A major SSL provider root certificate expired on May 30th, 2020, which has caused many applications to start receiving errors when making API calls to external services that have a certificate signed by the expired root certificate. The errors often follow this format:
#<OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=error: certificate verify failed (certificate has expired)>
The CA certificates for Common Runtime stacks
heroku-16 and all newer stacks has been updated. If your application is running
heroku-16 or newer, you can restart your application to get the updates. Older stacks will require a stack upgrade.
If your application runs on Private Spaces, the new CA certificates are not available on
heroku-16. Your application must be updated to the
This resolution only applies in the case where the server certificate presented by the external service is cross-signed by multiple root CA certificates. If the service has an SSL certificate with a single trusted path and the root CA certificate expired it will require the service to update their SSL certificate.