The Fix

pip install celery==5.3.0b2

Based on closed celery/celery issue #7645 · PR/commit linked

Production note: This usually shows up under retries/timeouts. Treat it as a side-effect risk until you can verify behavior with a canary + real traffic.

@@ -4,7 +4,7 @@ from cryptography.hazmat.backends import default_backend -from cryptography.hazmat.primitives.asymmetric import padding +from cryptography.hazmat.primitives.asymmetric import padding, rsa from cryptography.x509 import load_pem_x509_certificate
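Review bot: nothing in the visible hunk uses the newly imported rsa name on the changed import line, so please confirm that the key-type check it supports runs when the key is loaded rather than at the first sign() call, and state in the documentation for security_key that only RSA keys are accepted.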

Why This Fix Works in Production

  • Trigger: [2022-07-22 14:16:20,309: CRITICAL/MainProcess] Unrecoverable error: EncodeError(SecurityError("Unable to serialize: TypeError('catching classes that do not…
  • Mechanism: The PrivateKey class does not validate the type of the loaded private key, leading to crashes with unsupported key types.
  • Why the fix works: The fix checks the type of the private key and certificate when loading them and raises a ValueError if they are not RSA types, which prevents the crash in Celery (first fixed release: 5.3.0b2).
Production impact:
  • If left unfixed, the same config can fail only in production (env differences), causing startup failures or partial feature outages.
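
A dependency-free preflight for the key-type check described above, added here as an example and not taken from Celery or the linked PR: it reads the PEM label or the PKCS#8 algorithm OID to tell whether the file passed as security_key is RSA. The function names are hypothetical, and sample_pkcs8 builds constructed PEM blocks around placeholder key bytes.

```python
import base64
import re

# DER bodies of the algorithm OIDs found in a PKCS#8 AlgorithmIdentifier.
OIDS = {
    bytes.fromhex("2a864886f70d010101"): "RSA",      # 1.2.840.113549.1.1.1
    bytes.fromhex("2a8648ce3d0201"): "EC",           # 1.2.840.10045.2.1
    bytes.fromhex("2b6570"): "Ed25519",              # 1.3.101.112
}
LEGACY_LABELS = {"RSA PRIVATE KEY": "RSA", "EC PRIVATE KEY": "EC"}
PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

def _tlv(buf, pos):
    """Read one DER element at pos and return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def private_key_algorithm(pem_text):
    """Name the algorithm of an unencrypted PEM private key without loading it."""
    match = PEM_RE.search(pem_text)
    if not match:
        raise ValueError("no PEM block found")
    label, body = match.groups()
    if label in LEGACY_LABELS:          # traditional OpenSSL encodings
        return LEGACY_LABELS[label]
    if label != "PRIVATE KEY":          # e.g. ENCRYPTED PRIVATE KEY
        raise ValueError(f"cannot inspect PEM block {label!r}")
    _, info, _ = _tlv(base64.b64decode("".join(body.split())), 0)  # PrivateKeyInfo
    _, _, pos = _tlv(info, 0)           # version INTEGER
    _, alg, _ = _tlv(info, pos)         # AlgorithmIdentifier SEQUENCE
    tag, oid, _ = _tlv(alg, 0)          # algorithm OBJECT IDENTIFIER
    return OIDS.get(oid, "unknown") if tag == 0x06 else "unknown"

def require_rsa(pem_text):
    """Fail with a clear ValueError before Celery ever tries to sign."""
    algorithm = private_key_algorithm(pem_text)
    if algorithm != "RSA":
        raise ValueError(f"security_key must be an RSA key, found {algorithm}")
    return algorithm

def sample_pkcs8(oid_body):
    """Constructed sample: real PKCS#8 framing around placeholder key bytes."""
    alg = bytes([0x30, len(oid_body) + 2, 0x06, len(oid_body)]) + oid_body
    info = b"\x02\x01\x00" + alg + b"\x04\x02\x00\x00"
    b64 = base64.b64encode(bytes([0x30, len(info)]) + info).decode()
    return f"-----BEGIN PRIVATE KEY-----\n{b64}\n-----END PRIVATE KEY-----\n"
```

Run require_rsa on the contents of the security_key file in CI or at deploy time; encrypted PKCS#8 keys are reported as uninspectable rather than guessed at.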

Why This Breaks in Prod

  • Shows up under Python 3.8 in real deployments (not just unit tests).
  • The PrivateKey class does not validate the type of the loaded private key, leading to crashes with unsupported key types
  • Surfaces as: [2022-07-22 14:16:20,309: CRITICAL/MainProcess] Unrecoverable error: EncodeError(SecurityError("Unable to serialize: TypeError('catching classes that do not inherit from…

Proof / Evidence

  • GitHub issue: #7645
  • Fix PR: https://github.com/celery/celery/pull/7680
  • First fixed release: 5.3.0b2
  • Reproduced locally: No (not executed)
  • Last verified: 2026-02-09
  • Confidence: 0.85
  • Did this fix it?: Yes (upstream fix exists)

Discussion

High-signal excerpts from the issue thread (symptoms, repros, edge-cases).

“Hey @qrmt :wave:, Thank you for opening an issue”
@open-collective-bot · 2022-07-22 · source
“TypeError: catching classes that do not inherit from BaseException is not allowed -- based on this can you work on intended fix?”
@auvipy · 2022-07-31 · source
“you can come with a failing test and a possible fix, we can discuss there”
@auvipy · 2022-08-01 · source
“@auvipy I can work on a fix”
@qrmt · 2022-08-01 · source

Failure Signature (Search String)

  • [2022-07-22 14:16:20,309: CRITICAL/MainProcess] Unrecoverable error: EncodeError(SecurityError("Unable to serialize: TypeError('catching classes that do not inherit from

Error Message

Stack trace
error.txt
Error Message
-------------
[2022-07-22 14:16:20,309: CRITICAL/MainProcess] Unrecoverable error: EncodeError(SecurityError("Unable to serialize: TypeError('catching classes that do not inherit from BaseException is not allowed')"))
Traceback (most recent call last):
  File "/venv/lib/python3.8/site-packages/celery/security/utils.py", line 24, in reraise_errors
    yield
  File "/venv/lib/python3.8/site-packages/celery/security/key.py", line 32, in sign
    return self._key.sign(ensure_bytes(data), padd, digest)
TypeError: sign() takes 3 positional arguments but 4 were given

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/venv/lib/python3.8/site-packages/celery/security/utils.py", line 24, in reraise_errors
    yield
  File "/venv/lib/python3.8/site-packages/celery/security/serialization.py", line 39, in serialize
    signature=self._key.sign(body, self._digest),
  File "/venv/lib/python3.8/site-packages/celery/security/key.py", line 32, in sign
    return self._key.sign(ensure_bytes(data), padd, digest)
  File "/usr/lib/python3.8/contextlib.py", line 131, in __exit__
    self.gen.throw(type, value, traceback)
  File "/venv/lib/python3.8/site-packages/celery/security/utils.py", line 25, in reraise_errors
    except errors as exc:
TypeError: catching classes that do not inherit from BaseException is not allowed

... Above ty ... (truncated) ...

Minimal Reproduction

repro.py
import ssl

from celery import Celery

app = Celery('test', include=[])

# TLS settings for the broker connection
broker_use_ssl = {
    'keyfile': 'broker_client.key',  # private key is ECDSA signed
    'certfile': 'broker_client.crt',
    'ca_certs': 'root.pem',
    'cert_reqs': ssl.CERT_REQUIRED
}

app.conf.update(
    broker_use_ssl=broker_use_ssl,
    # message-signing material loaded by setup_security()
    security_key='private.key',
    security_certificate='public.crt',
    security_cert_store='security_store/*.pem'
)
app.setup_security()
app.start()

Environment

  • Python: 3.8

What Broke

Celery crashes without clear error messages when an unsupported private key type is used.

Why It Broke

The PrivateKey class does not validate the type of the loaded private key, leading to crashes with unsupported key types

Fix Options (Details)

Option A — Upgrade to fixed release (safe default, recommended)

pip install celery==5.3.0b2

When NOT to use: This fix is not applicable if the application requires support for non-RSA private keys.

Use when you can deploy the upstream fix. It is usually lower-risk than long-lived workarounds.

Fix reference: https://github.com/celery/celery/pull/7680

First fixed release: 5.3.0b2

Last verified: 2026-02-09. Validate in your environment.

When NOT to Use This Fix

  • This fix is not applicable if the application requires support for non-RSA private keys.

Verify Fix

verify
Re-run the minimal reproduction on your broken version, then apply the fix and re-run.

Prevention

  • Add a TLS smoke test that performs a real handshake in CI (include CA bundle validation and hostname checks).
  • Alert on handshake failures by error string and endpoint to catch cert/CA changes quickly.

Version Compatibility Table

Version    Status
5.3.0b2    Fixed

Sources

We don’t republish the full GitHub discussion text. Use the links above for context.