Heroku - Default Redis connection uses TLS #5500

Closed
sumith opened this issue Oct 29, 2024 · 6 comments · Fixed by #5526

sumith commented Oct 29, 2024

What happened?

Heroku is now using a default TLS connection for Redis. The current settings parameter only supports a non-secure connection.

What should've happened instead?

The settings for a production Heroku deployment should default to a secure TLS connection using rediss://.

Additional details

Adding

    broker_use_ssl = {
        "cert_reqs": ssl.CERT_NONE,
    }

still throws raise ValueError(E_REDIS_SSL_CERT_REQS_MISSING_INVALID)

  • Host system configuration:

    • Version of cookiecutter CLI (get it with cookiecutter --version):

    • OS name and version:

      On Linux, run

      lsb_release -a 2> /dev/null || cat /etc/redhat-release 2> /dev/null || cat /etc/*-release 2> /dev/null || cat /etc/issue 2> /dev/null

      On macOS, run

      sw_vers

      On Windows, via CMD, run

      systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
      
      # Insert here the OS name and version
      
    • Python version, run python3 -V: 3.11.10

    • Docker version (if using Docker), run docker --version: N/A

    • docker compose version (if using Docker), run docker compose --version:

    • ...

  • Options selected and/or replay file:
    On Linux and macOS: cat ${HOME}/.cookiecutter_replay/cookiecutter-django.json
    (Please, take care to remove sensitive information)

Logs:
$ cookiecutter https://github.com/cookiecutter/cookiecutter-django
project_name [Project Name]: ...

sumith added the bug label Oct 29, 2024

qwerrrqw commented Nov 6, 2024

I'm a beginner, but I'm interested in this issue. May I work on this issue?


dqunbp commented Nov 14, 2024

I have fixed the problem with these changes in production.py

REDIS_URL = env("REDIS_TLS_URL")
...
CELERY_REDIS_BACKEND_USE_SSL = {"ssl_cert_reqs": ssl.CERT_NONE}
CELERY_BROKER_USE_SSL = {"ssl_cert_reqs": ssl.CERT_NONE}
REDIS_SSL = env.bool("REDIS_SSL", default=False)
CELERY_BROKER_CONNECTION_RETRY_ON_STARTUP = True

if REDIS_SSL:
    CACHES["default"]["OPTIONS"]["CONNECTION_POOL_CLASS"] = (
        "redis.connection.SSLConnection"
    )
    CACHES["default"]["OPTIONS"]["SSL_CERT_REQS"] = None

@qwerrrqw

> I have fixed the problem with these changes in production.py
>
> REDIS_URL = env("REDIS_TLS_URL")
> ...
> CELERY_REDIS_BACKEND_USE_SSL = {"ssl_cert_reqs": ssl.CERT_NONE}
> CELERY_BROKER_USE_SSL = {"ssl_cert_reqs": ssl.CERT_NONE}
> REDIS_SSL = env.bool("REDIS_SSL", default=False)
> CELERY_BROKER_CONNECTION_RETRY_ON_STARTUP = True
>
> if REDIS_SSL:
>     CACHES["default"]["OPTIONS"]["CONNECTION_POOL_CLASS"] = (
>         "redis.connection.SSLConnection"
>     )
>     CACHES["default"]["OPTIONS"]["SSL_CERT_REQS"] = None

Thanks for the suggestion! I'd like to test and implement these changes.
Would it be okay if I add them to a PR after testing?


qwerrrqw commented Nov 15, 2024

> I have fixed the problem with these changes in production.py
>
> REDIS_URL = env("REDIS_TLS_URL")
> ...
> CELERY_REDIS_BACKEND_USE_SSL = {"ssl_cert_reqs": ssl.CERT_NONE}
> CELERY_BROKER_USE_SSL = {"ssl_cert_reqs": ssl.CERT_NONE}
> REDIS_SSL = env.bool("REDIS_SSL", default=False)
> CELERY_BROKER_CONNECTION_RETRY_ON_STARTUP = True
>
> if REDIS_SSL:
>     CACHES["default"]["OPTIONS"]["CONNECTION_POOL_CLASS"] = (
>         "redis.connection.SSLConnection"
>     )
>     CACHES["default"]["OPTIONS"]["SSL_CERT_REQS"] = None

# Redis
# ------------------------------------------------------------------------------
REDIS_URL = env("REDIS_TLS_URL", default="redis://localhost:6379/0")
REDIS_SSL = env.bool("REDIS_SSL", default=False)

# Celery
# ------------------------------------------------------------------------------
CELERY_REDIS_BACKEND_USE_SSL = {"ssl_cert_reqs": ssl.CERT_NONE}
CELERY_BROKER_USE_SSL = {"ssl_cert_reqs": ssl.CERT_NONE}
CELERY_BROKER_CONNECTION_RETRY_ON_STARTUP = True

if REDIS_SSL:
    CACHES["default"]["OPTIONS"].update(
        {
            "CONNECTION_POOL_CLASS": "redis.connection.SSLConnection",
            "SSL_CERT_REQS": None,
        }
    )

From what you suggested, I modified it a little for readability and maintenance.
Will it be okay?


dqunbp commented Nov 19, 2024

@qwerrrqw Sorry, these settings work partially; they do not work with Redis caches.
These are my final edits inspired by Heroku docs: https://devcenter.heroku.com/articles/connecting-heroku-redis#using-the-built-in-redis-backend-support.
They work for Celery and Django's built-in Redis cache.

import ssl  # required for ssl.CERT_NONE below

REDIS_URL = env("REDIS_TLS_URL")
CELERY_REDIS_BACKEND_USE_SSL = {"ssl_cert_reqs": ssl.CERT_NONE}
CELERY_BROKER_USE_SSL = {"ssl_cert_reqs": ssl.CERT_NONE}
CELERY_BROKER_CONNECTION_RETRY_ON_STARTUP = True

# CACHES
# ------------------------------------------------------------------------------
CACHES = {
    "default": {
        "BACKEND": "django.core.cache.backends.redis.RedisCache",
        "LOCATION": REDIS_URL,
        "OPTIONS": {"ssl_cert_reqs": None},
    },
}
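
As an added example (not code from this issue or from cookiecutter-django), the check below classifies the Celery Redis TLS settings discussed in this thread, including the `cert_reqs` key from the original report and the `ssl.CERT_NONE` value used in the fixes. It assumes the rule behind E_REDIS_SSL_CERT_REQS_MISSING_INVALID is that a rediss:// URL needs `ssl_cert_reqs` set to CERT_NONE, CERT_OPTIONAL or CERT_REQUIRED; `audit_redis_tls`, `audit_settings` and the sample host are hypothetical names.

```python
import ssl
from urllib.parse import parse_qs, urlsplit

# Accepted ssl_cert_reqs values (ssl constants or their URL-query spellings),
# mapped to whether the client validates the server certificate.
# In client mode Python treats CERT_OPTIONAL the same as CERT_REQUIRED.
_VERIFIES = {
    ssl.CERT_NONE: False, "CERT_NONE": False,
    ssl.CERT_OPTIONAL: True, "CERT_OPTIONAL": True,
    ssl.CERT_REQUIRED: True, "CERT_REQUIRED": True,
}


def audit_redis_tls(url, use_ssl=None):
    """Classify one Celery Redis URL plus its *_USE_SSL dict.

    Returns "plaintext", "invalid", "encrypted-unverified"
    or "encrypted-verified".
    """
    parts = urlsplit(url)
    if parts.scheme != "rediss":
        return "plaintext"  # redis:// carries no TLS at all
    query = parse_qs(parts.query)
    # Assumption of this example: the dict is consulted before the URL query.
    if use_ssl and "ssl_cert_reqs" in use_ssl:
        raw = use_ssl["ssl_cert_reqs"]
    elif "ssl_cert_reqs" in query:
        raw = query["ssl_cert_reqs"][0]
    else:
        return "invalid"  # key missing, e.g. spelled "cert_reqs"
    if raw not in _VERIFIES:
        return "invalid"  # e.g. None, which this rule does not accept
    # CERT_NONE encrypts the link but never authenticates the server.
    return "encrypted-verified" if _VERIFIES[raw] else "encrypted-unverified"


def audit_settings(settings):
    """Audit both Celery SSL dicts found in a settings mapping."""
    names = ("CELERY_BROKER_USE_SSL", "CELERY_REDIS_BACKEND_USE_SSL")
    url = settings["REDIS_URL"]
    return {name: audit_redis_tls(url, settings.get(name)) for name in names}


# Constructed sample mirroring the settings posted in this thread.
SAMPLE = {
    "REDIS_URL": "rediss://:secret@redis.example.invalid:6380/0",
    "CELERY_BROKER_USE_SSL": {"ssl_cert_reqs": ssl.CERT_NONE},
    "CELERY_REDIS_BACKEND_USE_SSL": {"cert_reqs": ssl.CERT_NONE},
}
```

A result of "encrypted-unverified" means traffic is encrypted but the client accepts any certificate the server presents.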

@nigfinch

My Heroku Celery scheduled tasks stopped working on October 14th ~ 5am.
This was in the Heroku activity log:

heroku-redis: Update REDIS by heroku-redis
Oct 14 at 6:00 AM · v308

Is there any official fix?
Thanks
