I have an application on Heroku that currently does not use ACM.
Our customers provide us a domain, point their DNS to the provided CNAME, and then provide us a SSL certificate to upload manually.
We would like to cut out the SSL portion as it's a huge burden for people. It appears Heroku ACM can take care of this for us.
My concern is with existing domains / certificates.
What will happen to them if I enable ACM?
I'd imagine they get taken care of with a tiny bit of downtime, but don't want to get into a spot where we've broke their domain and no longer have the certificates they provided us.
I need to point thousands of TLDs to the same Rails app hosted in Heroku.
So far I have automated the process of adding domains to CloudFlare and Heroku, but SSL has proven to be a challenge.
Heroku has ACM on by default, which will fail when the CF orange cloud is on (which I need on).
I can't turn ACM off with Flexible SSL in CloudFlare because I need SSL from edge to origin.
I can't use an Origin CA because Heroku only supports 1 certificate per app (not per domain) and I'm going to be well over 100 domains. I also don't want to have to manage multiple certificates which contain multiple TLDs and re-generate the certificate with every single domain in it every time I add a new domain.
Question: Is there a downside to just pointing www and # to my-app.herokuapps.com?
So far it works perfectly from a DNS perspective with Full SSL in CloudFlare, even though it says in Heroku docs that the herokudns.com strategy is encouraged. I just wanted to ensure there aren't any deprecations or hidden limits that will suddenly make this stop working after I've committed to it.
I'm also open to any other solutions.
Im currently building an application that will reside at app.mydomain.com which is running on Heroku. All users will have their own entry points, like app.mydomain.com/client1, app.mydomain.com/client2, etc. I want clients to be able to setup their own domain (www.clientdomain.com) and cname it to their entry point. I understand this is pretty straight forward up until now.
All my DNS is handled by Cloudflare and I believe I can configure Cloudlfare into Full (Strict) mode, all I need to do is install their Origin Cert onto my Heroku dyno. This will ensure that all direct connects to my domain will be secure (going to app.mydomain.com/client1).
Question is, how does a client go about getting an SSL'ed connection for their domain; do I need to get a multidomain cert and start adding domains to it as I get clients, or am i supposed to install their cert onto Heroku (I believe I can only install 1 so thats a no go) or is it supposed to live on Cloudflare somewhere, or are there additional options I'm not seeing (I hope there are!).
Im not wondering what to do for my own domains, but rather, how do clients setup an SSL connection with their domains that resolve onto my servers.
This is rather perplexing!
The flow would be (I think):
User Browser -> Clients DNS -> (cname to) My Cloudflare -> Heroku
Hmm, it looks like this might be a pretty solid solution to this issue...
https://blog.cloudflare.com/introducing-ssl-for-saas/
Edit - after clarification
I'm currently building an application that will reside at
app.mydomain.com which is running on Heroku. All users will have their
own entry points, like app.mydomain.com/client1,
app.mydomain.com/client2, etc. Question is, how does a client go about
getting an SSL'ed connection for their domain; do I need to get a
multidomain cert and start adding domains to it as I get clients?
If you are going to use the same Heroku app for all of your clients (I think this is a bad idea by the way, but you might be required to) - then yes - you should get a multi-domain certificate and keep adding domains to it as your list of clients expand.
Original answer - which explains SSL + Load Balancing on Heroku.
Im currently building an application that will reside at
app.mydomain.com which is running on Heroku. I was clients to be able
to setup their own domain www.clientdomain.com and cname it to mine.
You will need a wildcard certificate to cover your subdomain (for the app.mydomain.com). You'll have use that cert in heroku.
...all I need to do is install their Origin Cert onto my Heroku dyno.
You are correct - except it's not on your Heroku dyno, it's on your Heroku app endpoint. There's a good read here: https://serverfault.com/questions/68753/does-each-server-behind-a-load-balancer-need-their-own-ssl-certificate
If you do your load balancing on the TCP or IP layer (OSI layer 4/3,
a.k.a L4, L3), then yes, all HTTP servers will need to have the SSL
certificate installed.
If you load balance on the HTTPS layer (L7), then you'd commonly
install the certificate on the load balancer alone, and use plain
un-encrypted HTTP over the local network between the load balancer and
the webservers (for best performance on the web servers).
So you should install your SSL certificate to your Heroku endpoint and let Heroku handle the rest.
Question is, how does a client go about getting an SSL'ed connection;
do I need to get a multidomain cert and start adding domains to it as
I get clients, am i supposed to install their cert onto Heroku (I
believe I can only install 1 so thats a no go) or is it supposed to
live on Cloudflare somewhere?
