Multi-tenant SSL with Cloudflare and Heroku - ssl

I'm currently building an application that will reside at app.mydomain.com which is running on Heroku. All users will have their own entry points, like app.mydomain.com/client1, app.mydomain.com/client2, etc. I want clients to be able to set up their own domain (www.clientdomain.com) and cname it to their entry point. I understand this is pretty straightforward up until now.
All my DNS is handled by Cloudflare and I believe I can configure Cloudflare into Full (Strict) mode, all I need to do is install their Origin Cert onto my Heroku dyno. This will ensure that all direct connects to my domain will be secure (going to app.mydomain.com/client1).
Question is, how does a client go about getting an SSL'ed connection for their domain; do I need to get a multidomain cert and start adding domains to it as I get clients, or am I supposed to install their cert onto Heroku (I believe I can only install 1 so that's a no go) or is it supposed to live on Cloudflare somewhere, or are there additional options I'm not seeing (I hope there are!).
I'm not wondering what to do for my own domains, but rather, how do clients set up an SSL connection with their domains that resolve onto my servers.
This is rather perplexing!
The flow would be (I think):
User Browser -> Clients DNS -> (cname to) My Cloudflare -> Heroku

Hmm, it looks like this might be a pretty solid solution to this issue...
https://blog.cloudflare.com/introducing-ssl-for-saas/

Edit - after clarification
> I'm currently building an application that will reside at
> app.mydomain.com which is running on Heroku. All users will have their
> own entry points, like app.mydomain.com/client1,
> app.mydomain.com/client2, etc. Question is, how does a client go about
> getting an SSL'ed connection for their domain; do I need to get a
> multidomain cert and start adding domains to it as I get clients?

If you are going to use the same Heroku app for all of your clients (I think this is a bad idea by the way, but you might be required to) - then yes - you should get a multi-domain certificate and keep adding domains to it as your list of clients expands.
Original answer - which explains SSL + Load Balancing on Heroku.

> I'm currently building an application that will reside at
> app.mydomain.com which is running on Heroku. I want clients to be able
> to set up their own domain www.clientdomain.com and cname it to mine.

You will need a wildcard certificate to cover your subdomain (for the app.mydomain.com). You'll have to use that cert in Heroku.

> ...all I need to do is install their Origin Cert onto my Heroku dyno.

You are correct - except it's not on your Heroku dyno, it's on your Heroku app endpoint. There's a good read here: https://serverfault.com/questions/68753/does-each-server-behind-a-load-balancer-need-their-own-ssl-certificate

> If you do your load balancing on the TCP or IP layer (OSI layer 4/3,
> a.k.a L4, L3), then yes, all HTTP servers will need to have the SSL
> certificate installed.
> If you load balance on the HTTPS layer (L7), then you'd commonly
> install the certificate on the load balancer alone, and use plain
> un-encrypted HTTP over the local network between the load balancer and
> the webservers (for best performance on the web servers).

So you should install your SSL certificate to your Heroku endpoint and let Heroku handle the rest.

> Question is, how does a client go about getting an SSL'ed connection;
> do I need to get a multidomain cert and start adding domains to it as
> I get clients, am I supposed to install their cert onto Heroku (I
> believe I can only install 1 so that's a no go) or is it supposed to
> live on Cloudflare somewhere?

If you're referring to adding servers to your service from Heroku, all you need to do is increase the number of web-dynos. Heroku will handle the load balancing in between these dynos. Your SSL certificate should be resolved in the load balancer so your dynos will be serving requests for the same endpoint. You shouldn't need another SSL certificate for the endpoint you've defined - as long as you're serving traffic from multiple dynos attached to it.

Related

Setting up SSL with Elastic Beanstalk: How to fix ERR_CERT_COMMON_NAME_INVALID?

I have a website, example.com, that has a subdomain called play.example.com which hosts a multiplayer game on it.
Separately, I have an Elastic Beanstalk environment that hosts the game server (NodeJs backend), separate from the client build itself.
play.example.com connects to the game server over https, but is met with the error: ERR_CERT_COMMON_NAME_INVALID.
Steps I have taken:
1) Created an SSL certificate for *.example.com using AWS Certificate Manager
2) Added a listener to my load balancer that listens on port 443
3) Created an alias, type A IPv4 with the name play.example.com to the EB url
I understand that the error means that there is a name mismatch between the URL and the certificate, but isn't that what the alias is supposed to fix?
Thanks for any suggestions.
Okay, I've spent about a week now trying to fix these issues myself, and unfortunately Stackoverflow is full of people asking this question and nobody's giving answers.
Here's how I solved it, some of this might work for you too. It ended up being primarily configuration issues.
Your SSL cert is appropriate - I ended up hardcoding my subdomain ops.example.com but your wildcard shouldn't be an issue.
I read somewhere that AWS requires any DNS records to be of type CNAME, so I set up a basic CNAME record to redirect ops to my-site.my-aws-region-1.elasticbeanstalk.com
Then, what ended up being the linchpin to the whole thing was that in order to make HTTPS work, your load balancer has to be Listening for HTTPS on 443 and route to the instance via HTTP on 80.
Amazon was trying to tell me this, but because I was a noob and because their tutorials are some of the worst tutorials I've read in my entire career, they actually don't expose any of your secure ports to the internet. Which is actually fine because your traffic is encrypted all the way up to the load balancer, and then after that, even though it's not HTTPS anymore, it's all already on amazon's servers anyway so it's not any less secure.
Hope something in here helps!
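Both the multi-domain certificate suggested in the Heroku thread and the ERR_CERT_COMMON_NAME_INVALID error in this one come down to whether the hostname the browser connects to appears in the certificate's subject alternative names. The following is an added example, not code from any of the posters: a small coverage check using hostnames from the threads above against a constructed SAN list, with a simplified wildcard rule stated in the comments.

```python
# Added example: which hostnames does a certificate's SAN list actually cover?
# Hostnames are taken from the threads above; the SAN list is constructed.

def san_matches(pattern: str, hostname: str) -> bool:
    """Match one SAN dNSName against a hostname.

    '*' is honoured only as the entire left-most label and stands for
    exactly one label; partial wildcards (f*.example.com) never match here.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        # '*.example.com' covers neither 'example.com' nor 'a.b.example.com'
        return False
    if p[0] == "*":
        # Simplification: refuse wildcards directly under a TLD ('*.com')
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def coverage(san_list, hostnames):
    """Map each hostname to the first SAN entry covering it, or None."""
    return {
        host: next((s for s in san_list if san_matches(s, host)), None)
        for host in hostnames
    }


def uncovered(san_list, hostnames):
    """Hostnames a browser would reject with a name-mismatch error."""
    return sorted(h for h, s in coverage(san_list, hostnames).items() if s is None)


# Constructed SAN list for a multi-domain certificate
SAMPLE_SANS = ["*.mydomain.com", "www.clientdomain.com", "*.example.com"]
SAMPLE_HOSTS = [
    "app.mydomain.com",
    "www.clientdomain.com",
    "clientdomain.com",    # apex: not covered by the www entry
    "play.example.com",
    "my-site.my-aws-region-1.elasticbeanstalk.com",  # provider hostname
]

if __name__ == "__main__":
    for host, san in coverage(SAMPLE_SANS, SAMPLE_HOSTS).items():
        status = f"covered by {san}" if san else "NAME MISMATCH"
        print(f"{host:46} {status}")
```

Running the same check against the list of client domains before each onboarding shows which names still need to be added to the certificate, and shows that a client connecting to the provider hostname instead of play.example.com will never match a *.example.com certificate.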

Downside to using *.herokuapp.com domain?

I need to point thousands of TLDs to the same Rails app hosted in Heroku.
So far I have automated the process of adding domains to CloudFlare and Heroku, but SSL has proven to be a challenge.
Heroku has ACM on by default, which will fail when the CF orange cloud is on (which I need on).
I can't turn ACM off with Flexible SSL in CloudFlare because I need SSL from edge to origin.
I can't use an Origin CA because Heroku only supports 1 certificate per app (not per domain) and I'm going to be well over 100 domains. I also don't want to have to manage multiple certificates which contain multiple TLDs and re-generate the certificate with every single domain in it every time I add a new domain.
Question: Is there a downside to just pointing www and # to my-app.herokuapps.com?
So far it works perfectly from a DNS perspective with Full SSL in CloudFlare, even though it says in Heroku docs that the herokudns.com strategy is encouraged. I just wanted to ensure there aren't any deprecations or hidden limits that will suddenly make this stop working after I've committed to it.
I'm also open to any other solutions.

How can I get Letsencrypt certificates before adding the server to production

I am trying to launch new servers automatically when needed but I am having some difficulty getting the certificate before making the server live. What I want to do is run a setup script which gets all the packages, websites and certificates ready and after that add the server to production. However, Letsencrypt wants me to verify that the server requesting the certificate is actually the website which replies to requests. How can I get the Letsencrypt certificate before adding the server to production? I don't want requests to the real website to be routed to the new server until it is fully set up and has the certificates.
One solution I thought of is to save the certificates on an AWS S3 bucket and synchronize them whenever a renewal is needed. Then when I set up a new server I just get the latest certificate from my AWS S3 bucket and I don't have to worry about getting the certificate from the CA until after the server is added to production. But this solution doesn't seem "clean" and would require me to have an S3 bucket just for my Letsencrypt certificate which also adds another weakness where a certificate could be stolen from.
Is there a more simple solution which I haven't thought of yet?
In a load-balanced (LB) scenario, you should consider having exactly one entity responsible for performing LE certificate acquisition. Things get complicated with multiple entities doing this asynchronously - you'd need to be able to guarantee that the ACME challenges get routed to the relevant server(s), and your LB doesn't have that information (without additional complexity).
So I'd suggest either:
Terminating HTTPS at your load-balancer. Then none of your servers need to care about HTTPS or certificates.
Having one "special" server that's responsible for interacting with LE, and then distributing the cert to the other servers. The details of how you do that are implementation-dependent, because it depends on how you're managing server/service configuration.

ssl on custom domain for heroku app

I want to connect a custom domain to an app built on Heroku. Can someone confirm that I actually need to buy a certificate and in addition buy the SSL addon on Heroku?
Do I need both or is one of them enough? What is the point of the addon?
/Knut
If you are already using paid dynos (e.g. Hobby dynos) then you can save some costs by using Heroku SSL for free in your app, instead of paying for the SSL Endpoint add on.
This is assuming your app doesn't need to support really old browsers (see Minimum supported browser versions).
These add ons basically provide the protocol support your app needs for SSL with your private domain.
However, regardless of which of the above 2 you choose, you will still need to acquire in addition an SSL certificate. There are all kinds of different offerings for the actual certificate, including free certificates e.g. from Let's Encrypt.
See here for instructions on using a free Let's Encrypt certificate on Heroku with Heroku SSL.
Bottom line: If you are already using paid dynos, it should be possible for you to add full SSL support for your custom Heroku domain for free.
If however you find the above too bewildering, you might want to pay a few bucks for a service such as Expedited SSL, which gives you a certificate (for a monthly fee) and takes care of the whole issue of installing it and keeping it updated on Heroku.
Heroku has made it even easier to use SSL for custom domains now assuming you're not on the free tier plan (if you pay for at least one dyno you're good to go).
https://blog.heroku.com/announcing-automated-certificate-management
Basically, once you have a paid plan for your app, Heroku will generate the certs for you and any custom domains you have added. Then you need to check that you have the right forwarding setup by your domain provider etc.
To add ssl to an existing app you can run:
$ heroku certs:auto:enable -a <app name>
Then run the following command and make sure your custom domains are returned:
$ heroku domains

Install Wildcard SSL Certificate on AWS Elastic Beanstalk

I'm not the most advanced AWS user there is, and have come across a bit of a roadblock.
I've got 2 Elastic Beanstalk Environments, each with a Load Balancer, 2 EC2 instances and they share a RDS instance. One environment is for Development and the other for Production.
I have purchased a wildcard SSL certificate from Thawte, and would like to install it on both the Development and Production environments. I've gone through other threads about adding SSL certificates in AWS, but the admin interface has changed since they were written so I've been going round in circles trying to figure it out.
Also, do I install the same SSL certificate on both Load Balancers? Or is it a case of only having one load balancer and redirecting traffic depending on the domain?
Thanks
You will need two load balancers, one for each environment. For uploading the certificate, it sounds like you are creating your Beanstalk environment through the console. In that case, after you create the environment, go to the EC2 tab, then 'Load Balancers', then 'Listeners'. Edit that, change the protocol to https. You'll see there is a place to change the certificate:
That will give you a place to upload the certificate:
Now that the cert is there, you can use the Elastic Beanstalk configuration to change future environments to use that cert: