APNs SSL Certificate Verification Issue in Development (APNs 2025 Certificate Update) #69

@JangoCG

When trying to send push notifications to Apple Push Notification Service (APNs) in development, I'm encountering SSL certificate verification errors:

ActionPushNative::ConnectionError (SSL_connect returned=1 errno=0 peeraddr=[...]:443 state=error: certificate verify failed (unable to get certificate CRL))

This appears to be related to Apple's 2025 APNs certificate update (USERTrust RSA Certification Authority), which has CRL (Certificate Revocation List) availability issues with OpenSSL 3.x.

Current Workaround

I've implemented a workaround that disables SSL verification in development environments only by monkey patching the session:

# config/initializers/action_push_native.rb
if Rails.env.development?
  Rails.application.config.after_initialize do
    ActionPushNative::Service::Apns::HttpxSession.class_eval do
      alias_method :original_initialize, :initialize

      def initialize(config)
        @session = \
          HTTPX.
            plugin(:persistent, close_on_fork: true).
            with(pool_options: {max_connections: config[:connection_pool_size] || self.class::DEFAULT_POOL_SIZE}).
            with(timeout: {request_timeout: config[:request_timeout] || self.class::DEFAULT_REQUEST_TIMEOUT}).
            with(origin: config[:connect_to_development_server] ? self.class::DEVELOPMENT_SERVER_URL : self.class::PRODUCTION_SERVER_URL).
            # this is the important line
            with(ssl: {verify_mode: OpenSSL::SSL::VERIFY_NONE})
        @token_provider = ActionPushNative::Service::Apns::TokenProvider.new(config)
      end
    end
  end
end

WARNING: This workaround is only active in development and should never be used in production.

Questions

  1. Is this a known issue with the APNs 2025 certificate update?
  2. Is there a better solution for local development than monkey patching the session to fix the SSL verification? I assume that properly configuring macOS’s system trust store (e.g., updating the Apple root certificates or switching to the system OpenSSL) would resolve this without disabling SSL verification, but I did not get that to work. It worked with Ruby and the interpreter but never with Rails. It's late now and I gave up on that for now...
  3. Should action_push_native handle this automatically, or is this expected behavior that developers need to work around?

Environment

  • Ruby: 3.4.5 (Installed with MISE)
  • Rails: 8.1.1
  • OpenSSL: 3.x
  • OS: macOS

Related

Thank you for your time and any guidance you can provide!
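
Added example (not part of the original issue and not action_push_native code): the error text in the report, "unable to get certificate CRL", is what OpenSSL returns when CRL checking is enabled on the certificate store and no CRL is available, which is a narrower condition than chain verification failing. The sketch below reproduces that on a constructed throwaway chain and builds SSL parameters that keep `VERIFY_PEER` on with a store that has no CRL flags. The helper names are hypothetical, and whether passing such a `cert_store` through the HTTPX `ssl:` option clears the failure in a given Rails setup is an assumption to test.

```ruby
require "openssl"

# Constructed throwaway PKI (not Apple's chain): a self-signed root and a leaf it signs.
def make_cert(cn, key, issuer, issuer_key, ca)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = ca ? 1 : 2
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(issuer || cert, cert)
  cert.add_extension(ef.create_extension("basicConstraints", ca ? "CA:TRUE" : "CA:FALSE", true))
  cert.sign(issuer_key, OpenSSL::Digest.new("SHA256"))
  cert
end

def constructed_chain
  root_key = OpenSSL::PKey::RSA.new(2048)
  leaf_key = OpenSSL::PKey::RSA.new(2048)
  root = make_cert("Constructed Test Root", root_key, nil, root_key, true)
  leaf = make_cert("constructed.example.test", leaf_key, root, root_key, false)
  [root, leaf]
end

# Verify the leaf against a store that trusts only `root`, using the given X509 verify flags.
def verify_with_flags(root, leaf, flags)
  store = OpenSSL::X509::Store.new
  store.add_cert(root)
  store.flags = flags
  ok = store.verify(leaf)
  { ok: ok, code: store.error, message: store.error_string }
end

# Hypothetical helper: peer verification stays on, trust anchors come from the default paths, no CRL flags.
def verified_ssl_params_without_crl
  store = OpenSSL::X509::Store.new
  store.set_default_paths
  store.flags = 0
  { verify_mode: OpenSSL::SSL::VERIFY_PEER, cert_store: store }
end

if __FILE__ == $PROGRAM_NAME
  root, leaf = constructed_chain
  p verify_with_flags(root, leaf, OpenSSL::X509::V_FLAG_CRL_CHECK) # CRL required, none present
  p verify_with_flags(root, leaf, 0)                               # chain and signature checks only
  OpenSSL::SSL::SSLContext.new.set_params(verified_ssl_params_without_crl)
end
```

Unlike `VERIFY_NONE`, a store without CRL flags still rejects a certificate that does not chain to a trusted root; it only skips revocation lookup.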