Issue
A Ruby application is suddenly failing to connect to imap.gmail.com
(or another IMAP server), and now throws an error like the following:
    SSL_connect returned=1 errno=0 state=error: certificate verify failed (self signed certificate) (OpenSSL::SSL::SSLError)
This problem is occurring on the heroku-18 stack after a recent update to the stack image as announced on the Heroku Changelog.
Resolution
This issue is caused by your application now being capable of negotiating a TLSv1.3 connection with the server after an update of the OpenSSL library on the system to version 1.1.1.
The version of Ruby you are using is not sending Server Name Indication (SNI) information during a TLS handshake, and the server you're trying to connect to has chosen to reject such attempts by returning an invalid self-signed SSL certificate.
You must update your version of Ruby to a release which fixes this incompatibility with the TLSv1.3 specification. If you are using 2.6.x, then make sure you are using 2.6.3 or higher. If you are using 2.5.x, then make sure you are using 2.5.6 or higher. If you are using 2.4.x or below, you must upgrade to 2.5.x or higher.
If an upgrade of the Ruby version is not possible, you may instead
- change the stack of your application to an older version by running
    $ heroku stack:set heroku-16
  and deploying a change, or
- force a maximum TLS version number in your Net::IMAP connection creation using the max_version SSL context parameter:
    Net::IMAP.new("imap.gmail.com", ssl: { max_version: OpenSSL::SSL::TLS1_2_VERSION })
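The version guidance above can be turned into a guard that applies the TLS 1.2 cap only on the Ruby releases that need it, so the cap disappears once Ruby is upgraded. This is an added example, not Heroku's or Ruby's own code; the helper names (imap_tls_status, imap_ssl_options, connect_imap) and the FIXED_RELEASES table are hypothetical and built from the version numbers stated in this article.

```ruby
require "openssl"
require "rubygems" # for Gem::Version

# First fixed patch release per series, as stated in the article above.
FIXED_RELEASES = { "2.5" => "2.5.6", "2.6" => "2.6.3" }.freeze

# Classify a Ruby version against the article's guidance (hypothetical helper):
#   :upgrade_required -> 2.4.x or below
#   :cap_tls12        -> 2.5.x / 2.6.x older than the fixed release
#   :ok               -> a fixed release, or a series the article does not list
def imap_tls_status(ruby_version = RUBY_VERSION)
  version = Gem::Version.new(ruby_version)
  return :upgrade_required if version < Gem::Version.new("2.5.0")

  series = version.segments.first(2).join(".")
  fixed = FIXED_RELEASES[series]
  return :ok if fixed.nil?

  version < Gem::Version.new(fixed) ? :cap_tls12 : :ok
end

# Build the ssl: options for Net::IMAP. Certificate verification stays on;
# only the maximum protocol version is lowered, and only where required.
def imap_ssl_options(ruby_version = RUBY_VERSION)
  status = imap_tls_status(ruby_version)
  if status == :upgrade_required
    raise "Ruby #{ruby_version} must be upgraded to 2.5.x or higher"
  end

  options = { verify_mode: OpenSSL::SSL::VERIFY_PEER }
  options[:max_version] = OpenSSL::SSL::TLS1_2_VERSION if status == :cap_tls12
  options
end

# Open the connection with the computed options (makes a network connection).
def connect_imap(host, ruby_version = RUBY_VERSION)
  require "net/imap"
  Net::IMAP.new(host, ssl: imap_ssl_options(ruby_version))
end
```

Calling connect_imap("imap.gmail.com") on a fixed Ruby negotiates TLS normally; on 2.5.0 to 2.5.5 or 2.6.0 to 2.6.2 it caps the handshake at TLS 1.2.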