Free SSL setup on Heroku for a react-app using LetsEncrypt - ssl

To start with, I really don't want to pay for a hobby dyno on Heroku. I am well aware of their ACM process. I am trying to be a little careful with spending as I am testing something.
My current setup is as follows:
Namecheap (domain xyz.com) -> xyz.herokuapp.com (with DNS Name configured correctly)
This is configured correctly and works great for HTTP. I have a task at hand to obtain certificates from LetsEncrypt (because they are free) and integrate them into the app deployed on Heroku.
The app is a simple react-app, built using create-react-app. I have followed the steps to obtain a certificate from LetsEncrypt, and certbot is asking me to place the certificate at this path: public/.well-known/acme-challenge/<cert-string>. The content of the file in that path contains the .
The problem I am having is that the route localhost:3000/.well-known/acme-challenge/<cert-string> works well in my dev environment. When I deployed the react app to Heroku, the route /.well-known/acme-challenge/<cert-string> is heading to a 304 and I am unable to get certbot to complete the validation step.
After a few hours of debugging I understand the architecture inside Heroku better, and I have understood that this is a Heroku buildpack related problem. My current understanding of the issue is as follows:
Heroku blocks access to /.well-known/acme-challenge/<cert-string>
and I have to find a way to unblock this so that certbot can validate my cert process.
I did some research and understood that there is a way to bypass the nginx.conf. Is this really possible?
Looking for some guidance here.
Edit 1
I have tried some approaches from https://github.com/heroku/heroku-buildpack-php/issues/218 - they did not work well.

Related

Unable to trust ASP.NET SSL dev certificate

I have been going around and around with this issue. I can create a dev-cert using dotnet dev-certs https --trust but the certificate only appears in the Personal certificates folder. If I try copying it to the Trusted folder it disappears on refresh. I have watched videos of people doing this on YouTube and it works so I'm not sure what is wrong with my PC/install.
Running my code and hitting the route in Postman returns a 500 error and UntrustedRoot.
I have tried this using a local user account and my admin account. I have also tried creating a certificate and importing it using OpenSSL following guides I have found, but still no luck.
I am running Windows 10 Pro on a new build PC. Windows was a clean install with a new licence.
I really don't want to have to purchase a signed certificate just to do development on localhost as that seems a bit overkill.
Any suggestions?
tl;dr try disabling your anti-virus before creating the certificate!
I finally stumbled upon the answer: my anti-virus, WebRoot. I was following a YouTube tutorial on how to add a custom certificate to Kestrel and in doing so I discovered that WebRoot was blocking access to the hosts file. Disabling the AV allowed me to update that file but also, it then allowed trusting of the dev-cert generated by dotnet dev-certs https --trust.
Not sure how I can prevent this in future other than temporarily disabling the AV before creating a certificate. Frustrating that the AV doesn't warn me and there doesn't appear to be an obvious setting to allow this to happen.

Heroku ACM SSL says Cert issued but certificate won't show on the website

This is my first time getting an SSL certificate for my website. I followed this tutorial https://devcenter.heroku.com/articles/automated-certificate-management
heroku certs:auto displays that Status is "Cert issued". I get no errors. I use git push and the website is still not certified. What could I be doing wrong?
Old question, but if anyone else runs into this problem, which I was just battling myself, here was my problem:
When following the Heroku dev center guide on how to point a custom domain to your herokuapp, the guide says, among other things:
"Create a CNAME record to map from www.example.com to example.herokuapp.com or your SSL endpoint if using SSL."
Neither one of these alternatives is, however, the way to go now (SSL endpoint is considered legacy at Heroku). Instead, once you have added your custom domain correctly, simply:
In Heroku CLI, run "heroku certs:auto:enable" to enable ACM.
Point your domain's DNS records at the Heroku DNS target for your custom domain, which you can find by running "heroku domains"
Wait a little.
This should do it.

