Sentinel with TLS not working #6455

Closed
5 of 18 tasks
AbdealiLoKo opened this issue Nov 2, 2020 · 6 comments · Fixed by #6647
Comments

@AbdealiLoKo
Contributor

AbdealiLoKo commented Nov 2, 2020

Checklist

  • I have verified that the issue exists against the master branch of Celery.
  • This has already been asked to the discussion group first.
  • I have read the relevant section in the
    contribution guide
    on reporting bugs.
  • I have checked the issues list
    for similar or identical bug reports.
  • I have checked the pull requests list
    for existing proposed fixes.
  • I have checked the commit log
    to find out if the bug was already fixed in the master branch.
  • I have included all related issues and possible duplicate issues
    in this issue (If there are none, check this box anyway).

Mandatory Debugging Information

  • I have included the output of celery -A proj report in the issue.
    (if you are not able to do this, then at least specify the Celery
    version affected).
  • I have verified that the issue exists against the master branch of Celery.
  • I have included the contents of pip freeze in the issue.
  • I have included all the versions of all the external dependencies required
    to reproduce this bug.

Optional Debugging Information

  • I have tried reproducing the issue on more than one Python version
    and/or implementation.
  • I have tried reproducing the issue on more than one message broker and/or
    result backend.
  • I have tried reproducing the issue on more than one version of the message
    broker and/or result backend.
  • I have tried reproducing the issue on more than one operating system.
  • I have tried reproducing the issue on more than one workers pool.
  • I have tried reproducing the issue with autoscaling, retries,
    ETA/Countdown & rate limits disabled.
  • I have tried reproducing the issue after downgrading
    and/or upgrading Celery and its dependencies.

Related Issues and Possible Duplicates

Related Issues

Possible Duplicates

  • None

Environment & Settings

  • Celery: 5.0.0
  • Kombu: 5.0.2
  • Redis: 3.5.3
  • vine: 5.0.0
  • billiard: 3.6.3.0

Steps to Reproduce

Required Dependencies

  • Minimal Python Version: Python 3.6.5 :: Anaconda, Inc.
  • Minimal Celery Version: 5.0.0
  • Minimal Kombu Version: 5.0.2
  • Minimal Broker Version: Redis Server 6.0.8
  • Minimal Result Backend Version: Memory / Redis Server 6.0.8
  • Minimal OS and/or Kernel Version: CentOS 7
  • Minimal Broker Client Version: RedisPy 3.5.3
  • Minimal Result Backend Client Version: Memory / RedisPy 3.5.3

Other Dependencies

Needs SSL certificates for Redis TLS setup - I used https://github.com/michaelklishin/tls-gen to create them

Minimally Reproducible Test Case

I have the following configs:

redis_ssl = 
broker_connection_retry = False
broker_transport_options = broker_transport_options
# result_backend_transport_options = broker_transport_options
broker_use_ssl = {
  'ssl_keyfile': '/home/centos/redis/tls-gen/basic/result/client_key.pem',
  'ssl_certfile': '/home/centos/redis/tls-gen/basic/result/client_certificate.pem',
  'ssl_ca_certs': '/home/centos/redis/tls-gen/basic/result/ca_certificate.pem',
  'ssl_cert_reqs': 'required',
}
# redis_backend_use_ssl = redis_ssl

CELERY_BROKER_URL = 'sentinel://127.0.0.1:29876'
CELERY_RESULT_BACKEND = 'cache+memory://'  # Used only for testing - even with Redis here, it doesn't work

With redis.conf:

bind 0.0.0.0
protected-mode yes
port 0

tls-port 9875
tls-cert-file /home/centos/redis/tls-gen/basic/result/server_certificate.pem
tls-key-file /home/centos/redis/tls-gen/basic/result/server_key.pem
tls-ca-cert-file /home/centos/redis/tls-gen/basic/result/ca_certificate.pem
tls-replication yes

daemonize yes
pidfile /home/centos/redis/redis.pid
logfile /home/centos/redis/redis.log
dir /home/centos/redis

With redis-sentinel.conf:

port 29876
tls-port 29875
tls-cert-file "/home/centos/redis/tls-gen/basic/result/server_certificate.pem"
tls-key-file "/home/centos/redis/tls-gen/basic/result/server_key.pem"
tls-ca-cert-file "/home/centos/redis/tls-gen/basic/result/ca_certificate.pem"
tls-replication yes

daemonize yes
pidfile /home/centos/redis/sentinel.pid
logfile /home/centos/redis/sentinel.log
dir /home/centos/redis

sentinel monitor mymaster 127.0.0.1 9875 1
sentinel deny-scripts-reconfig yes
sentinel config-epoch mymaster 6

Expected Behavior

I was expecting Celery to be able to connect to Sentinel, fetch the host and port of the master, and then use TLS to connect to the Redis master.

Actual Behavior

It gives the error TypeError: __init__() got an unexpected keyword argument 'connection_pool'
Traceback:

 -------------- celery@ip v5.0.0 (singularity)
--- ***** -----
-- ******* ---- Linux-3.10.0-862.3.2.el7.x86_64-x86_64-with-centos-7.5.1804-Core 2020-11-02 14:00:50
- *** --- * ---
- ** ---------- [config]
- ** ---------- .> app:         corridor_api:0x7fce57b40860
- ** ---------- .> transport:   sentinel://IP:29876//
- ** ---------- .> results:     memory:///
- *** --- * --- .> concurrency: 1 (prefork)
-- ******* ---- .> task events: OFF (enable -E to monitor tasks in this worker)
--- ***** -----
 -------------- [queues]
                .> apilocal         exchange=apilocal(direct) key=apilocal
                .> celery           exchange=celery(direct) key=celery

[2020-11-02 14:00:50,595: CRITICAL/MainProcess] Unrecoverable error: TypeError("__init__() got an unexpected keyword argument 'connection_pool'",)
Traceback (most recent call last):
File "/opt/app/venv/lib/python3.6/site-packages/kombu/transport/virtual/base.py", line 918, in create_channel
return self._avail_channels.pop()
IndexError: pop from empty list

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/opt/app/venv/lib/python3.6/site-packages/redis/connection.py", line 1185, in get_connection
connection = self._available_connections.pop()
IndexError: pop from empty list

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/opt/app/venv/lib/python3.6/site-packages/celery/worker/worker.py", line 203, in start
self.blueprint.start(self)
File "/opt/app/venv/lib/python3.6/site-packages/celery/bootsteps.py", line 116, in start
step.start(parent)
File "/opt/app/venv/lib/python3.6/site-packages/celery/bootsteps.py", line 365, in start
return self.obj.start()
File "/opt/app/venv/lib/python3.6/site-packages/celery/worker/consumer/consumer.py", line 311, in start
blueprint.start(self)
File "/opt/app/venv/lib/python3.6/site-packages/celery/bootsteps.py", line 116, in start
step.start(parent)
File "/opt/app/venv/lib/python3.6/site-packages/celery/worker/consumer/connection.py", line 21, in start
c.connection = c.connect()
File "/opt/app/venv/lib/python3.6/site-packages/celery/worker/consumer/consumer.py", line 398, in connect
conn = self.connection_for_read(heartbeat=self.amqheartbeat)
File "/opt/app/venv/lib/python3.6/site-packages/celery/worker/consumer/consumer.py", line 405, in connection_for_read
self.app.connection_for_read(heartbeat=heartbeat))
File "/opt/app/venv/lib/python3.6/site-packages/celery/worker/consumer/consumer.py", line 427, in ensure_connected
conn.connect()
File "/opt/app/venv/lib/python3.6/site-packages/kombu/connection.py", line 277, in connect
max_retries=1, reraise_as_library_errors=False
File "/opt/app/venv/lib/python3.6/site-packages/kombu/connection.py", line 439, in _ensure_connection
callback, timeout=timeout
File "/opt/app/venv/lib/python3.6/site-packages/kombu/utils/functional.py", line 325, in retry_over_time
return fun(*args, **kwargs)
File "/opt/app/venv/lib/python3.6/site-packages/kombu/connection.py", line 866, in _connection_factory
self._connection = self._establish_connection()
File "/opt/app/venv/lib/python3.6/site-packages/kombu/connection.py", line 801, in _establish_connection
conn = self.transport.establish_connection()
File "/opt/app/venv/lib/python3.6/site-packages/kombu/transport/virtual/base.py", line 938, in establish_connection
self._avail_channels.append(self.create_channel(self))
File "/opt/app/venv/lib/python3.6/site-packages/kombu/transport/virtual/base.py", line 920, in create_channel
channel = self.Channel(connection)
File "/opt/app/venv/lib/python3.6/site-packages/kombu/transport/redis.py", line 526, in __init__
self.client.ping()
File "/opt/app/venv/lib/python3.6/site-packages/redis/client.py", line 1378, in ping
return self.execute_command('PING')
File "/opt/app/venv/lib/python3.6/site-packages/redis/client.py", line 898, in execute_command
conn = self.connection or pool.get_connection(command_name, **options)
File "/opt/app/venv/lib/python3.6/site-packages/redis/connection.py", line 1187, in get_connection
connection = self.make_connection()
File "/opt/app/venv/lib/python3.6/site-packages/redis/connection.py", line 1227, in make_connection
return self.connection_class(**self.connection_kwargs)
File "/opt/app/venv/lib/python3.6/site-packages/redis/connection.py", line 828, in __init__
super(SSLConnection, self).__init__(**kwargs)
TypeError: __init__() got an unexpected keyword argument 'connection_pool'

@auvipy
Member

auvipy commented Nov 19, 2020

@AbdealiJK can you try to fix it following the traceback?

File "/site-packages/redis/connection.py", line 828, in __init__
super(SSLConnection, self).__init__(**kwargs)
TypeError: __init__() got an unexpected keyword argument 'connection_pool'

@AbdealiLoKo
Contributor Author

AbdealiLoKo commented Nov 19, 2020

Thanks for following up @auvipy. I have a fix which I am using.
I had to patch redis-py, kombu, and celery - all 3 were required for it to work:

I have also submitted a patch in redis-py with it (because the other 2 depend on the redis-py patch)

@auvipy
Member

auvipy commented Nov 19, 2020

can you please send PR on celery & kombu as well?

@AbdealiLoKo
Contributor Author

AbdealiLoKo commented Nov 23, 2020

Here are small reproducible examples for things not working with Sentinel+TLS:

For the Celery Result Backend:

import celery.utils.collections
import celery.backends.redis

redis_ssl = {
    'ssl_keyfile': '/home/centos/redis/tls-gen/basic/result/client_key.pem',
    'ssl_certfile': '/home/centos/redis/tls-gen/basic/result/client_certificate.pem',
    'ssl_ca_certs': '/home/centos/redis/tls-gen/basic/result/ca_certificate.pem',
    'ssl_cert_reqs': 'required',
}
sentinel_url = 'sentinel://127.0.0.1:26379'

class App:
    conf = celery.utils.collections.AttributeDict({
        "result_backend_transport_options": {'master_name': 'mymaster'},
        "redis_backend_use_ssl": redis_ssl,
        "result_serializer": 'pickle',
        "result_cache_max": -1,
        "result_expires": 60 * 60 * 24,
        "result_accept_content": None,
        "accept_content": ['pickle'],
    })

app = App()
backend = celery.backends.redis.SentinelBackend(app=app, url=sentinel_url)
backend.client.ping()

For the Kombu Broker:

import kombu.connection

redis_ssl = {
    'ssl_keyfile': '/home/centos/redis/tls-gen/basic/result/client_key.pem',
    'ssl_certfile': '/home/centos/redis/tls-gen/basic/result/client_certificate.pem',
    'ssl_ca_certs': '/home/centos/redis/tls-gen/basic/result/ca_certificate.pem',
    'ssl_cert_reqs': 'required',
}
sentinel_url = 'sentinel://127.0.0.1:26379'

conn = kombu.connection.Connection(
    sentinel_url,
    transport_options={'master_name': 'mymaster'},
    ssl=redis_ssl
)
conn.default_channel.client.ping()
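The config in the issue body and the two repro snippets above both try to push one set of TLS settings through two hops: client to Sentinel, then client to the master that Sentinel names. The example below is added here and is not code from Celery, Kombu or redis-py. It parses a Kombu-style sentinel URL (assumed: several sentinels joined with ';', the form Kombu uses for alternate broker URLs), validates a Celery-style broker_use_ssl mapping so that server verification cannot be silently disabled, and produces the arguments for redis-py's Sentinel(...).master_for(...). My reading of the traceback is that the TypeError comes from a plain SSLConnection being handed the sentinel pool's connection_pool argument, which a sentinel-managed connection class accepts; the live connect_master() helper assumes a redis-py 4.x that selects SentinelManagedSSLConnection when ssl=True is passed to master_for(). The certificate paths are placeholders copied from the thread and do not exist here.

```python
"""Build redis-py Sentinel parameters from a Celery-style sentinel URL and a
broker_use_ssl mapping, applying the same TLS settings to both hops.

Added example for this thread; not code from Celery, Kombu or redis-py.
Assumptions: Kombu's ';'-separated alternate-URL form for several sentinels,
redis-py 4.x keyword names (ssl, ssl_certfile, ssl_keyfile, ssl_ca_certs,
ssl_cert_reqs) and the SentinelManagedSSLConnection class it picks when
ssl=True reaches master_for(). Certificate paths are placeholders from the
thread, not files that exist on this machine.
"""
import ssl
from urllib.parse import urlsplit

DEFAULT_SENTINEL_PORT = 26379
CERT_REQS = ("none", "optional", "required")  # spellings redis-py accepts
_CONST_TO_NAME = {ssl.CERT_NONE: "none", ssl.CERT_OPTIONAL: "optional",
                  ssl.CERT_REQUIRED: "required"}

# TLS settings as posted in the thread (constructed sample, placeholder paths).
EXAMPLE_SSL = {
    "ssl_keyfile": "/home/centos/redis/tls-gen/basic/result/client_key.pem",
    "ssl_certfile": "/home/centos/redis/tls-gen/basic/result/client_certificate.pem",
    "ssl_ca_certs": "/home/centos/redis/tls-gen/basic/result/ca_certificate.pem",
    "ssl_cert_reqs": "required",
}


def parse_sentinel_url(url):
    """'sentinel://[:pw@]h1:26379;sentinel://h2' -> ([(h1, 26379), (h2, 26379)], pw).

    The password, if any, is the one for the elected master; Sentinel's own
    authentication (Redis 6 requirepass on the sentinel) is separate and
    deliberately not taken from this URL.
    """
    hosts, password = [], None
    for part in filter(None, (p.strip() for p in url.split(";"))):
        u = urlsplit(part)
        if u.scheme != "sentinel" or not u.hostname:
            raise ValueError("not a sentinel URL: %r" % part)
        hosts.append((u.hostname, u.port or DEFAULT_SENTINEL_PORT))
        password = password or u.password
    if not hosts:
        raise ValueError("no sentinel hosts in %r" % url)
    return hosts, password


def tls_kwargs(use_ssl, allow_unverified=False):
    """Translate Celery's broker_use_ssl dict into redis-py keyword arguments.

    Refuses ssl_cert_reqs='none' unless explicitly allowed (with CERT_NONE the
    server is not authenticated, so whoever answers on the sentinel or master
    port is trusted), requires a CA bundle when verifying, and requires the
    client key and certificate to be given together for mutual TLS.
    """
    reqs = use_ssl.get("ssl_cert_reqs", "required")
    reqs = reqs.lower() if isinstance(reqs, str) else _CONST_TO_NAME.get(reqs, reqs)
    if reqs not in CERT_REQS:
        raise ValueError("ssl_cert_reqs must be one of %s" % (CERT_REQS,))
    if reqs == "none" and not allow_unverified:
        raise ValueError("ssl_cert_reqs='none' disables server verification")
    if reqs != "none" and not use_ssl.get("ssl_ca_certs"):
        raise ValueError("ssl_ca_certs is required when ssl_cert_reqs=%r" % reqs)
    if bool(use_ssl.get("ssl_keyfile")) != bool(use_ssl.get("ssl_certfile")):
        raise ValueError("ssl_keyfile and ssl_certfile must be given together")
    kwargs = {"ssl": True, "ssl_cert_reqs": reqs}
    for key in ("ssl_keyfile", "ssl_certfile", "ssl_ca_certs"):
        if use_ssl.get(key):
            kwargs[key] = use_ssl[key]
    return kwargs


def sentinel_params(url, use_ssl, master_name):
    """Arguments for Sentinel(...) and master_for(...), TLS applied on both hops.

    sentinel_kwargs covers hop 1 (client -> sentinel); connection_kwargs covers
    hop 2 (client -> elected master). Losing the settings on hop 1 gives a
    plaintext client on a tls-port ("wrong version number" in the Redis log);
    a non-sentinel-managed connection class on hop 2 is what the TypeError in
    the traceback above shows.
    """
    hosts, password = parse_sentinel_url(url)
    tls = tls_kwargs(use_ssl)
    master_kwargs = dict(tls)
    if password:
        master_kwargs["password"] = password
    return {"sentinels": hosts, "sentinel_kwargs": dict(tls),
            "connection_kwargs": master_kwargs, "service_name": master_name}


def connect_master(params):
    """Live use only: needs redis-py 4.x and reachable sentinels (lazy import)."""
    from redis.sentinel import Sentinel
    sentinel = Sentinel(params["sentinels"],
                        sentinel_kwargs=params["sentinel_kwargs"],
                        **params["connection_kwargs"])
    return sentinel.master_for(params["service_name"])


if __name__ == "__main__":
    print(sentinel_params("sentinel://127.0.0.1:26379", EXAMPLE_SSL, "mymaster"))
```

Run the module directly to see the two kwarg sets that must match; call connect_master() only against a real TLS-enabled Sentinel. The allow_unverified flag exists so that a lab setup can be debugged with CERT_NONE on purpose, never by a typo in the config.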

@auvipy
Member

auvipy commented Feb 25, 2021

I think we can close this, right? -- no, this needs to be in 5.1

@auvipy auvipy added this to the 5.1.0 milestone Feb 25, 2021
@thedrow thedrow linked a pull request Feb 27, 2021 that will close this issue
@sekrett

sekrett commented Aug 24, 2023

For the Kombu Broker:

import kombu.connection

redis_ssl = {
    'ssl_keyfile': '/home/centos/redis/tls-gen/basic/result/client_key.pem',
    'ssl_certfile': '/home/centos/redis/tls-gen/basic/result/client_certificate.pem',
    'ssl_ca_certs': '/home/centos/redis/tls-gen/basic/result/ca_certificate.pem',
    'ssl_cert_reqs': 'required',
}
sentinel_url = 'sentinel://127.0.0.1:26379'

conn = kombu.connection.Connection(
    sentinel_url,
    transport_options={'master_name': 'mymaster'},
    ssl=redis_ssl
)
conn.default_channel.client.ping()

I tried this code today on kombu 5.3.1; it does not work:
(104, 'Connection reset by peer')")

On the Redis server there are multiple errors:
Error accepting a client connection: error:0A00010B:SSL routines::wrong version number (conn: fd=18)

Which I believe means the client is not using TLS at all.
I was able to connect with redis-py, so my sentinels are working fine. But I need Celery to work, which also fails.

Should your code work now, or do I need something different?