If you're referring to adding servers to your service from heroku, all you need to do is increase the number of web-dynos. Heroku will handle the load balancing in between these dynos. Your SSL certificate should be resolved in the load balancer so your dynos will be serving requests for the same endpoint. You shouldn't need another SSL certificate for the endpoint you've defined - as long as you're serving traffic from multiple dynos attached to it.
I would like to set some SSL certificates for one app I have on heroku (a simple application based on nodeJS + Vue).
I know if I upgrade to the Hobby Plan (7$ for month) I can have it automatically.
But for now it would too much money for a test application, so I am wondering if I can achieve some similar goal also with a Free Plan.
so:
Is it possible to set SSL certificate for an app on Heroku JUST with the Free Plan?
Maybe in a complicated/tricky way via CLI?
From the Heroku pages and documentation it looks not possible.
But I have to ask :)
Here I have a better approach to deal with this. As Heroku Doesn't provide SSL for Free Plan.
But You can use Cloudflare which gives free SSL.
You can Use Cloudflare As Bridge For SSL.
Requirement:
Cloudflare Account
Your Application should not have inbuild SSL redirection (like redirect-ssl)
Otherwise, This will result in Too Many Redirect Error
Step 1: Point Your domain to CloudFlare. You basically open an account an enter your domain when prompted. You may be given instructions to change your domain name servers.
Step 2: Add Cname Record of Heroku Server in DNS of Cloudflare. Instructions are here
Here You will get Some SSL Security Issue.
Step 3: Now Change Your SSL/TLS encryption mode to Flexible (Not Full). *Important
Now Understand the Working:-
Client(Browser) Make Request to https://example.com
First, the request reaches the Cloudflare with SSL. (User see encrypted connection to the server.)
Then Cloudflare makes request to Heroku Server(Origin) with Non-SSL (Non-Https and Unencrypted).
Then Heroku Server (Origin) returns the Response with Non-SSL to Cloudflare.
At the end Cloudflare forward the request to Client (Browser.)
You might think, What is the benefit of just encrypting half system.
but "Something is better then nothing".
You are here because you don't want to spent money on heroku paid dynos.
This method is better for those who is using http. Atleast it protects the most vulnerable side (client side). Where most of the attack happen. There is very less chances of attack between cloudflare and your server. Because of network reach.
Having less vulnerable probability is better then 100% vulnerable system
I have tested this method and working on https://www.auedbaki.com
Late response but I'm adding here I just spent an hour trying to setup SSL with Heroku - resulting in a dead end.
The bottom line is that Heroku mentions they offer free SSL certificates but that's really not the case unless you have a Hobby ($7/mo) or Pro plan.
This link has more details and feedback from other users facing the same issue.
The answer above about LetsEncrypt is incorrect. Although you can get a free certificate, it cannot be included in a free Heroku app.
Other users have pointed to this article with a step-by-step guide but the guide is outdated and the 'Labs' option mentioned does not work with Heroku anymore.
see comments below for some alternative suggestions
In my specific case, I was able to get a free SSL on zeit.
Here's how you get FULL SSL using Cloudflare for FREE.
Step 1: Point Your domain to CloudFlare. You basically open an account an enter your domain when prompted. You may be given instructions to change your domain name servers.
Step 2: Add Cname Record of Heroku Server in DNS of Cloudflare. Instructions are here. Here You will get Some SSL Security Issue.
Step 3: Now Change Your SSL/TLS encryption mode to Full
Step 4: In your DNS settings, you’ll want to create a CNAME: yourdomain.com -> yourapp.herokuapp.com.
(I learned about the general approach here https://mikecoutermarsh.com/adding-ssl-to-heroku-with-cloudflare/ Although it's old, it still works.
I had this issue also. I wanted to set up a custom domain for my free account on Heroku for my React App. I searched so much info on the web and read loads of documents from Heroku support.
The conclusion is that on the Heroku free account, a custom domain name with SSL certificate cannot be setup. If you need SSL with your custom domain name, you need to upgrade to any of their paid hosting accounts.
Heroku does provide SSL certificate for their free account as long as it is not using a custom domain name. So the standard free account URL will be something like this "https://your-app-name.herokuapp.com"
NB. Google Firebase allows free hosting and Custom Domain name with SSL, for up to a certain amount of traffic before charging. For testing an app, this will be a perfect alternative. I am using it. And it was easy to set up my custom domain.
I hope this saves you hours of searching.
Since you don't make explicit if you need to apply the SSL certificate to a custom domain, I think it's necessary to say that according to the Heroku documentation:
Apps using free dynos can use the *.herokuapp.com certificate if they
need SSL.
https://devcenter.heroku.com/articles/ssl
Maybe future readers could find this answer helpful...