Why using NGINX or how to deploy Meteor app correctly?

I am going to finish my Meteor app in a few weeks. So the problem that I will face is how to make my app available to other people.
Firstly I bought a droplet on Digital Ocean and started to read about the ways to deploy a Meteor app to a production server.
I found 2 totally different ways to do that!
The first one is pretty simple (and so I really love it). Here is the link. I have to do a few steps: create a droplet with Ubuntu 14.04, then connect to this droplet via ssh, then install and run mup. After that anybody can access my app. I worry that there is no SSL support (my project is e-commerce, so I really need an https connection), but then I found in the mup docs a short article, How to set up SSL with Mup. So everything is perfect at first glance.
But then I found another way to deploy a Meteor app. Here is the link. It is much more complicated. First I need to install node and mongo on my droplet. Then install and configure nginx. And then after many steps comes the Meteor installation. The author doesn't explain why people need to deploy the app this way, assuming that it is obvious to everyone. His explanation is "The problem with this is that it isn't wise to run an application like Meteor through your public port (which is 80)".
I admit I have no experience or knowledge in such questions. The one thing that I can say exactly is that I need a really proper way to deploy an e-commerce Meteor app. And it doesn't matter if I won't sleep many hours by doing this.
So the question is: which way is proper? And (it is important) why?
Both security and performance are important for this project. I am also going to use prerender.io or spiderable (for SEO purposes) and fast render, if it can have an influence on your answers. And really thank you for your answers, guys!
You can deploy your Meteor app on a server via different mechanisms. There are lots of ways to do the same thing.
As you said, you also found two ways to do that.
So in the first link you used Meteor Up for deploying your application, as you successfully deployed.
In the second approach you need to first log in to the server, then create a user, then install everything needed on your server machine, and after that you need to set up Nginx.
So as I guess, your question is related to "Nginx", and you want to know
1) Why we need to use Nginx
2) Which one is the better approach
So the answer for your first question is as follows:
Nginx (pronounced "engine x") is a web server that is used for many purposes, mainly for proxy pass. That means using nginx you can redirect your request from one URL to another, and the actual URL is hidden from the UI (for security purposes and for redirection).
In Meteor your app is by default running on 3000, so one way is that you can open port 3000 and run your application on that port. But via nginx you can run your app on port 80, and when a user hits any event, in nginx you can configure the address where you want to send the request.
For example, you can send them to port 3000.
So now the user doesn't know where the request is actually going, because you show them port 80 but in actual fact the request goes to port 3000. So this is one advantage of using nginx; there are lots more.
So for configuration of nginx you just need to install nginx; if you are using Ubuntu, via a simple command:
sudo apt-get install nginx
then edit the nginx configuration file, which is at the following path:
/etc/nginx/sites-enabled/default
Just open this file and set up your configuration here, like:
server {
    listen 80;
    server_name localhost;
    root /home/parveen/meteor/app;

    location / {
        index /index.html;
    }

    # Forward /api to the Meteor process bound on localhost:3000. Meteor's DDP
    # traffic runs over websockets, so the Upgrade/Connection headers and
    # HTTP/1.1 are required or those connections will fail through the proxy.
    location /api {
        proxy_pass http://localhost:3000;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
In this way you can configure your nginx settings as you want; please read the nginx documentation for details.
After that you need to start your server using forever or nohup, whichever you want to use, so that your server will not stop when you exit from the server login.
Conclusion:
In the second approach you need to install everything by yourself via ssh login to your server, then configure nginx and then run your server.
If you make any changes then you again need to upload your changes to the server, stop the Meteor app and restart it. But this is a more secure approach and you can do what you want to do.
In the first approach they are using mup (Meteor Up), which does so much of the work for you. You just need to do some configuration; you can use Docker, or as described in the blog (droplet) link you shared, and just need to run the meteor up command, which will first create a bundle for your app and then run it. So in the first approach, if you make any changes, you don't need to log in to your server again to upload the changes; what you need to do is just run the same command again and that will create a new bundle with the updates and run your project. But I don't think that is more secure.
So it depends on your requirements and choice which one you want to use.
If you have any questions, you are most welcome.
Hope this would help!
Thanks

Heroku Bad response from SSL Endpoint provider

Good morning,
I am attempting to update my SSL certificate on Heroku but keep on getting an error:
! Bad response from SSL Endpoint provider. Please try again later.
I have gone through the steps to create a bundle multiple times with no luck. From what I can tell, this can mean there is an issue with my certificate or that there is an issue with Heroku's services. There is mention of the SSL Doctor tool provided by Heroku, but the GitHub repo says to use the Toolbelt, and I have not been able to find any documentation on what the command is or how to use it.
I thought about removing my current SSL key, but I have been at this for weeks and I don't want SSL to be down for that long.
Has anyone experienced this before, or does anyone know how to use SSL Doctor (or whether SSL Doctor will even help)?
Thanks in advance!
I ran into the same problem. It turns out I was using the Heroku gem to handle the operations. All I had to do was uninstall the Heroku gem and then install the latest Toolbelt from Heroku. The worst part about this problem was that it failed silently. :(

Added RapidSSL certificate for Heroku with DNS through Badger, but it's still "SSL mismatching" when browsed

Yesterday, I added a RapidSSL certificate, but going to supplybetter.com still gives an SSL mismatch warning, and the heroku certificate rather than mine is being presented. I'd like to get this working and get rid of the warning as soon as possible.
To get the certificate, I followed the instructions in this tutorial, with the exception that there was no analogue to "../ssldir/myapp_mydomain_com_chain.key" in step 16, so I used the _chain-less .key file, the only one I had. My PEM is composed of my CRT followed by the intermediate CRT, with spacing / newlines correct after checking.
My DNS is through Badger.com, which interacts with Heroku; current records shown below. This post recommends adding a cname that I don't have, but there's no way for Badger to do that without uninstalling the Heroku plugin; it only allows one input, a "_______.herokuapp.com" address, and does the rest.
Results of heroku certs and ssl
matt$ heroku certs
Endpoint Common Name(s) Expires Trusted
------------------------ -------------------------------------- -------------------- -------
osaka-8681.herokussl.com www.supplybetter.com, supplybetter.com 2014-03-09 23:27 UTC True
matt$ heroku ssl
supplybetter.com has no certificate
www.supplybetter.com has no certificate
This question has been submitted to Badger and Heroku support; if there's not an accepted answer, I don't yet have a solution. Thank you for your help!
--
Heroku support:
"Hey,
So the tutorial you are following was for our legacy feature ssl:hostname which has been removed in place of ssl:endpoint. Running heroku certs, I see that your cert has been added properly. However, there is one final step, you need to point your CNAME to your ssl:endpoint osaka-8681.herokussl.com
Once you do that, just wait for the DNS to propagate and you should be good to go."
The issue now is that Badger doesn't have a way I can see of adding non-subdomain CNAMEs, and their Heroku app only takes things in ____.herokuapp.com format.
DNS does not support CNAME records for the domain apex ("non-subdomain"). Heroku docs recommend not using the apex domain. Your DNS provider may provide a redirect function from domain.com to www.domain.com that you can take advantage of.
DNSimple has a feature that lets you use the apex on Heroku, but you'd have to switch away from Badger: http://support.dnsimple.com/questions/32831-How-do-I-point-my-domain-apex-to-Heroku
Badger support manually implemented the 3 A records that I needed, plus the correct CNAME to point to osaka.herokussl.com. My major mistake was that when faced with Badger's format to enter CNAMEs, _.domain.com, I didn't realize www would work. It's now propagated and working well.
Learned:
As of 3/8/13, Badger's Heroku plugin can't support custom domains, but they're possible to add manually
Badger support is very responsive