Why can't my Ruby application connect to an IMAP server?

Issue

A Ruby application is suddenly failing to connect to imap.gmail.com (or another IMAP server), and now throws an error like the following:

SSL_connect returned=1 errno=0 state=error: certificate verify failed (self signed certificate) (OpenSSL::SSL::SSLError)

This problem is occurring on the heroku-18 stack after a recent update to the stack image as announced on the Heroku Changelog.

Resolution

This issue is caused by your application now being capable of negotiating a TLSv1.3 connection with the server after an update of the OpenSSL library on the system to version 1.1.1.

The version of Ruby you are using is not sending Server Name Indication (SNI) information during a TLS handshake, and the server you're trying to connect to has chosen to reject such attempts by returning an invalid self-signed SSL certificate.

You must update your version of Ruby to a release which fixes this incompatibility with the TLSv1.3 specification. If you are using 2.6.x, then make sure you are using 2.6.3 or higher. If you are using 2.5.x, then make sure you are using 2.5.6 or higher. If you are using 2.4.x or below, you must upgrade to 2.5.x or higher.

If an upgrade of the Ruby version is not possible, you may instead

  1. change the stack of your application to an older version by running
    $ heroku stack:set heroku-16
    
    and deploying a change, or
  2. forcing a maximum TLS version number in your Net::IMAP connection creation using the max_version SSL context parameter:
    Net::IMAP.new("imap.gmail.com", { ssl => { max_version: OpenSSL::SSL::TLS1_2_VERSION }})
    

Ask on Stack Overflow

Engage with a community of passionate experts to get the answers you need

Ask on Stack Overflow

Heroku Support

Create a support ticket and our support experts will get back to you

Contact Heroku Support