull/5703
First fixed release: 4.4.0rc5
Last verified: 2026-02-09. Validate in your environment.
When NOT to Use This Fix
- This fix should not be used if maintaining strict compatibility with older Celery versions is required.
- Do not use this to hide logic bugs or data corruption. Use it to block duplicate external side-effects and enforce tool permissions/spend caps.
Verify Fix
Re-run the minimal reproduction on your broken version, then apply the fix and re-run.
Did This Fix Work in Your Case?
Quick signal helps us prioritize which fixes to verify and improve.
Prevention
- Add a TLS smoke test that performs a real handshake in CI (include CA bundle validation and hostname checks).
- Alert on handshake failures by error string and endpoint to catch cert/CA changes quickly.
Version Compatibility Table
| Version | Status |
|---|---|
| 4.4.0rc5 | Fixed |
Related Issues
No related fixes found.
Sources
We don’t republish the full GitHub discussion text. Use the links above for context.