GoDaddy SSL On Heroku doesn't work - ssl

I purchased my SSL certificate from GoDaddy.
I made the common name www.mywebsite.com.
In my DNS settings I have the website forwarding from the naked domain to the www.mywebsite.com.
I removed any settings inside Heroku regarding the SSL certificate from the GUI.
Then I went through the instructions here.
To recap, I generated my server.key by first creating the crs files and sending those to GoDaddy.
I purchased the $20/mo endpoint.
GoDaddy gives me a downloadable ZIP for my certificates, one with one certificate, and one with 3 certificates inside of it.
I run the following command to install the bundled version first with the following failing message that follows:
heroku certs:add server.crt server.key --type endpoint
No certificate given is a domain name certificate.
The reason I even tried to use the bundle is that my SSL doesn't work in firefox, and intermediary cert is not being included. After looking around for an answer on this, I couldn't find one.
So to get my website back up and running in the short term, I decided to just do what I did before, and upload the single cert. That works, but not really.
Now I get this message when I run the cUrl test:
* error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error
Also, my website is down. :(
How do I fix this?

The answer in my case seems to be that purchasing an SSL cert is not necessary on Heroku. When you purchase a paid hosting package they provide SSL certificates by default without having to buy their SSL add-on endpoint.
There are likely other use-cases for using a paid SSL cert, but in my case I didn't have to do that.
If this answer helped you please upvote this question as some people seem to think it's a question worth down voting.

Related

SSL issue. NET::ERR_CERT_DATE_INVALID

Previously I used RapidSSL certificate. After it expired I moved to Lets Encrypt (free ssl) and installed on my server. But site uses still old SQL certificate after couple of refreshes taking new SSL certificate and resources (css, images, scripts) are not loading gives NET::ERR_CERT_DATE_INVALID error.
I restarted Apache couple of times.
I'm using Ubuntu 16.04.
NET::ERR_CERT_DATE_INVALID means your SSL certificate date is invalid, that is because your old certificate has expired. Check your apache config to make sure that - certificate files mentioned are the desired ones. For detail debugging of your problem, you need to look at your apache server log could be located at /var/log/apache2.

Amazon Alexa Custom Skill using letsencrypt SSL Certificates

I am trying to publish my Alexa skill using Letsencrypt SSL Certificate.
Google Chrome does not show any warning icon if I browse to my https URL using letsencrypt certificate.
However, when I try to test using Alexa console, an error occurs as :
"SSL Handshake failed".
I see on Amazon Alexa forums that there is a buzz around letsencrypt support.
Some posts say it is supported and some say it isn't.
Could someone here clarify whether letsencrypt free SSL certificate is supported for building custom alexa skills ?
Download the contents of your fullchain.pem cert, from /etc/letsencrypt/live/<domain>/fullchain.pem on your server
On your skill config page, select the "SSL" Tab.
Mark "I will upload a self-signed certificate in X.509 format."
Paste the contents of your fullchain.pem file.
I was able to get a Let's Encrypt wildcard certificate working with an Alexa custom skill after choosing the option "My development endpoint is a sub-domain of a domain that has a wildcard certificate from a certificate authority" in the developer console.
I also had an issue with a Nginx reverse proxy configuration that caused a failure in the Alexa Simulator and provided no helpful error. Fortunately you can also use the Manual JSON option which yielded the error "Cannot establish SSL connection to your skill endpoint".
I was able to track the issue down to the ssl_ciphers value in the ssl.conf file. Even though it was compatible with the Intermediate Security recommended setting for TLS 1.2, I had to comment it out to make it work. I hope someone else can determine why Amazon servers reject the certificate when this setting is used, it could be that TLS 1.3 is now required.

OpenSSL in GitLab, what verification for self-signed certificate?

