So I've been using Amazon CloudFront as a CDN on my Ruby on Rails app on Heroku for some time. Today I updated my SSL certificate (Comodo PositiveSSL wildcard) and from the browser's end it looks like the certificate is correctly installed.
However, I noticed that the site wasn't loading correctly and then I got a bunch of 502 errors in my developer console. I then went into CloudFront to update the certificate, waited for the updates to deploy, and here we are a few hours later and my site still isn't connecting properly.
I use a custom CNAME for my site (which worked fine before today).
Can anyone tell me how to go about checking if the certificate is installed correctly on CloudFront?
I have been going around and around with this issue. I can create a dev-cert using dotnet dev-certs https --trust but the certificate only appears in the Personal certificates folder. If I try copying it to the Trusted folder it disappears on refresh. I have watched videos of people doing this on YouTube and it works so I'm not sure what is wrong with my PC/install.
Running my code and hitting the route in Postman returns a 500 error and UntrustedRoot.
I have tried this using a local user account and my admin account. I have also tried creating a certificate and importing it using OpenSSL following guides I have found, but still no luck.
I am running Windows 10 Pro on a new build PC. Windows was a clean install with a new licence.
I really don't want to have to purchase a signed certificate just to do development on localhost as that seems a bit overkill.
Any suggestions?
tl;dr try disabling your anti-virus before creating certificate!
I finally stumbled upon the answer; my anti-virus, WebRoot. I was following a YouTube tutorial on how to add a custom certificate to Kestrel and in doing so I discovered that WebRoot was blocking access to the hosts file. Disabling the av allowed me to update that file but also, it then allowed trusting of the dev-cert generated by dotnet dev-certs https --trust.
Not sure how I can prevent this in future other than temporarily disabling the AV before creating a certificate. Frustrating that the AV doesn't warn me and there doesn't appear to be an obvious setting to allow this to happen.
To start with I really don't want to pay for hobby dyno on heroku. I am well aware of their ACM process. I am trying to be a little careful with spends as I am testing something.
My current setup is as follows:
Namecheap (domain xyz.com) -> xyz.herokuapp.com (with DNS Name configured correctly)
This is configured correctly and works great for HTTP. I have a task at hand to obtain certificates from LetsEncrypt (because they are free), and integrate them into the app deployed on Heroku.
The app is a simple react-app, built using create-react-app. I have followed the steps to obtain a certificate from LetsEncrypt, and the certbot is asking me to place the certificate in this path public/.well-known/acme-challenge/<cert-string>. The content of the file in that path contains the .
The problem I am having is, the route localhost:3000/.well-known/acme-challenge/<cert-string> works well in my dev environment. When I deployed the react app to heroku, the route /.well-known/acme-challenge/<cert-string> is heading to a 304 and I am unable to facilitate the certbot to complete the validation step.
After a few hours of debugging I understood the architecture inside heroku better, and I have understood that this is a heroku buildpack related problem. My current understanding of the issue is as follows:
heroku blocks access to /.well-known/acme-challenge/<cert-string>
and I have to find a way to unblock this ^ .. so that certbot can validate my cert process.
I did some research and understood that there is a way to bypass the nginx.conf. Is this really possible?
Looking for some guidance here.
Edit1
I have tried some approaches here https://github.com/heroku/heroku-buildpack-php/issues/218 - they did not work well.
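What certbot is checking behind that route is spelled out in RFC 8555 (HTTP-01): the file served at /.well-known/acme-challenge/<token> must contain the key authorization, i.e. the token, a dot, and the base64url SHA-256 thumbprint of the ACME account key (RFC 7638). The script below is an added example, not the question author's code or certbot's: it computes that expected body from an account JWK, validates a served body against it, and probes the challenge URL over plain HTTP the way the CA's validator does (starting on port 80, following redirects, sending no conditional headers, so a 304 would come from the server side). The account key in it is a constructed placeholder; a real one comes from your ACME client's account store.

```python
"""Added example (not from the original post): compute the key authorization an
ACME HTTP-01 challenge file must contain and check what a server really serves
at /.well-known/acme-challenge/<token>. Follows RFC 8555 section 8.3 and
RFC 7638 (JWK thumbprint). The account key below is constructed, not real."""
from __future__ import annotations

import base64
import hashlib
import json
import sys
import urllib.error
import urllib.request


def b64url(data: bytes) -> str:
    """ACME uses base64url without '=' padding everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over only the required public members, keys sorted
    lexicographically, serialised with no whitespace. Extra members such as
    'alg' or 'use' must not change the result."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """The exact body the CA expects at /.well-known/acme-challenge/<token>."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def body_is_valid(body: bytes, token: str, account_jwk: dict) -> bool:
    """RFC 8555 allows the validator to tolerate trailing whitespace, nothing else."""
    return body.decode("utf-8", "replace").rstrip() == key_authorization(token, account_jwk)


def probe(domain: str, token: str, account_jwk: dict, timeout: float = 10.0) -> tuple[int, bool]:
    """Fetch the challenge URL over HTTP as a CA validator would (port 80,
    redirects followed by urllib, no If-None-Match, so a 304 is server-side)
    and return (HTTP status, whether the body is the key authorization)."""
    url = f"http://{domain}/.well-known/acme-challenge/{token}"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, body_is_valid(resp.read(), token, account_jwk)
    except urllib.error.HTTPError as exc:  # 304, 404, 5xx and so on
        return exc.code, False


# Constructed sample account key: shaped like a JWK, not a usable key.
SAMPLE_JWK = {
    "kty": "RSA",
    "n": "sample-modulus-placeholder-not-a-real-key",
    "e": "AQAB",
    "alg": "RS256",  # extra member, must not affect the thumbprint
}

if __name__ == "__main__":
    # usage: python acme_probe.py example.com <token>   (checks the live route)
    if len(sys.argv) == 3:
        print(probe(sys.argv[1], sys.argv[2], SAMPLE_JWK))
    else:
        print("expected file content:", key_authorization("sample-token", SAMPLE_JWK))
```

Run it with the real token certbot prints and the key from your account store to see both the status code the validator would get and whether the body matches; a 200 with a wrong body is as much a failure as a 304 or 404.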
I have a problem when using a custom CNAME and SSL/HTTPS for a CloudFront distribution. I set up a CloudFront distribution to use as a CDN on my WordPress site, using the W3TC plugin to configure things.
I imported an SSL certificate from my hosting provider to use with the CloudFront distribution. I also configured a CNAME at my hosting for the distribution (e.g., "cdn.example.com") to use in place of the CloudFront domain name (e.g., "d1234.cloudfront.net").
After setting all this up I immediately noticed that all the images were just broken image links. Right-clicking an image to open it in a new browser window resulted in the browser warning me that "the connection is not private" and that the website "may be impersonating cdn.example.com". The source showed that none of the CloudFront CDN resources were being loaded. Chrome reported "Failed to load resource: net::ERR_CERT_COMMON_NAME_INVALID" for several resources.
After experimenting I found that if I stopped using the CNAME (by removing it from the W3TC plugin field) and used the CloudFront domain name (i.e., "d1234.cloudfront.net") instead, everything worked all right. So images loaded successfully from d1234.cloudfront.net, where they wouldn't from cdn.example.com.
I have another site that is set up exactly the same except it doesn't use SSL/HTTPS: the use of a custom CNAME for the CloudFront distribution there doesn't cause any problems at all.
So the problem with CloudFront seems to appear when I try to use SSL/HTTPS and a custom CNAME.
The Chrome error report seems to indicate that there's a problem with the SSL certificate that I imported (what, I don't know - I'm not at all clued-up with SSL certificates). If that's the cause of the problem, should I get a certificate from AWS to enable the use of a custom CNAME? If so, what should I stipulate for the certificate? And I'm not sure how that works having two certificates - one for my domain and another for CloudFront?
It sounds like you may have missed adding your CNAME to the CloudFront distribution, i.e. under 'Alternate Domain Names':
(I know this is an old question but as it stands unresolved and I just hit the same issue, I think this might help others)
Below are the issues.
Certificate does not match issuers name
Google Chrome browser error
Address error due Certificate Mismatch
Please check that the SSL certificate generated for the domain is valid and that the same one has been uploaded to CloudFront.
This is my first time getting an SSL certificate for my website. I followed this tutorial https://devcenter.heroku.com/articles/automated-certificate-management
heroku certs:auto displays that Status is "Cert issued". I get no errors. I use git push and the website is still not certified. What could I be doing wrong?
Old question, but if anyone else runs into this problem, which I was just battling myself, here was my problem:
When following the Heroku dev center guide on how to point a custom domain to your herokuapp, the guide says, among other things:
"Create a CNAME record to map from www.example.com to example.herokuapp.com or your SSL endpoint if using SSL."
Neither of these alternatives is, however, the way to go now (SSL endpoint is considered legacy at Heroku). Instead, once you have added your custom domain correctly, simply:
In Heroku CLI, run "heroku certs:auto:enable" to enable ACM.
Point your domain's DNS records at the Heroku DNS target for your custom domain, which you can find by running "heroku domains"
Wait a little.
This should do it.
I have an application on Heroku. I cname-redirect https://login.zenconomy.se to https://boomeranglogin.herokuapp.com/
I get the following (yellow) error in chrome:
This is probably not the site you are looking for!
You attempted to reach login.zenconomy.se, but instead you actually reached a server identifying itself as *.herokuapp.com. This may be caused by a misconfiguration on the server or by something more serious. An attacker on your network could be trying to get you to visit a fake (and potentially harmful) version of login.zenconomy.se.
You should not proceed, especially if you have never seen this warning before for this site.
Why?
If you want to use SSL and HTTPS on Heroku with a custom hostname (like login.zenconomy.se), you have to purchase the SSL endpoint add-on, get a certificate and configure the setup as described on Dev Center.
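The three CloudFront/Heroku threads above (checking whether the new certificate is really the one CloudFront serves, the ERR_CERT_COMMON_NAME_INVALID on cdn.example.com, and the *.herokuapp.com certificate being presented for login.zenconomy.se) all come down to one question: which certificate does the endpoint present for this SNI name, and do that certificate's names cover the hostname? The script below is an added example, not code from any of the posts: it opens a TLS connection, keeps chain validation against the system CA store on, but does the hostname match itself so a mismatch is reported instead of just raising. The `connect_to` parameter lets you hit the distribution's own dXXXX.cloudfront.net name while sending the CNAME as SNI, which shows whether CloudFront selects your imported certificate for that alternate domain name. The sample certificate dict is constructed.

```python
"""Added example (not from the original posts): report which certificate a TLS
endpoint presents for a given SNI name and whether its names cover the host.
Chain validation stays on; only the hostname check is done by hand so the
mismatch can be described. Sample certificate data below is constructed."""
from __future__ import annotations

import socket
import ssl
import sys
from typing import Optional


def _label_matches(pattern: str, name: str) -> bool:
    """RFC 6125-style match: exact, or a single leading '*' label that stands
    for exactly one label of the presented hostname (no '*.com', no deeper)."""
    pattern, name = pattern.lower().rstrip("."), name.lower().rstrip(".")
    if pattern == name:
        return True
    if not pattern.startswith("*."):
        return False
    parts = name.split(".")
    return len(parts) > 2 and ".".join(parts[1:]) == pattern[2:]


def cert_names(cert: dict) -> list[str]:
    """DNS names a getpeercert()-style dict asserts: subjectAltName entries,
    falling back to the subject CN only when there are no SANs at all
    (browsers ignore the CN as soon as a SAN extension is present)."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            for k, v in rdn:
                if k == "commonName":
                    names.append(v)
    return names


def hostname_matches(cert: dict, hostname: str) -> bool:
    return any(_label_matches(n, hostname) for n in cert_names(cert))


def fetch_peer_cert(host: str, sni: Optional[str] = None, port: int = 443,
                    timeout: float = 5.0) -> dict:
    """Connect to `host`, send `sni` (default: host) as the SNI name and return
    the validated leaf certificate as a dict. Raises SSLCertVerificationError
    if the chain does not validate against the system CA store."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # hostname verdict is produced below instead
    ctx.verify_mode = ssl.CERT_REQUIRED  # chain validation still enforced
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni or host) as tls:
            return tls.getpeercert()


def diagnose(host: str, connect_to: Optional[str] = None) -> str:
    """One-line verdict for `host`; `connect_to` may be the distribution's own
    cloudfront.net name or the herokuapp.com name while `host` goes into SNI."""
    try:
        cert = fetch_peer_cert(connect_to or host, sni=host)
    except ssl.SSLCertVerificationError as exc:
        return f"CHAIN INVALID for {host}: {exc}"
    names = ", ".join(cert_names(cert)) or "<no names>"
    if hostname_matches(cert, host):
        return f"OK: {host} is covered by [{names}]"
    return f"MISMATCH: {host} not covered by [{names}] (ERR_CERT_COMMON_NAME_INVALID in Chrome)"


# Constructed sample in the shape ssl.getpeercert() returns; not a real certificate.
SAMPLE_HEROKU_CERT = {
    "subject": ((("commonName", "*.herokuapp.com"),),),
    "subjectAltName": (("DNS", "*.herokuapp.com"), ("DNS", "herokuapp.com")),
}

if __name__ == "__main__":
    # usage: python tls_names.py cdn.example.com [d1234.cloudfront.net]
    print(diagnose(sys.argv[1], sys.argv[2] if len(sys.argv) > 2 else None))
```

If the verdict is OK when connecting directly but MISMATCH when `connect_to` is the cloudfront.net name, the distribution is answering that SNI with its default certificate, which is exactly the missing Alternate Domain Name case from the W3TC thread; a CHAIN INVALID verdict points at an incomplete or wrong certificate upload rather than at the CNAME.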