SSL not working with custom domain through Heroku and PointDNS - ssl

Currently hosting a PHP site on Heroku with a custom domain that I bought through Hostgator. I've followed this https://stackoverflow.com/a/47930979/4470851 to get PointDNS set up for my custom domain, and this guide https://devcenter.heroku.com/articles/custom-domains to get the DNS Targets. I've set the given DNS targets as the CNAME alias through Hostgator, and now the custom domain is working, but I'm getting the insecure site warning through Chrome. I upgraded my Heroku Dyno to be a Hobby plan (per https://devcenter.heroku.com/articles/automated-certificate-management) so Heroku should be handling my SSL now. I'm getting the Firefox warning: "The certificate is only valid for the following names: *.herokuapp.com, herokuapp.com".
This is not for a subdomain.

Got this working- for anyone else in the same boat, I had to also apply the DNS targets Heroku provided into the CNAME and ALIAS sections in PointDNS (they were set as .herokuapp.com addresses).
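Why the browser rejected the certificate, as an added example that is not part of the original post: a CNAME left pointing at a .herokuapp.com address lands on the shared certificate, whose names never cover a custom domain. The matcher applies the usual wildcard rule (a `*` stands for exactly one leftmost label); the function names and every hostname other than the two certificate names quoted in the warning are constructed.

```python
# Names taken from the Firefox warning quoted in the question.
CERT_NAMES = ["*.herokuapp.com", "herokuapp.com"]


def name_matches(hostname: str, pattern: str) -> bool:
    """Match one certificate name against a hostname.

    A wildcard is honoured only as the entire leftmost label and stands
    for exactly one label, so it never matches the bare parent domain
    or a deeper subdomain.
    """
    host = hostname.rstrip(".").lower().split(".")
    pat = pattern.rstrip(".").lower().split(".")
    if len(host) != len(pat):
        return False
    if pat[0] == "*":
        # Require a non-empty leftmost label and identical remaining labels.
        return len(pat) >= 3 and host[0] != "" and host[1:] == pat[1:]
    return host == pat


def cert_covers(hostname: str, cert_names=CERT_NAMES) -> bool:
    """True if any name on the certificate matches the hostname."""
    return any(name_matches(hostname, n) for n in cert_names)


def explain(hostname: str, cert_names=CERT_NAMES) -> str:
    if cert_covers(hostname, cert_names):
        return f"{hostname}: covered by certificate"
    return (f"{hostname}: NOT covered; certificate is only valid for "
            + ", ".join(cert_names))


if __name__ == "__main__":
    # Constructed hostnames: default app name, custom domain, apex, nested name.
    for h in ["myapp.herokuapp.com", "www.example.com",
              "example.com", "a.myapp.herokuapp.com"]:
        print(explain(h))
```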

Related

How to set up ssl on heroku app with a GoDaddy domain

I have a herokuapp running with a GoDaddy custom domain, and I am trying to add an ssl. I followed the Heroku tutorial by upgrading to a hobby dyno and clicking on "configure ssl." I then chose the automatic option, and it told me to replace the DNS www.example.com with a long string that Heroku provided, but I am not sure where to do this. GoDaddy does not allow me to change the address to the string because it does not begin with www. Has anybody set up an ssl for a herokuapp with a GoDaddy custom domain who has experience with this?
I did it a while back.
I set up the SSL on Heroku by upgrading the dyno to paid and used their SSL. The hard part would just be connecting GoDaddy and Heroku together.
All you need to do is go to Heroku and add a custom domain and copy the DNS.
Go to your DNS settings in GoDaddy and create a new record.
Type = CNAME
NAME = WWW
Points to = [DNS FROM HEROKU]
That should be all.
You should have something like this:

Heroku Automated Certificate Management failed with one domain

I am trying to get the SSL certification for my app with Heroku, but the Automated Certificate Management is failing for one of both domain names.
I created the dyno before March 2017, so I had to run heroku certs:auto:enable as explained here.
Then, heroku domains returns:
Domain Name      DNS Record Type  DNS Target
───────────────  ───────────────  ─────────────────────────────
example.com      ALIAS or ANAME   example.com.herokudns.com
www.example.com  CNAME            www.example.com.herokudns.com
This seems to be in line with what heroku expects.
Anyway, heroku certs:auto returns:
Domain           Status
───────────────  ────────────
example.com      Failing
www.example.com  OK
I admit that I am quite illiterate for settings concerning domains, DNS and so on. Therefore, this might be a very simple mistake from my side. However, I read the Heroku troubleshooting documentation and also similar questions in SO such as this one or this one and still have no clue what is wrong.
The fact that www.example.com is OK but example.com is failing just confuses me even more. And unfortunately, I received a notification email with no failure reason.
Namecheap
I guess the problem is either on Heroku or where I bought the domain. That is Namecheap.com.
There, at the Domain tab I have:
NAMESERVERS: Namecheap BasicDNS
REDIRECT DOMAIN:
Source URL   Destination
example.com  http://www.example.com
And at the Advanced DNS tab:
Type                 Host  Value                        TTL
-------------------  ----  ---------------------------  ---------
CNAME Record         www   example.com.herokudns.com    Automatic
TXT Record           #     google-site-verification...  Automatic
URL Redirect Record  #     http://www.example.com/      Unmasked
What am I doing wrong?
Update
The issue seems to be due to Namecheap. I found the following ticket on Heroku:
Issue
User is having trouble pointing their root domain (aka apex
domain/naked domain) to their Heroku app, either with setting the
right DNS records, or accessing it over HTTPS.
Resolution
Root domains on Heroku require the use of "CNAME-like" records, often
referred to as ALIAS or ANAME records.
Unfortunately, a number of popular DNS hosts such as GoDaddy,
Namecheap, Bluehost, and others do not support these types of records.
Instead they tend to offer the following:
A records
URL redirects / forwarding
There are caveats with both of these options...
Surprisingly, I did not find any place where all the steps were explained clearly. What I did so far is:
Open an account with a DNS host that supports this. I took DNSimple. At the time of writing, prices start from 5€/month but there is a trial month for free.
Transferring the domain costs 14€/year, so I just pointed the name servers at Namecheap to DNSimple and added the domain to DNSimple to create the DNS records.
Then came the configuration on DNSimple. I followed step 1 in the documentation to redirect HTTP to HTTPS; ignored step 2, since Heroku's ACM had already done it; and for step 3 the article Pointing the Domain Apex to Heroku was very helpful. I manually added an ALIAS record and I also added a CNAME record, like this:
Type   Name             Content
─────  ───────────────  ───────────────────────
ALIAS  example.com      myapp.com.herokudns.com
CNAME  www.example.com  myapp.com.herokudns.com
At the beginning nothing was working and the browser showed the following error:
This site can’t be reached
www.example.com’s server IP address could not be found.
Checking the troubleshooting documentation I saw that the only possibility was the name server propagation delay, so I waited. It felt like a very long time, but it actually took less than one hour until the site got online again.
However, the SSL certification keeps failing more than 48 hours later...
For future reference: after contacting Heroku support, they manually refreshed my certificate request and it was finally issued for my app...
Check the answer here especially the CloudFlare solution as it is free
Automated certificate management also provisions you a free SSL cert
from https everywhere. You don’t need to buy a cert.
However namecheap won’t work with ACM because they don’t allow an
“alias” record for your “apex” domain I.e. your domain with no
subdomain so https://example.com not https://www.example.com
Your options are switch to a dns registrar that supports an “alias”
record such as dnsimple. They charge $5 a month in addition to the
domain registration fee.
Or alternatively use a free cloudflare instance which comes with SSL.
If you already bought a cert there is a way to upload it to Heroku via
an SSL addon.
I use both DNSimple/Heroku ACM on some apps and cloudflare on some
others. Both are equally nice but cloudflare is free and gives you a
CDN too.
https://www.reddit.com/r/Heroku/comments/7wh5r4/setting_up_ssl_with_heroku_namecheap/
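A small lint for the situation in this thread, added here as an example and not taken from any of the posts: it compares the DNS targets that `heroku domains` lists with the records actually present at the DNS host. The sample data is constructed from the question's tables (the TXT record is omitted and hosts are written out in full), and the function names are made up for the example.

```python
# Constructed from the question's tables: targets as listed by
# `heroku domains`, records as shown in the Namecheap Advanced DNS tab.
ZONE = "example.com"
HEROKU_TARGETS = {
    "example.com": "example.com.herokudns.com",
    "www.example.com": "www.example.com.herokudns.com",
}
RECORDS = [  # (type, fully qualified name, value)
    ("CNAME", "www.example.com", "example.com.herokudns.com"),
    ("URL Redirect", "example.com", "http://www.example.com/"),
]


def norm(name):
    """Lower-case a DNS name and drop any trailing dot."""
    return name.rstrip(".").lower()


def check_domain(domain, target, records, zone=ZONE):
    """Return (status, detail) for one custom domain."""
    mine = [(t.upper(), norm(v)) for t, n, v in records if norm(n) == norm(domain)]
    apex = norm(domain) == norm(zone)
    # The apex cannot carry a CNAME, so it needs a CNAME-like record instead.
    wanted = ("ALIAS", "ANAME") if apex else ("CNAME",)
    values = [v for t, v in mine if t in wanted]
    if not values:
        have = ", ".join(t for t, _ in mine) or "no records"
        return ("missing", f"needs {' or '.join(wanted)} -> {target}; found {have}")
    value = values[0]
    if value.endswith(".herokuapp.com"):
        return ("wrong-target", f"{value} serves the *.herokuapp.com certificate")
    if value != norm(target):
        return ("mismatch", f"{value} differs from listed target {target}")
    return ("ok", value)


def lint(targets=HEROKU_TARGETS, records=RECORDS):
    """Check every Heroku custom domain against the zone's records."""
    return {d: check_domain(d, t, records) for d, t in targets.items()}


if __name__ == "__main__":
    for domain, (status, detail) in lint().items():
        print(f"{domain:16} {status:12} {detail}")
```

On the sample data the apex is reported as missing its ALIAS/ANAME record, which is the domain ACM listed as Failing.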

Forwarding https://example.com to https://www.example.com

Trying to get
https://example.com
To not refuse the connection, to show my website, and to redirect to:
https://www.example.com
Without having to switch my DNS hosting to DNSimple or adding another service provider.
My domain was purchased on GoDaddy. DNS is on GoDaddy as well, set up as shown below.
My app is hosted on Heroku, using a Let's Encrypt certificate, that I installed following this answer.
Currently using Helmet+express-enforces-ssl to force hsts.
I have read the following info:
Heroku SSL on root domain ; Heroku SSL Endpoints ; The Limitations of DNS A-Records
The last of which states:
(...) applications requiring SSL encryption should use the
ALIAS/ANAME configuration on the root domain. Subdomain redirection
will cause a browser error when the root domain is requested over SSL
(i.e. https://example.com).
Which seems to be my problem (?).
How do I set this up on GoDaddy?

SSL certificate on Heroku

I have one domain purchased from GoDaddy.
Let's say it is www.example.com. I have purchased a wildcard SSL certificate from GoDaddy for this domain.
This domain is pointing to one of my apps on Heroku. When I type http://www.example.com, it works fine. But when I type https://www.example.com,
it says "web page not available" and the error code is:
"ERR_CONNECTION_REFUSED".
So do I need to add the SSL certificate on Heroku too? How will HTTPS work on my site when it's pointing to Heroku? Thank you in advance.
You need to upload your SSL certificate to Heroku with its CLI command heroku certs:add. Probably you also need to activate an SSL Endpoint addon ($20/month) and set your DNS CNAME pointing to it.
See https://devcenter.heroku.com/articles/ssl-endpoint#provision-the-add-on for details, and subsequent sections.

Point to CNAME to openshift throws certificate issue

I have my domain CNAME point to myapp-mynamespace.rhcloud.com however it throws this certificate error:
Doing rhc alias add proxy proxy.mynamespace.com would do the trick.
However, I just want to point arbitrary domain CNAME (like ww2 of xyz.com, abc.com or somedomain.com) to myapp-mynamespace.rhcloud.com
How do I get around this ssl issue, is it possible that when I point ww2 CNAME of xyz.com to my openshift app (myapp-mynamespace.rhcloud.com) it will not do https or ssl thing--just plain http.
You don't want a CNAME record, you want a web redirection, else the domain name will remain the one that points to rhcloud.com and the certificate will still be invalid for your web clients.
If you want to use SSL with your custom domain on OpenShift then you will need to upgrade to the Bronze or Silver plan and purchase an SSL certificate and install it for your alias.