Unable to manually upload SSL certificate for Heroku app - ssl

I used letsencrypt to generate the certificate and the private key. All tested fine. Then I used heroku certs:add to add the cert and private key to my app:
sudo heroku certs:add --type=sni /etc/letsencrypt/live/appname.com-0001/fullchain.pem /etc/letsencrypt/live/appname.com-0001/privkey.pem --app appname
The command worked a few months back, and now it just shows the following:
Usage: heroku certs:add CRT KEY
then it will stop executing. So what should I do to add the cert and private key to Heroku? Thank you so much.

I resolved the issue by removing --type=sni from the original command, and everything works fine now.

Related

Error loading rsa private key - MUP to Deploy Meteor App at Digital Ocean w/SSL

I have a Meteor app I am deploying to a Digital Ocean Ubuntu server via MUP. It works great without SSL, but I can't figure out the SSL part.
I purchased a Comodo SSL cert. They sent me 4 .crt files. I ran the following command:
cat cert1.crt cert2.crt cert3.crt mydomain.crt > ssl.pem
I then put that ssl.pem file in the root directory locally. Added "ssl": {"pem":"./ssl.pem"} to my mup.json file and ran mup setup -- everything is successful until:
[45.55.225.190] x Verifying SSL Configurations (ssl.pem): FAILED
-----------------------------------STDERR-----------------------------------
Trying to initialize SSL contexts with your certificatesError loading rsa private key
-----------------------------------STDOUT-----------------------------------
----------------------------------------------------------------------------
I'm not even sure how to troubleshoot this. I ran a quick find on the server and the ssl.pem is there, so mup successfully sent the file over, but it seems stud is not verifying the file or not finding it?
Turns out I was running into two different problems. First, you have to put the certificate files in a very specific order. Second, I was not including my key file. The command to create the .pem file needed was:
cat mydomain.crt COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt mydomain.nopass.key > ssl.pem
This blog post at DeveloperSide.NET helped me tremendously.

OpenShift with Comodo SSL

I am trying to upload the SSL certificates for my OpenShift gear's alias. I used the instructions here: http://cloudhostingsource.com/setup-ssl-certificate-openshift/
I am stuck however at the uploading part - I have already generated the CSR and activated the certificate. Every time I try to upload the files it takes me back to the same page without so much as a notification.
Comodo SSL sent me 4 files:
AddTrustExternalCARoot.crt
COMODORSAAddTrustCA.crt
COMODORSADomainValidationSecureServerCA.crt
myApp.crt
How do I upload these? There are three fields to upload for Openshift... Which do I load into SSL Certificate? Certificate chain? I have my private key and I know the keypass.
Thanks
Just wanted to post an update for this for users who run into this issue in the future... I'm not sure if it was because I had added a public SSH key via the RHC setup but nothing I did (no permutations of copy paste chaining, switching files around) would work via the file uploader.
In the end, before deciding to call Red Hat and QQ, I used the command line console to add the SSL files...
Here is the command I used:
rhc alias update-cert php www.myapp.com --certificate myApp.crt --private-key myApp.key --passphrase mypass
This link includes more info: https://access.redhat.com/documentation/en-US/OpenShift_Online/2.0/html/User_Guide/Using_Custom_SSL_Certificates1.html
TLDR: You don't need to combine any of the Comodo files, just use your file #4, your private key, and your passphrase (if you have one).
That's right!
First combine public with bundle:
cat dom_com.crt dom_com.ca-bundle >> dom_com.ALL.bundle
and upload both:
rhc alias update-cert app dom_com \
--certificate dom_com.ALL.bundle \
--private-key dom_com.key
And then you will obtain an A at https://www.ssllabs.com/ssltest/
You need to combine 1,2, and 3 into one chain certificate (in the correct order) and upload them in the chain certificate field, the key goes in the key field, and the myApp.crt goes in the certificate field.
I had a similar problem, and after some back-and-forth emails with the certificate issuer, what helped me was to combine my site certificate with the certificate chain into one file and upload it into the "SSL Certificate" field in OpenShift. I left the "SSL Certificate Chain" field blank, but of course I uploaded my public key in the "Certificate Private Key" field.

uploading ssl certificate to heroku

I've set everything up to secure my domain with ssl, I've received a certificate from my provider and I added the endpoint addon to heroku, however I'm having difficulties with uploading the certificates to heroku.
I have the following files:
CompleteCABundle.crt
www.domainname.crt
and some generated server.key and server.pass.key files.
I've tried to upload these to heroku with the certs:add command but so far it does not seem to be working.
What steps should be taken and which files exactly should be uploaded to heroku?
I haven't used Heroku before but I imagine a problem could be that you haven't combined the CA Bundle and your domain's certificate together into a single file before trying to upload them.
According to the Heroku docs here: https://devcenter.heroku.com/articles/ssl-endpoint there are only two arguments to the certs:add command.
You can combine the two .crt files with the following:
cat www.domainname.crt CompleteCABundle.crt > total-crt-chain.crt
Then try certs:add again (with this new bundle and your private key) and maybe see if this works.

Heroku ssl certs: Key could not be read since it's protected by a passphrase

I am having trouble generating ssl certs that Heroku will accept for secure.mydomain.com. I'm using DNSimple, Cedar Stack, and following the instructions here: https://devcenter.heroku.com/articles/ssl-certificate
1. Copy server.key & server.orig.crt from DNSimple
2. Get root CA certificate with $ curl https://knowledge.rapidssl.com/library/VERISIGN/ALL_OTHER/RapidSSL%20Intermediate/RapidSSL_CA_bundle.pem > rapidssl_bundle.pem
3. Concatenate into one file with cat server.orig.crt rapidssl_bundle.pem > server.crt
So now I have the server.key & server.orig.crt files, which I try to upload to Heroku with $ heroku certs:add server.crt server.key. This gives the error
Key could not be read since it's protected by a passphrase.
The docs above don't mention anything about removing the passphrase from the server.key file. So I dug around and found the docs here: https://devcenter.heroku.com/articles/ssl#customdomain-ssl. I'm running these commands between #1 and #2 above:
1b. $ mv server.key server.orig.key
1c. $ openssl rsa -in server.orig.key -out server.key
However this gives the error
unable to load Private Key
47930:error:0906D06C:PEM routines:PEM_read_bio:no start line:/SourceCache/OpenSSL098/OpenSSL098-47/src/crypto/pem/pem_lib.c:648:Expecting: ANY PRIVATE KEY
Which I suspect means there is no private key found.
Anyone know what is the issue here? Is this a Heroku issue or an openssl issue (or a DNSimple issue)?
I just struggled mightily with a nearly identical problem installing SSL Certs on a Heroku app with DNSimple and RapidSSL, and want to post my solution here in case someone with a similar problem comes across this response.
I had followed the directions from everywhere on SO and Heroku dev center to install certs through DNSimple and RapidSSL, but every time I tried to add the certs with the command:
$ heroku certs:add server.crt bundle.pem server.key
no matter what I did, I got this error:
$ Adding SSL Endpoint to mysite... failed
! Key could not be read since it's protected by a passphrase.
! Read instructions on how to remove the passphrase on:
! http://www.madboa.com/geek/openssl/#key-removepass
I knew the key didn't have a passphrase (because I went through that process multiple times) but it still didn't want to add them. I did two things that ultimately got it working though I'm not sure which one was the clincher.
First, I made sure to download the proper PEM file under the Apache, Plesk & CPA box from the RapidSSL email link to Intermediate certificates.
The second thing was to verify my Heroku toolbelt installation by going through the steps here: https://devcenter.heroku.com/articles/heroku-command#installing-the-heroku-cli
Turns out I was still using the gem and had to uninstall until I got to heroku-toolbelt, after which I tried adding the certs again and voila.
Struggled with this issue for days, until I came across this thread and followed the upgrade advice. The first thing I had to do was
gem uninstall heroku --all
I answered 'Yes' to the keep executable question, because of another post I had read on stackoverflow. I then went to https://toolbelt.herokuapp.com/ and installed the toolbelt (even though heroku --version was saying that it was installed). Upgraded it to heroku-toolbelt 2.39.0. Retried the following command and it worked:
heroku certs:add cert.cer bundle.pem server.key
Maybe I'll finally get some sleep tonight :)
This is really stupid, but as far as I can tell there was an issue with using TextEdit in Mac OS to save the initial server.key and server.orig.crt files.
I used TextMate instead and everything is working fine.
An old toolbelt installation was my problem on windows.
Even though heroku update changed the version number from 2.30.1 to 2.39.0, a heroku version showed it wasn't updating correctly for some reason.
I reinstalled the toolbelt from https://toolbelt.herokuapp.com/ and tried it again, and everything worked.
heroku version now says this for me, and the certs:add works correctly:
heroku-gem/2.39.0 (i386-mingw32) ruby/1.9.2
I now got the same error, even with a recent heroku/7.47.6 (from npm).
The reason turned out to be that I got an elliptic-curve certificate from Let's Encrypt; the private key file contained:
-----BEGIN EC PRIVATE KEY-----
That's not supported according to https://devcenter.heroku.com/articles/acquiring-an-ssl-certificate:
Heroku only supports RSA keys for certs. Elliptic curve keys are not supported.
Once I obtained an RSA cert, it worked.
(Specifically, dehydrated now defaults to --algo secp384r1; I had to provide --algo rsa. But the idea should be the same with other tools/CAs: you need an RSA cert.)
For me the issue was that 1Password changed newlines in the certificates into spaces, and replacing the spaces back into newlines helped (in the cert body, of course, not in the ----BEGIN CERTIFICATE---- part).
So check your cert/key contents; this may very well be a formatting issue.
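The failure modes reported across the MUP/Comodo thread and this Heroku thread (wrong file combination, key left in the chain file, passphrase-protected key, EC instead of RSA key, newlines turned into spaces) can all be caught before running certs:add. The pre-flight checker below is an added example, not code from any of the posts or from Heroku; the PEM contents are constructed placeholders with fake base64, and the function and file names are my own.

```python
import re
# One PEM block; the body may carry header lines such as "Proc-Type: 4,ENCRYPTED".
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.DOTALL)
HEADER_LINE = re.compile(r"^[\w-]+:[^\n]*$", re.MULTILINE)

# Constructed stand-ins for the files in the threads (placeholder base64, not real certs/keys).
LEAF_CRT = "-----BEGIN CERTIFICATE-----\nQUFBQUFB\nQkJCQg==\n-----END CERTIFICATE-----\n"
CA_BUNDLE = "-----BEGIN CERTIFICATE-----\nQ0NDQw==\n-----END CERTIFICATE-----\n"
RSA_KEY = "-----BEGIN RSA PRIVATE KEY-----\nS0VZS0VZ\n-----END RSA PRIVATE KEY-----\n"
EC_KEY = RSA_KEY.replace("RSA PRIVATE", "EC PRIVATE")
ENC_KEY = RSA_KEY.replace("\nS0VZ", "\nProc-Type: 4,ENCRYPTED\nDEK-Info: AES-128-CBC,00\n\nS0VZ")
MANGLED_KEY = "-----BEGIN RSA PRIVATE KEY----- S0VZ S0VZ -----END RSA PRIVATE KEY-----"

def pem_blocks(text):
    return [(m.group(1), m.group(2)) for m in PEM_BLOCK.finditer(text)]  # [(label, body)]

def has_spaces(body):  # base64 lines containing spaces mean newlines were replaced (1Password symptom)
    return any(" " in ln.strip() for ln in body.splitlines() if ":" not in ln)

def normalize_pem(text):
    """Rewrite every block with clean 64-column base64 lines, keeping any header lines."""
    out = []
    for label, body in pem_blocks(text):
        headers = HEADER_LINE.findall(body)
        b64 = "".join(HEADER_LINE.sub("", body).split())
        lines = [f"-----BEGIN {label}-----", *headers] + ([""] if headers else [])
        lines += [b64[i:i + 64] for i in range(0, len(b64), 64)]
        lines.append(f"-----END {label}-----")
        out.append("\n".join(lines))
    return "\n".join(out) + "\n"

def check_for_heroku(chain_text, key_text):
    """Pre-flight for `heroku certs:add chain.pem key.pem`; an empty list means nothing was found."""
    problems = []
    chain = pem_blocks(chain_text)
    if not any(label == "CERTIFICATE" for label, _ in chain):
        problems.append("chain file has no CERTIFICATE block (expected leaf first, then intermediates)")
    if any("PRIVATE KEY" in label for label, _ in chain):
        problems.append("chain file contains a private key; certs:add takes the key as its own argument")
    keys = [(lb, bd) for lb, bd in pem_blocks(key_text) if "PRIVATE KEY" in lb]
    if not keys:
        return problems + ["key file has no PEM private key (openssl: 'no start line')"]
    label, body = keys[0]
    if label.startswith("EC"):
        problems.append("EC private key; Heroku only supports RSA keys")
    if label == "ENCRYPTED PRIVATE KEY" or "ENCRYPTED" in body:
        problems.append("key is passphrase-protected; strip it with openssl rsa -in old.key -out new.key")
    if any(has_spaces(bd) for _, bd in chain + keys):
        problems.append("PEM body has spaces instead of newlines; run normalize_pem() first")
    return problems
```

The checker only inspects PEM framing, so the order of leaf and intermediates still has to be verified with openssl; normalize_pem() repairs the space-for-newline damage so the key can be re-checked.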

The command heroku ssl says my domains have no certificate installed

I just want to say that this is not normally something I do, but I have been tasked with it recently...
I have followed the heroku documentation for setting up SSL closely, but I am still encountering a problem.
I have added my cert to heroku using the following command:
heroku certs:add path_to_crt path_to_key
This part seems to work. I receive a message saying:
Adding SSL Endpoint to my_app ... done
I have also set up a CNAME for my hosting service to point to the endpoint associated with the cert command above. However, when I browse to the site I still receive an SSL error. It says my certificate isn't trusted and points to the *.heroku.com license, not the one I have just uploaded.
I have noticed that when I execute the following command:
heroku ssl
I receive the following:
my_domain_name has no certificate
My assumption is that there should be a certificate associated with this domain at this point.
Any ideas?
Edit: It appears that I did not wait long enough for the certificate stuff to trickle through the internets... however, my question regarding the "heroku ssl" command still puzzles me.
The Heroku ssl command is for legacy certificates:
$ heroku ssl -h
Usage: heroku ssl
list legacy certificates for an app
The command you need is heroku certs which will output the relevant certificate info for that project.