Connections to the Apple Push Notification Service (APNs) at https://api.push.apple.com fail with TLS certificate errors such as:

```
x509: certificate signed by unknown authority
PKIX path building failed
SunCertPathBuilderException: unable to find valid certification path to requested target
```
These errors occur because the APNs server certificate chains to the legacy GeoTrust Global CA root certificate, which has been distrusted by several widely-used CA root stores as part of a multi-year phase-out program. Most recently, the GeoTrust Global CA root certificate was removed from the Ubuntu ca-certificates package, which is the root store used by Heroku's stack images.

The updated ca-certificates package was released to Common Runtime apps on February 8th, 2021, and will be released to Private Spaces apps during their space's next maintenance cycle (typically every 2 weeks).
This issue also occurs outside of Heroku. For example, connections also fail from the official Ubuntu Docker image:

```
$ docker run --rm -it ubuntu:20.04 bash
root@1b98119cc104:/# apt-get update -qq
root@1b98119cc104:/# apt-get install -yqq curl
...
root@1b98119cc104:/# curl -I https://api.push.apple.com
curl: (60) SSL certificate problem: unable to get local issuer certificate
```
Apple are due to switch to a supported Certificate Authority on March 29th, 2021, which will fix this issue:
Until that time, the legacy GeoTrust Global CA root certificate must be manually configured for apps connecting to APNs. Because this root has been distrusted, scope the extra trust to the APNs client only rather than adding it to a system-wide store, and remove it once Apple's new certificate chain is live.

This certificate can be downloaded from the GeoTrust Root Certificates website - direct link: GeoTrust_Global_CA.pem

Since you are about to trust this root explicitly, check that the downloaded file is a single PEM certificate with the expected subject (CN = GeoTrust Global CA) before installing it, for example with `openssl x509 -in GeoTrust_Global_CA.pem -noout -subject -fingerprint -sha256`.
For Heroku apps using Java, this CA certificate can be added to the JDK root store bundled within the app - see adding custom certificates.
For Heroku apps using other languages, client libraries generally use the stack image's root store directly (which cannot be modified), so you will need to either:
- Manually specify the above CA when creating/configuring your APNs push client library.
- File an issue against your APNs push client library, asking the maintainers to bundle the CA certificate directly, so the client works out of the box.
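The first option above, shown as an added example (this is not code from the original article, from Heroku or from any APNs client library): a small Python helper that builds a verifying `ssl.SSLContext` trusting the operating system store plus the legacy root, and a merged CA bundle file for libraries that only accept a CA file path. It assumes the root has been downloaded to `GeoTrust_Global_CA.pem` in the working directory (or the path in the `GEOTRUST_PEM` environment variable) and that the system bundle lives at the Ubuntu default `/etc/ssl/certs/ca-certificates.crt`; the `SAMPLE_*` constants are constructed placeholders, not real certificates. The handshake check at the bottom needs network access; the bundle helpers run offline.

```python
"""Trust the legacy GeoTrust Global CA root for one APNs client only.

Added example, not part of the original article. Assumptions: the root is
saved at GEOTRUST_PEM, the OS bundle is at SYSTEM_BUNDLE, and the SAMPLE_*
PEM blocks below are constructed placeholders rather than real certificates.
"""
import base64
import os
import re
import socket
import ssl

APNS_HOST = "api.push.apple.com"
SYSTEM_BUNDLE = "/etc/ssl/certs/ca-certificates.crt"              # Ubuntu ca-certificates output
GEOTRUST_PEM = os.environ.get("GEOTRUST_PEM", "GeoTrust_Global_CA.pem")  # assumed download path

_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\r?\n.+?\r?\n-----END CERTIFICATE-----", re.S
)


def pem_blocks(text):
    """Return the individual certificate blocks of a PEM bundle, in order."""
    return [m.group(0) for m in _PEM_BLOCK.finditer(text)]


def merge_bundles(system_pem, extra_pem):
    """Concatenate the OS bundle with the extra root(s), dropping duplicates.

    For client libraries that take a single CA file path (e.g. via an
    environment variable) instead of an SSLContext. Blocks are compared with
    whitespace removed so a re-wrapped copy of the same root is still a duplicate.
    """
    seen, merged = set(), []
    for block in pem_blocks(system_pem) + pem_blocks(extra_pem):
        key = re.sub(r"\s+", "", block)
        if key not in seen:
            seen.add(key)
            merged.append(block)
    return "\n".join(merged) + "\n"


def make_apns_context(extra_ca_pem=None):
    """Verifying context (CERT_REQUIRED + hostname check) that trusts the OS
    store and, optionally, the legacy root. Keep it for the APNs connection only."""
    ctx = ssl.create_default_context()  # loads the OS roots because no cafile/cadata is given
    if extra_ca_pem:
        # load_verify_locations ADDS to the store. Passing cafile= to
        # create_default_context instead would drop the OS roots entirely.
        ctx.load_verify_locations(cadata=extra_ca_pem)
    return ctx


def apns_handshake_ok(ctx, host=APNS_HOST, port=443, timeout=10):
    """Attempt a TLS handshake with APNs; return (ok, detail). Needs network access."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                issuer = dict(rdn[0] for rdn in tls.getpeercert()["issuer"])
                return True, "issuer=%s" % issuer.get("organizationName")
    except ssl.SSLCertVerificationError as exc:
        return False, "verify failed: %s" % exc.verify_message
    except OSError as exc:
        return False, "connection failed: %s" % exc


def _fake_cert(label):
    """Constructed placeholder block (NOT a real certificate; it will not load
    into an SSLContext). Only used to exercise the bundle helpers offline."""
    body = base64.b64encode((label * 24).encode()).decode()
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


SAMPLE_SYSTEM_PEM = _fake_cert("system-root-A") + _fake_cert("system-root-B")
SAMPLE_EXTRA_PEM = _fake_cert("legacy-root-placeholder")


if __name__ == "__main__":
    extra = open(GEOTRUST_PEM).read() if os.path.exists(GEOTRUST_PEM) else None
    print("OS store only    :", apns_handshake_ok(make_apns_context()))
    if extra:
        print("with legacy root :", apns_handshake_ok(make_apns_context(extra)))
        if os.path.exists(SYSTEM_BUNDLE):
            with open(SYSTEM_BUNDLE) as src, open("apns-ca-bundle.pem", "w") as out:
                out.write(merge_bundles(src.read(), extra))
            print("wrote apns-ca-bundle.pem for path-only clients")
```

Pass the context returned by `make_apns_context(...)` (or the path of the merged bundle) only to the APNs client; leaving the default context or the OS store untouched keeps the distrusted root from being accepted by every other outbound connection in the app.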
For more information on specific clients, see:
We also recommend filing a ticket with Apple, to raise awareness of this compatibility issue.
For more background on this issue, see: