Heroku ACM https only works on herokuapp - ssl

I have a React app running on a professional Heroku dyno. It has a custom domain with naked redirect, registered via GoDaddy.
Based on the Heroku instructions and other StackOverflow posts I've read, I thought I had everything configured properly. And indeed when I go to https://www.myapp.herokuapp.com I get the correct behavior. However, when I go to https://www.mywebsite.com, I still get:
Your connection is not private. Attackers might be trying to steal your information.
heroku domains is:
=== myapp Heroku Domain
myapp.herokuapp.com
=== myapp Custom Domains
Domain Name DNS Record Type DNS Target
www.mywebsite.com CNAME xxx-yyy-1234567.herokudns.com
That DNS address is what I've set my CNAME in GoDaddy to point to:
CNAME www xxx-yyy-1234567.herokudns.com 1 Hour
heroku certs is:
Name Common Name(s) Expires Trusted Type
────────────────── ────────────────── ──────────────────── ─────── ────
tyrannosaurs-66282 www.mywebsite.com 2020-08-15 10:32 UTC True ACM
Finally, my heroku certs:auto is:
=== Automatic Certificate Management is enabled on myapp
Certificate details:
Common Name(s): www.mywebsite.com
Expires At: 2020-08-15 10:32 UTC
Issuer: /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
Starts At: 2020-05-17 10:32 UTC
Subject: /CN=www.mywebsite.com
SSL certificate is verified by a root authority.
Domain Status
────────────────── ───────────
www.mywebsite.com Cert issued
From what I can tell, everything is set up correctly. What am I missing?
One thing that could potentially be an issue: I originally tried to set up SSL manually by registering my site on Let's Encrypt, but stopped and switched to ACM after Heroku kept redirecting to va-acm, preventing confirmation.

Never mind, it did work, just takes a while to propagate. Leaving this Q up as a reference point so folks know what the correct configuration is.
Also, https always works for herokuapp. It has nothing to do with your ACM/DNS configuration.

Related

I get NET::ERR_CERT_COMMON_NAME_INVALID when I try to use certbot for Let's Encrypt in more than one domain

I am following the recommendations of Digital Ocean to configure several SSL certificates in Let's Encrypt for more than one domain. Both domains have www subdomains.
The first domain I have configured with SSL is diesanromero.dev and the subdomain www.diesanromero.dev is also configured correctly. I followed the same steps for the freebooks.dev domain and everything turned out perfect, but when I try to use the www subdomain I get the following error:
Your connection is not private. Attackers might be trying to steal your information from www.freebooks.dev (for example, passwords, messages, or credit cards). NET::ERR_CERT_COMMON_NAME_INVALID
Subject: freebooks.dev
Issuer: Let's Encrypt Authority X3
Expires on: Aug 12, 2020
Current date: May 14, 2020
Both subdomains are redirected to their respective domains. I renew the certificates and I don't get any console error, but when I try to enter www.freebooks.dev again I get the same error. Both www and # records point to the same IP. Also both domains point to the same IP in /etc/hosts.
Any idea what I am doing wrong?

How can I get Heroku's SSL functionality, certs:auto, to work for my non-www domain?

Supposedly, this command should automagically set up SSL for your domain:
heroku certs:auto:enable
This worked fine for my domain "www.example.io" but not "example.io". Is there something special I have to do for this? Here's the output:
➜ ExamPleGit.clean git:(master) heroku certs:auto
=== Automatic Certificate Management is enabled on example
Certificate details:
Common Name(s): www.example.io
Expires At: 2018-01-22 15:04 UTC
Issuer: /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
Starts At: 2017-10-24 15:04 UTC
Subject: /CN=www.example.io
SSL certificate is verified by a root authority.
Domain Status
────────────── ────────────
www.example.io DNS Verified
example.io Failing
=== Some domains are failing validation, please verify that your DNS matches: heroku domains
➜ ExamPleGit.clean git:(master) heroku domains
=== example Heroku Domain
example.herokuapp.com
=== example Custom Domains
Domain Name DNS Record Type DNS Target
────────────── ─────────────── ────────────────────────────
www.example.io CNAME www.example.io.herokudns.com
example.io ALIAS or ANAME example.io.herokudns.com
The way I fixed this was to simply redirect all traffic from example.io -> www.example.io in my domain provider's control panel, so I didn't need to worry about SSL for that URL. For Namecheap, go to the Advanced DNS settings of your domain and add this entry:
URL Redirect Record # http://www.example.io/
Once that is done, you can then set up node or PHP (via .htaccess file) to force all http -> https and give yourself an SSL secure site.

SSL Error on Heroku app

I cannot get ssl to work properly on my heroku app.
I have successfully added the crt key, which gives me:
Resolving trust chain... done
Updating SSL Endpoint aichi-7001.herokussl.com for mysite... done
Updated certificate details:
Common Name(s): mysite.com
www.mysite.com
Expires At: 2013-11-03 23:59 UTC
Issuer: /OU=Domain Control Validated/OU=Free SSL/CN=www.mysite.com
Starts At: 2013-08-05 00:00 UTC
Subject: /OU=Domain Control Validated/OU=Free SSL/CN=www.mysite.com
SSL certificate is verified by a root authority.
But when I try to load the page in the browser, I get the following message:
This is probably not the site you are looking for!
You attempted to reach www.mysite.com.br, but instead you actually reached a server identifying itself as *.herokuapp.com. This may be caused by a misconfiguration on the server or by something more serious. An attacker on your network could be trying to get you to visit a fake (and potentially harmful) version of www.mysite.com.br.
You should not proceed, especially if you have never seen this warning before for this site.
Any ideas on where I made a mistake?
You need to add the domain www.mysite.com to your Heroku app like so:
$ heroku domains:add www.mysite.com
Added www.mysite.com to example... done

Heroku, Keep getting SSL certificate error from Google Web Master Tool

I keep getting an SSL certificate error from Google Web Master Tool like below.
Dear Webmaster, The host name of your site, https://myapp.com/, does not match any of the "Subject Names" in your SSL certificate, which were:
*.herokuapp.com
herokuapp.com
This will cause many web browsers to block users from accessing your site, or to display a security warning message when your site is accessed. To correct this problem, please get a new SSL certificate by a Certificate Authority (CA) with a "Subject Name" or "Subject Alternative DNS Names" that matches your host name. Thanks, The Google Web Crawling Team
I set ssl to my heroku app by following instructions of Heroku dev center.
https://devcenter.heroku.com/articles/ssl-certificate
https://devcenter.heroku.com/articles/ssl-endpoint
I also am using rack_rewrite for 301 redirect for redirecting from naked domain to www subdomain.
It seems everything is going fine from browser, when I access naked domain, it will redirect to https://www.myapp.com without any SSL error.
Output from heroku is like below:
heroku certs --remote production
Endpoint Common Name(s) Expires Trusted
---------------------- ---------------------------------- -------------------- -------
XXXXXXXX.herokussl.com www.myapp.com, myapp.com 2013-08-05 00:20 PHT True
heroku certs:info --remote production
Fetching information on SSL endpoint XXXXXXX.herokussl.com... done
Certificate details:
subject: /serialNumber=XXXXXXXXXX www.rapidssl.com/resources/cps (c)12/OU=Domain Control Validated - RapidSSL(R)/CN=www.myapp.com
start date: (some date)
expire date: (some date)
common name(s): www.myapp.com, myapp.com
issuer: /serialNumber=XXXXXXXXXXX www.rapidssl.com/resources/cps (c)12/OU=Domain Control Validated - RapidSSL(R)/CN=www.myapp.com
SSL certificate is verified by a root authority.
domain settings
Type NAME TTL Points to
ALIAS myapp.com 3600 xxxxxx.herokussl.com
CNAME www.myapp.com 3600 xxxxxx.herokussl.com
Why do I keep getting the error from Google?
Naked Domains are not supported. See the documentation section at Heroku Endpoint SSL

Purchased and installed ssl certs but still identified as *.herokuapp.com

I followed the instructions to the letter here -- https://devcenter.heroku.com/articles/ssl-certificate --, and they were helpful, especially since DNSimple is my registrar of choice. I got everything up and running as far as I know, purchased the certs (via DNSimple and RapidSSL), combined the crt and the CA bundle, and sent them up via the heroku client:
$ heroku ssl
www.website.com has a SSL certificate registered to /serialNumber=…
website.com has a SSL certificate registered to /serialNumber=…
But when I go to my apps (I even restarted them) they are still using the certs for *.herokuapp.com. Is there anything I've missed? Why would things be coming up as *.herokuapp.com?
From the top, here are the pieces provided to me from the related parties.
From DNSimple (on the cert details page) : Private Key
From DNSimple (on the cert details page) : Certificate
From RapidSSL's CA Download page (linked from DNSimple) : CA bundle "pem"
From email sent by RapidSSL / Geotrust : Web Server CERTIFICATE
From email sent by RapidSSL / Geotrust : INTERMEDIATE CA
I imagine that the "private key" is what I need in the second part of the heroku ssl:add dance: heroku ssl:add site.pem private.key
But it seems that I'm doing something wrong when I'm putting together the "pem" file for the first file I'm sending with heroku ssl:add. Of the pieces above - what needs to be combined in order for this to work?
I know this question is old, but I just hit the same problem and found the answer, at least in my case.
I had my DNS pointing to my-app.herokuapp.com but the SSL endpoint is different. You can find the SSL endpoint like this:
$ heroku certs
Endpoint Common Name(s) Expires Trusted
------------------------ ---------------------------- -------------------- -------
osaka-5565.herokussl.com www.example.com, example.com 2014-05-18 09:32 UTC True
Your endpoint will be different from that. Once you change your CNAME and/or ALIAS records to point to the SSL endpoint, you'll get your own certificate instead of the herokuapp wildcard.
Make sure you're not viewing the naked domain name; https://yourwebsite.com is not supported with SSL on Heroku, whereas https://www.yourwebsite.com is.
If this ends up being the issue you'll have to make sure the naked domain name redirects to a subdomain like www.
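
The browser and Google warnings quoted in these threads all come down to the same check: does any name on the certificate the server presents match the host that was requested? The following is an added example, not code from any of the posts or from Heroku. It reproduces that check and separates the two failure modes seen above: the shared *.herokuapp.com certificate being served for a custom domain, and a certificate that covers only the naked name or only www. The function names, result labels and sample inputs are this example's own, and the name list for freebooks.dev is an assumption, since the post shows only the subject.

```python
import socket
import ssl

# Names on the shared platform certificate, as quoted in the Google notice above.
PLATFORM_NAMES = {"*.herokuapp.com", "herokuapp.com"}

def name_matches(pattern, host):
    """A '*' counts only as the whole left-most label and covers exactly one label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def _bare(name):
    return name[4:] if name.startswith("www.") else name

def diagnose(host, cert_names):
    """Classify a presented certificate for `host` (labels are this example's own)."""
    host = host.lower()
    names = {n.lower() for n in cert_names}
    if any(name_matches(n, host) for n in names):
        return "ok"
    if names and names <= PLATFORM_NAMES:
        # Shared certificate served: DNS does not reach the endpoint that holds
        # the custom certificate, or the domain was never added to the app.
        return "platform-default-cert"
    if any(_bare(n) == _bare(host) for n in names):
        # Right site, but only the www or only the naked name is on the certificate.
        return "www-or-apex-not-on-cert"
    return "unrelated-cert"

def fetch_names(host, port=443):
    """Return the DNS names on the certificate a live server presents."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # diagnosis only: chain is still verified, name is not
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]

if __name__ == "__main__":
    # Constructed inputs mirroring the cases described on this page.
    print(diagnose("www.mysite.com.br", ["*.herokuapp.com", "herokuapp.com"]))
    print(diagnose("www.freebooks.dev", ["freebooks.dev"]))
```

Against a live site, diagnose(host, fetch_names(host)) gives the same classification for whatever certificate is actually being served; a "platform-default-cert" result means the fix is in DNS or the app's domain list, not in the certificate.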