SSL with Heroku hosting and Gandi domains - ssl

I'm trying to set up SSL Automated Certificate Management with Heroku. I have my domain with Gandi and am having trouble setting the DNS target.
How Heroku says it should be set up:
Domain Name       DNS Target
───────────────── ──────────────────────────────
mydomain.com      mydomain.com.herokudns.com
www.mydomain.com  www.mydomain.com.herokudns.com
So ideally in Gandi I would have
Name  Type   Value
www   CNAME  www.mydomain.com.herokudns.com
#     CNAME  mydomain.com.herokudns.com
However, you cannot assign a root domain to a CNAME record, so the second line there wouldn't work.
Another way to do it could then be to use an A record
Name  Type   Value
www   CNAME  www.mydomain.com.herokudns.com
#     A      1.2.3.4 (IP Address of my site)
But again this doesn't work because the IP address of Heroku hosted sites can change.
So I thought I found a workaround, by forwarding mydomain.com to www.mydomain.com through Gandi's web forwarding. For my DNS Records I just have:
Name  Type   Value
www   CNAME  www.mydomain.com.herokudns.com
So now the website works, I can access it by going to www.mydomain.com or mydomain.com, but now my SSL certification isn't working!
My site still says "Your connection to this site is not secure"
When I check the status on Heroku I get:
Domain            Status
───────────────── ───────
www.mydomain.com  OK
mydomain.com      Failing
I basically just learned most of how DNS works today, so I could be doing this completely wrong.
Any help is appreciated!

It's possible (and cheaper) to use a Heroku SSL certificate with Gandi... You just need to be sure to set up a subdomain every time. I believe naked subdomain or wildcards are not supported by Heroku automated certs because of the Let's Encrypt restrictions. As soon as the statuses are OK for all of your subdomains, don't forget to force_ssl in your app, so every HTTP request will be redirected to HTTPS. You can do it like this:
# config/environments/{staging,production}.rb
config.force_ssl = true
VERY IMPORTANT! Don't forget to remove or edit any unsecured links to external assets. Otherwise browsers will judge the page with those links unsecured, as described in the Mozilla support page about mixed content.
Once all of this is done, you see the satisfying green lock on every page of your app :D.
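A way to find the unsecured asset links that answer warns about, as an added example that is not part of the original answer: a scanner that lists every `http://` subresource an HTTPS page would load. The page URL reuses the question's placeholder domain; the sample markup, the asset hosts and the names `find_mixed_content` and `MixedContentScanner` are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse
# Tag -> attribute whose URL the browser fetches as a subresource of the page.
SUBRESOURCE_ATTRS = {"script": "src", "img": "src", "iframe": "src", "audio": "src",
                     "video": "src", "source": "src", "embed": "src", "object": "data"}
# Active content can rewrite the page and is blocked on HTTPS pages; the rest is passive.
ACTIVE_TAGS = {"script", "iframe", "embed", "object", "link"}

# Constructed sample markup, not taken from any real site.
SAMPLE_HTML = """
<link rel="stylesheet" href="http://cdn.example.net/site.css">
<script src="https://cdn.example.net/app.js"></script>
<script src="//cdn.example.net/widget.js"></script>
<img src="http://img.example.net/logo.png">
<img src="/assets/banner.png">
<a href="http://example.org/">plain link: navigation, not a subresource</a>
"""

class MixedContentScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (kind, tag, absolute_url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link":  # only stylesheet links are fetched and applied
            rel = (attrs.get("rel") or "").lower().split()
            url = attrs.get("href") if "stylesheet" in rel else None
        else:
            attr = SUBRESOURCE_ATTRS.get(tag)
            url = attrs.get(attr) if attr else None
        if not url:
            return
        # Resolve relative and protocol-relative (//host/path) URLs against the page.
        absolute = urljoin(self.page_url, url.strip())
        if urlparse(absolute).scheme == "http":
            kind = "active" if tag in ACTIVE_TAGS else "passive"
            self.findings.append((kind, tag, absolute))

def find_mixed_content(page_url, html):
    """Return (kind, tag, url) for every http:// subresource of an HTTPS page."""
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings

if __name__ == "__main__":
    print(*find_mixed_content("https://www.mydomain.com/", SAMPLE_HTML), sep="\n")
```

Relative and protocol-relative URLs inherit the page's scheme, so only the two explicit `http://` assets are reported; the `<a href>` is navigation and is not mixed content.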

Ok, so apparently it is impossible to use Heroku's SSL certificate with Gandi, so I ended up going with Gandi's SSL certificate instead. If anyone needs a tutorial here's a great one by Le Wagon
https://vimeo.com/209534466

Just a follow-up for this question with my experience. I purchased a domain name from Gandi and use permanent web forwarding to forward the domain name to my Heroku application. I also added the custom domain (the one I bought) to the Heroku console.
Domain Name       DNS Record Type DNS Target
───────────────── ─────────────── ───────────────────────────────
xshogi.com.tw     ALIAS or ANAME  xshogi.com.tw.herokudns.com
www.xshogi.com.tw CNAME           www.xshogi.com.tw.herokudns.com
I could not successfully adopt Heroku ACM to configure my domain even though I had paid for the hobby plan.
I followed the tutorial video that Johnnybib posted.
Create server.csr and server.key in the project with openssl req -nodes -newkey rsa:2048 -sha256 -keyout server.key -out server.csr
Go to the purchase SSL certificate page in Gandi
cat server.csr and paste it into the Gandi console
Pay and wait for the authentication to be done to finish this bill
Download the .crt and .pem certificates and concatenate them together into all.crt
Use heroku certs:add --app xshogi all.crt server.key
Also, remember to change CNAME www from webredir.vip.gandi.net. to xshogi.com.tw.herokudns.com.
With everything set up, and after waiting a short while, I can curl https://www.xshogi.com.tw. I can also connect to https://www.xshogi.com.tw in the browser, and the URL does not change to https://xshogi.herokuapp.com.

You can actually use Heroku's SSL certs.
What you can do in Gandi is redirect to https://www.yoursite.com :)
Considering that you changed your DNS settings to the ones heroku provided.

Related

GoDaddy SSL On Heroku doesn't work

I purchased my SSL certificate from GoDaddy.
I made the common name www.mywebsite.com.
In my DNS settings I have the website forwarding from the naked domain to the www.mywebsite.com.
I removed any settings inside Heroku regarding the SSL certificate from the GUI.
Then I went through the instructions here.
To recap, I generated my server.key by first creating the CSR files and sending those to GoDaddy.
I purchased the $20/mo endpoint.
GoDaddy gives me a downloadable ZIP for my certificates, one with one certificate, and one with 3 certificates inside of it.
I ran the following command to install the bundled version first, and got the failing message that follows:
heroku certs:add server.crt server.key --type endpoint
No certificate given is a domain name certificate.
The reason I even tried to use the bundle is that my SSL doesn't work in firefox, and intermediary cert is not being included. After looking around for an answer on this, I couldn't find one.
So to get my website back up and running in the short term, I decided to just do what I did before, and upload the single cert. That works, but not really.
Now I get this message when I run the cURL test:
* error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error
Also, my website is down. :(
How do I fix this?
The answer in my case seems to be that purchasing an SSL cert is not necessary on Heroku. When you purchase a paid hosting package they provide SSL certificates by default without having to buy their SSL add-on endpoint.
There are likely other use-cases for using a paid SSL cert, but in my case I didn't have to do that.
If this answer helped you please upvote this question as some people seem to think it's a question worth down voting.

Custom TeamSpeak IP no longer working after adding SSL

I am currently using CloudFlare and recently added an SSL certificate to my script.
Before hand, I added an A record (proxied with CloudFlare) that pointed to my TS IP. It worked like this: ts.domain.net:PORT
However, after I added the SSL cert, it doesn't seem to work anymore.
If it matters, my main site IP is also (of course) proxied under CloudFlare
Thanks!
Every certificate contains one or more Subject Alternative Names. You can use the certificate only on domains that are listed as SAN within the certificate, as long as you don't have a wildcard certificate that can be used on all subdomains, e.g. *.mydomain.net.
Therefore for your TS server you need a certificate that contains the SAN ts.domain.net. If your current certificate is only for domain.net you need another certificate for your Teamspeak subdomain.

Multiple SSL Certificates in One Heroku Application

Is it possible to have many SSL certificates in the single Heroku Application ?
We have multiple domain names of different types and TLD's pointing to our application and need to secure each domain name. Preferably without redirecting to a different secure URL.
There is a way to have multiple SSL endpoints routing traffic to the same app.
An SSL endpoint works by terminating the SSL connection and injecting the unencrypted traffic back into the normal Heroku routing layer.
You can take advantage of this by creating a new app with a new SSL endpoint to terminate the SSL connection and route the traffic to your existing app:
Add your domain name to your app:
$ heroku domains:add ssl.example.com
Create a new app:
$ heroku create endpoint-for-example-com
Add the SSL endpoint add-on ($20/mo):
$ heroku addons:create ssl:endpoint --app endpoint-for-example-com
Add your certificate to your new app:
$ heroku certs:add server.crt bundle.pem server.key --app endpoint-for-example-com --type endpoint
Resolving trust chain... done
Adding SSL Endpoint to endpoint-for-example-com... done
endpoint-for-example-com now served by kagawa-1482.herokussl.example.com
Use the ssl endpoint assigned to your new app (e.g. kagawa-1482.herokussl.example.com) as the CNAME host for the domain name you wish to secure. This is normally done in your domain's DNS configuration.
The new app does not need any dynos, but there will be a charge of $20 / month for the SSL endpoint add-on.
Notes:
This solution is not documented by Heroku, so it's possible that they would remove or change this behaviour in the future. Heroku have confirmed that this is safe for production use.
Be sure to create your endpoints in the same region as your primary app.
It might take a while for your DNS changes to take effect.
Recently heroku has added automatic LetsEncrypt TLS certificates for paid dynos, hobby and up. This will work across any number of domains and subdomains automatically. This method only works if you don't need wildcard subdomains.
Additionally you can manage the LE certification yourself across multiple domains and subdomains, with certbot
certbot certonly --standalone -d example.com -d www.example.com -d test.net
You can refer to this heroku doc for uploading custom certificates.
While not the exact same as OP's question, I was able to achieve this on Heroku with a single SAN (Subject Alternative Name) certificate for about $25/year.
I generated a CSR with multiple subject alternative names (subjectAltName) in OSX by:
Copying /System/Library/OpenSSL/openssl.cnf to the current directory, and amending the relevant sections ([req] and [v3_req]):
[req]
req_extensions = v3_req
[v3_req]
subjectAltName=DNS:www.example1.com,DNS:www.example2.com,DNS:www.example3.com
Then I used this new .cnf when generating the CSR:
openssl req -nodes -newkey rsa:2048 -keyout server.key -out server.csr -config openssl.cnf
I purchased the cert from SSLs.com. Their Comodo "PositiveSSL Multi-Domain" is $25.99/yr as of this writing and supports 3-100 domains (domains over 3 cost something like $12).
I concatenated the CA bundle and .crt that I was sent into a single .crt (in that order) and added it to Heroku. All 3 domains were added to the app and pointed to the same CNAME, and all resolve over https:// as expected.
Much cheaper than $240/yr for an additional endpoint, if this is a viable route for anyone interested.
Relevant links:
https://stackoverflow.com/a/8520510/630614
http://apetec.com/support/GenerateSAN-CSR.htm
I'm dealing with this myself. Heroku suggests getting a SAN/UCC certificate, which lets you list multiple domains. Just did it with GoDaddy and it's working fine so far.
https://devcenter.heroku.com/articles/ssl-endpoint#serving-multiple-domains
We have multiple domain names belonging to multiple companies. A SAN/UCC certificate is only available for domain names owned by the same entity/company/individual. We created an iFrame in the background as a quick-fix but we have since moved our platform to our own infrastructure.

Heroku, Keep getting SSL certificate error from Google Web Master Tool

I keep getting an SSL certificate error from Google Webmaster Tools like the one below.
Dear Webmaster, The host name of your site, https://myapp.com/, does not match any of the "Subject Names" in your SSL certificate, which were:
*.herokuapp.com
herokuapp.com
This will cause many web browsers to block users from accessing your site, or to display a security warning message when your site is accessed. To correct this problem, please get a new SSL certificate by a Certificate Authority (CA) with a "Subject Name" or "Subject Alternative DNS Names" that matches your host name. Thanks, The Google Web Crawling Team
I set ssl to my heroku app by following instructions of Heroku dev center.
https://devcenter.heroku.com/articles/ssl-certificate
https://devcenter.heroku.com/articles/ssl-endpoint
I am also using rack_rewrite for a 301 redirect from the naked domain to the www subdomain.
Everything seems to be fine from the browser: when I access the naked domain, it redirects to https://www.myapp.com without any SSL error.
The output from heroku is below:
heroku certs --remote production
Endpoint               Common Name(s)                     Expires              Trusted
---------------------- ---------------------------------- -------------------- -------
XXXXXXXX.herokussl.com www.myapp.com, myapp.com           2013-08-05 00:20 PHT True
heroku certs:info --remote production
Fetching information on SSL endpoint XXXXXXX.herokussl.com... done
Certificate details:
subject: /serialNumber=XXXXXXXXXX www.rapidssl.com/resources/cps (c)12/OU=Domain Control Validated - RapidSSL(R)/CN=www.myapp.com
start date: (some date)
expire date: (some date)
common name(s): www.myapp.com, myapp.com
issuer: /serialNumber=XXXXXXXXXXX www.rapidssl.com/resources/cps (c)12/OU=Domain Control Validated - RapidSSL(R)/CN=www.myapp.com
SSL certificate is verified by a root authority.
Domain settings:
Type  NAME          TTL  Points to
ALIAS myapp.com     3600 xxxxxx.herokussl.com
CNAME www.myapp.com 3600 xxxxxx.herokussl.com
Why do I keep getting the error from Google?
Naked Domains are not supported. See the documentation section at Heroku Endpoint SSL
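The name check behind Google's notice above and behind the earlier answer about Subject Alternative Names, as an added example that is not part of any post on this page: a hostname is accepted only if some SAN entry equals it or is a wildcard covering exactly its left-most label. The function names are hypothetical, the SAN lists are the ones quoted on the page, and IP-address SANs and internationalized names are out of scope.

```python
def _labels(name):
    """Lower-case a DNS name, drop a trailing root dot, split into labels."""
    return name.rstrip(".").lower().split(".")

def san_matches(hostname, pattern):
    """Match one dNSName SAN entry against a hostname (wildcard rules per RFC 6125)."""
    host, pat = _labels(hostname), _labels(pattern)
    if len(host) != len(pat):
        return False  # "*" stands for exactly one label, never zero or several
    if pat[0] == "*":
        # Conservative choice in this sketch: require two labels after the "*",
        # so "*.com" is rejected. Partial wildcards ("f*.example.com") never match.
        return len(pat) >= 3 and host[1:] == pat[1:]
    return host == pat

def audit(hostnames, sans):
    """Map each hostname to the first SAN entry that covers it, or None."""
    return {h: next((s for s in sans if san_matches(h, s)), None) for h in hostnames}

# SAN lists quoted on this page; the hostnames are the page's own placeholders.
HEROKU_DEFAULT = ["*.herokuapp.com", "herokuapp.com"]
CUSTOM_CERT = ["www.myapp.com", "myapp.com"]

if __name__ == "__main__":
    hosts = ["myapp.com", "www.myapp.com", "myapp.herokuapp.com"]
    for name, sans in (("default", HEROKU_DEFAULT), ("custom", CUSTOM_CERT)):
        for host, hit in audit(hosts, sans).items():
            print(f"{name:8} {host:22} {'covered by ' + hit if hit else 'NAME MISMATCH'}")
```

A crawler or browser that is served the `*.herokuapp.com` certificate for `myapp.com` gets a mismatch even though a valid custom certificate exists, which is why the DNS records have to point at the endpoint that serves that certificate.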

Purchased and installed ssl certs but still identified as *.herokuapp.com

I followed the instructions to the letter here -- https://devcenter.heroku.com/articles/ssl-certificate --, and they were helpful, especially since DNSimple is my registrar of choice. I got everything up and running as far as I know, purchased the certs (via DNSimple and RapidSSL), combined the crt and the CA bundle, and sent them up via the heroku client:
$ heroku ssl
www.website.com has a SSL certificate registered to /serialNumber=…
website.com has a SSL certificate registered to /serialNumber=…
But when I go to my apps (I even restarted them) they are still using the certs for *.herokuapp.com. Is there anything I've missed? Why would things be coming up as *.herokuapp.com?
From the top, here are the pieces provided to me from the related parties.
From DNSimple (on the cert details page) : Private Key
From DNSimple (on the cert details page) : Certificate
From RapidSSL's CA Download page (linked from DNSimple) : CA bundle "pem"
From email sent by RapidSSL / Geotrust : Web Server CERTIFICATE
From email sent by RapidSSL / Geotrust : INTERMEDIATE CA
I imagine that the "private key" is what I need in the second part of the heroku ssl:add dance: heroku ssl:add site.pem private.key
But it seems that I'm doing something wrong when I'm putting together the "pem" file for the first file I'm sending with heroku ssl:add. Of the pieces above - what needs to be combined in order for this to work?
I know this question is old, but I just hit the same problem and found the answer, at least in my case.
I had my DNS pointing to my-app.herokuapp.com but the SSL endpoint is different. You can find the SSL endpoint like this:
$ heroku certs
Endpoint                 Common Name(s)               Expires              Trusted
------------------------ ---------------------------- -------------------- -------
osaka-5565.herokussl.com www.example.com, example.com 2014-05-18 09:32 UTC True
Your endpoint will be different from that. Once you change your CNAME and/or ALIAS records to point to the SSL endpoint, you'll get your own certificate instead of the herokuapp wildcard.
Make sure you're not viewing the naked domain name: https://yourwebsite.com is not supported with SSL on Heroku, whereas https://www.yourwebsite.com is.
If this ends up being the issue, you'll have to make sure the naked domain name redirects to a subdomain like www.