If you are using
1]free heroku,
You can't use 1)free ssl or 2)paid ssl
2]paid heroku
1)you get free ssl 2)you can use paid ssl also
Solution
1]get paid heroku
2]move to netlify or other alternatives
Free SSL in Heroku doesn't exist, or let me just say that it's impossible to achieve it on a free plan.
For you to be able to include any form of third party SSL in Heroku, be it paid SSL or Free Third Party SSL, you have to change to Hobby or Professional dynos for the SSL to work.
An easier option, if you're using Heroku, there's no need to buy a third party SSL. Just change to Hobby or Professional dynos.
For you to be able to change the dyno type, select your app, go to sources section on the upper part, just bellow it, click on the Change Dyno Type button.
Hobby Dyno will cost you $7 a month while Professional Dyno will cost you $25 - $500 a month.
After all that, remember to go to your Rails App:
Go to; .../config/environments/production.rb
--> Uncomment the following line:
# config.force_ssl = true
---> To:
config.force_ssl = true
After that, you'll be able to achieve your SSL but not FREE.
If you don't mind hosting your frontend on another service you can host it in Vercel, with free SSL, while you keep your backend at Heroku. Quite straightforward!
https://vercel.com/
One way around this could be setting up a proxy server on a host you can set SSL certificates on and then simply forward requests to the free herokudns domain using encryption as well.
You'd have to have a separate server with something like nginx or httpd running.. I am not sure of a free service to host the proxy, but usually when you sign up for a domain you may get a hosting addon with it, or perhaps people already have acess to an encrypted host and just want to also use Heroku for their node applications.
Setting up a httpd proxy would look somewhat like this (from https://serverfault.com/questions/84821/apache-proxypass-with-ssl):
<VirtualHost 1.2.3.4:80>
ServerName customdomain.com
SSLProxyEngine On
SSLProxyCheckPeerCN on
SSLProxyCheckPeerExpire on
ProxyPass / https://heroku-app-name.herokuapp.com
ProxyPassReverse / https://heroku-app-name.herokuapp.com
</VirtualHost>
This way you have full encryption all the way :)
This is a question rather than an answer, actually. Has anyone tried ZeroSSL? It offers free SSL, and here is an installation guide for Heroku. However, SSL Endpoint is apparently deprecated and not recommended by Heroku, and it appears to be paid addon of Heroku.
$ cat example.crt ca_bundle.crt certificate.crt
I could not make sense of this line in the help. Perhaps, > is missing? Where does example.crt come from, when I only have the following files?
certificate.crt
ca_bundle.crt
private.key
Or can Heroku SSL accept SSL certificates issued from ZeroSSL?
I have an app (hosted in heroku) where customers have an individual subdomain e.g. client1.myapp.com, client2.myapp.com I am using a wildcard SSL cert here.
If however a client wants to use their own custom domain e.g. CNAME app.client1.com
How can i automatically provide an SSL cert (I'm guessing using Lets Encrypt) for the client without them providing me a certificate to upload in a similar way to firebase etc.. provides SSL certs for domains.
As long as app.client1.com is reachable from the internet, you are free to set up a lets-encrypt certificate.
If your applications run on unix-like system, then the cerbot docs describe all the steps for automating the renewal.
You basically have to set up a cronjob that launches the renewal command.
You can edit the crons in you linux machine with the command crontab -e and place something like this at the end of the file:
0 15 1 * * certbot renew
This will run the command the first day of each month and attempt the renewal of your certificate. Check crontab.guru if you need different settings.
If you want to call the cerbot command from a custom script, you can add such script to your cronjob (and save the output to a custom file).
E.g:
0 15 1 * * python cert_autorenew.py >> cron.log 2>&1
Keep in mind that if you want a certificate for app.client1.com, then the renewal request you send, must resolve to the server app.client1.com.
That's how you demonstrate the control over your domain to letsencrypt.
If you are hosting the new application in Heroku/new domain is directed to Heroku app, they will take care of the SSL Certificates for you, as long as you run the application on a paid dyno. Which you should as its a client's application!
https://devcenter.heroku.com/articles/ssl
Heroku provides free Automated Certificate Management (ACM) for all
applications running on paid dynos. With ACM, Heroku automatically
provisions and renews SSL certificates for your application. If you
prefer to upload your own certificate manually, follow the steps in
this article.
You only have to make an application in Heroku, upgrade the dyno and configure the custom domain name (app.client1.com) for the application, following instructions at https://devcenter.heroku.com/articles/custom-domains