On Debian, using GitLab, I ran into issues with my self-signed certificate.
Reading through the code after a lot of searching on the Internet (I guess, it's the last resort, FOSS is helpful), I found the following lines in gitlab-shell/lib/gitlab_net.rb which left me... perplexed.
if config.http_settings['self_signed_cert']
http.verify_mode = OpenSSL::SSL::VERIFY_NONE
end
Most Stack Overflow responses about the diverse issues I've had until now have led me to believe that VERIFY_NONE, as you'd expect, doesn't verify anything. VERIFY_PEER seems, based on my reading, to be the correct setting for self-signed.
As I read it, it feels like taking steps to secure my connection using a certificate, and then just deciding to not use it? Is it a bug, or am I misreading the source?
gitlab-shell (on the GitLab server) has to communicate to the GitLab instance through an HTTPS or SSH URL API.
If it is a self-signed certificate, it doesn't want any error/warning when trying to access those GitLab URLs, hence the SSL::VERIFY_NONE.
But, that same certificate is also used by clients (outside of the GitLab server), using those same GitLab HTTPS URLs from their browser.
For them, the self-signed certificate is useful, provided they install it in their browser keystore.
For those transactions (clients to GitLab), the certificate will be "verified".
The OP Kheldar point's out in Mislav's post:
OpenSSL expects to find each certificate in a file named by the certificate subject’s hashed name, plus a number extension that starts with 0.
That means you can’t just drop My_Awesome_CA_Cert.pem in the directory and expect it to be picked up automatically.
However, OpenSSL ships with a utility called c_rehash which you can invoke on a directory to have all certificates indexed with appropriately named symlinks.
(See for instance OpenSSL Verify location)
cd /some/where/certs
c_rehash .

The command heroku ssl says my domains have no certificate installed

I just want to say that this is not normally something I do, but I have been tasked with it recently...
I have followed the heroku documentation for setting up SSL closely, but I am still encountering a problem.
I have added my cert to heroku using the following command:
heroku certs:add path_to_crt path_to_key
This part seems to work. I receive a message saying:
Adding SSL Endpoint to my_app ... done
I have also setup a CNAME for my hosting service to point to the endpoint associated with the cert command above. However, when I browse to the site I still receive a SSL error. It says my certificate isn't trusted and points to the *.heroku.com license, not the one I have just uploaded.
I have noticed that when I execute the following command:
heroku ssl
I receive the following:
my_domain_name has no certificate
My assumption is that there should be a certificate associated with this domain at this point.
Any ideas?
Edit: It appears that I did not wait long enough for the certificate stuff to trickle through the internets... however, my question regarding the "heroku ssl" command still puzzles me.
The Heroku ssl command is for legacy certificates:
$ heroku ssl -h
Usage: heroku ssl
list legacy certificates for an app
The command you need is heroku certs which will output the relevant certificate info for that project.

Purchased and installed ssl certs but still indentified as *.herokuapp.com

I followed the instructions to the letter here -- https://devcenter.heroku.com/articles/ssl-certificate --, and they were helpful, especially since DNSimple is my registrar of choice. I got everything up and running as far as I know, purchased the certs (via DNSimple and RapidSSL), combined the crt and the CA bundle, and sent them up via the heroku client:
$ heroku ssl
www.website.com has a SSL certificate registered to /serialNumber=…
website.com has a SSL certificate registered to /serialNumber=…
But when I go to my apps (I even restarted them) they are still using the certs for *.herokuapp.com. Is there anything I've missed? Why would things be coming up as *.herokuapp.com?
From the top, here are the pieces provided to me from the related parties.
From DNSimple (on the cert details page) : Private Key
From DNSimple (on the cert details page) : Certificate
From RapidSSL's CA Download page (linked from DNSimple) : CA bundle "pem"
From email sent by RapidSSL / Geotrust : Web Server CERTIFICATE
From email sent by RapidSSL / Geotrust : INTERMEDIATE CA
I imagine that the "private key" is what I need in the second part of the heroku ssl:add dance: heroku ssl:add site.pem private.key
But it seems that I'm doing something wrong when I'm putting together the "pem" file for the first file I'm sending with heroku ssl:add. Of the pieces above - what needs to be combined in order for this to work?
I know this question is old, but I just hit the same problem and found the answer, at least in my case.
I had my DNS pointing to my-app.herokapp.com but the SSL endpoint is different. You can find the SSL endpoint like this:
$ heroku certs
Endpoint Common Name(s) Expires Trusted
------------------------ ---------------------------- -------------------- -------
osaka-5565.herokussl.com www.example.com, example.com 2014-05-18 09:32 UTC True
Your endpoint will be different from that. Once you change your CNAME and/or ALIAS records to point to the SSL endpoint, you'll get your own certificate instead of the herokuapp wildcard.
Make sure you're not viewing the naked domain name, https://yourwebsite.com is not supported with SSL on Heroku, whereas https://www.yourwebsite.com is.
If this ends up being the issue you'll have to make sure the naked domain name redirects to a subdomain like www.