Why am I getting an SSL_connect error when calling external services?

Issue

A major SSL provider root certificate expired on May 30th, 2020, which has caused many applications to start receiving errors when making API calls to external services that have a certificate signed by the expired root certificate. The errors often follow this format:

#<OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=error: certificate verify failed (certificate has expired)>

Resolution

The CA certificates for Common Runtime stacks heroku-16 and all newer stacks has been updated. If your application is running heroku-16 or newer, you can restart your application to get the updates. Older stacks will require a stack upgrade.

If your application runs on Private Spaces, the new CA certificates are not available on heroku-16. Your application must be updated to the heroku-18 stack.

This resolution only applies in the case where the server certificate presented by the external service is cross-signed by multiple root CA certificates. If the service has an SSL certificate with a single trusted path and the root CA certificate expired it will require the service to update their SSL certificate.

Ask on Stack Overflow

Engage with a community of passionate experts to get the answers you need

Ask on Stack Overflow

Heroku Support

Create a support ticket and our support experts will get back to you

Contact Heroku Support
Terms of Service Privacy Cookies © 2020 Salesforce.com