Heroku Updating SSL endpoint failed - No key found that signs the certificate - ssl

I am trying to replace my SSL cert on my Heroku Rails app.
I have reissued the SSL cert and am trying to update the SSL end point.
However, when I run the following command I get this error:
heroku certs:update server.crt intermediate.crt server.key -a my_rails_app
Resolving trust chain... failed
! No key found that signs the certificate.

First off here are some good links to help you with this.
https://devcenter.heroku.com/articles/ssl-endpoint
https://gist.github.com/shripadk/552554
https://www.resumonk.com/blog/setup-ssl-certificate-heroku/
I reissued my SSL cert and, when I got it in an email, I copied the whole thing, not just the cert information.
Afterwards Heroku ran the update without issues.
server.crt
Web Server CERTIFICATE
-----------------
-----BEGIN CERTIFICATE-----
MIIFKDCCBBCgAwIBAgIDEet1MA0GCSqGSIb3DQEBBQUAMDwxCzAJBgNVBAYTAlVT
IWAr5kQ/k2Hy4jXxHpqWMbK/SNu/UIlJM/xjyVvANy43orc2zBnGIPrzECMBWAP1
Xbkz4PUm4DuD8bRrkN7q9VKrssROFXkrl/teOg==
-----END CERTIFICATE-----
INTERMEDIATE CA:
---------------------------------------
-----BEGIN CERTIFICATE-----
MIID1TCCAr2gAwIBAgIDAjbRMA0GCSqGSIb3DQEBBQUAMEIxCzAJBgNVBAYTAlVT
knYYCnwPLI6FoOpC+ZNmZzYV+yoAVHHb1c0XqtK
LEL2TxyJeN4mTvVvk0wVaydWTQBUbHq3tw==
-----END CERTIFICATE-----

After pulling my hair out over updating an existing SSL in Heroku, and wasting many, many hours, I came across a Heroku add-on called Expedited SSL that makes this process so painless, it's almost too good to be true. But it is true. What I couldn't solve in the last 6 hours was just solved in literally 1 minute with this add-on.
I shall say no more.

I was getting the same error. In order to fix it, I had to pass the path to privkey.pem after fullchain.pem:
sudo heroku certs:update /etc/letsencrypt/live/domain_name/fullchain.pem /etc/letsencrypt/live/domain_name/privkey.pem -a tc-sales-portal
Hope it helps

Mandrill webhooks, SSL certificate verify failed, verify that the CA cert is OK

I've been getting this error for a long while:
POST to https://www.xxxxxx.com/hook/mandrill/quotations/opened failed: SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
I got my certificates renewed by Comodo recently & ever since, I've been getting these errors.
It still seems to work though, but I'm worried some of the webhooks might not get through.
Is anyone getting these errors as well? Might it be a problem on their side? Because I have checked my website on https://www.sslshopper.com/ssl-checker.html and it seems to be perfectly fine.
Also I'm hosting my website on Amazon
Thanks
This is an issue with your installed SSL certificate. You most likely did not combine the .crt file and the .ca-bundle file they provided to you and only installed the .crt file. Comodo provides the following two files in the zip package they make available to you:
_yourdomain_com.crt
_yourdomain_com.ca-bundle
The .ca-bundle includes all your intermediate certificates. You need to combine the contents of the two above files together. Your output .crt file would look something like:
-----BEGIN CERTIFICATE-----
contents of original crt file
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
contents of 1st cert in ca-bundle file
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
contents of 2nd cert in ca-bundle file
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
etc...
-----END CERTIFICATE-----
You must list the original certificate as the first certificate in the output file. Then comes the intermediate certificates in your bundle.
Replace the .crt file that your server is pointing to with the above output .crt file. No need to change any of the web server configurations for either Apache or Nginx - both support bundled certificates. Make sure to restart your web server once the changes are made.
Before you make any of the above changes, you can actually see whether or not the missing .ca-bundle is causing your error by running an SSL test against your domain. In the results section after the test finishes, look for Additional Certificates. The results will state that you are missing certificates if you do not have the appropriate intermediate certificates in your .crt file.

Heroku SSL: install intermediate cert?

My registrar, gandi, gave me an intermediate cert to install, so I have 3 files:
Private key file (server.key)
Certificate file (mycert.crt)
Intermediate cert (GandiSomething.pem)
I'm using the SSL Beta service on Heroku. The Heroku CLI command heroku certs:add takes exactly two arguments, CRT and KEY. How do I install the intermediate cert?
Paul is right, you can combine certificates:
cat ssl.crt middle.crt root.crt > all.crt
Make sure there are newlines at the end of the cert files!
And upload it to Heroku (use add if you don't have an SSL Endpoint yet):
heroku certs:update --app $YOUR_APP --confirm $YOUR_APP all.crt private.key
But there are some tricks you shouldn't forget:
Update your DNS CNAME record. Change target from <app>.herokuapp.com to secure <domain>.herokudns.com (be careful, if you have *.your.domain record it can catch requests and forward it to another server)
Check the cert chain works right: SSL Checker
Flush local DNS: Flush DNS tips (antivirus can also patch and cache your connections)
Restart your browser (to flush browser's cache too)
Check your app with browser by https:// connection
The solution here is to combine the intermediate cert and the generated cert into one file, as described here. Because that link is shady, here's how the cert file should look once combined:
-----BEGIN CERTIFICATE-----
MIIEKjCCAxKgAwIBAgIEOGPe+DANBgkqhkiG9w0BAQUFADCBtDEUMBIGA1UEChML
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
wfsm5p9GJKaxB825DOgNghYAHZaS/KYIoA==
-----END CERTIFICATE-----
Then, this command will work:
heroku certs:add --app name-of-my-app file-with-combined-certs.crt myserver.key
Just pass it in as an argument. Put the intermediate in the middle; it takes it as another argument. Then check heroku certs and report back if it doesn't work.

Nginx install intermediate certificate

I'm trying to install an intermediate certificate on Nginx (Laravel Forge).
Right now the certificate is properly installed, just the intermediate that is missing.
I've seen that I need to concatenate the current certificate with the intermediate. What is the best/safest way to add the intermediate certificate?
Also, if the install of the intermediate fails, can I just roll back to the previous certificate and reboot nginx? (The website is live, so I can't have too long a downtime.)
Nginx expects all server section certificates in a file that you refer to with ssl_certificate. Just put all the vendor's intermediate certificates and your domain's certificate in a file. It'll look like this.
-----BEGIN CERTIFICATE-----
MII...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MII...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MII...
-----END CERTIFICATE-----
To make sure everything is okay and to avoid downtime, I would suggest you set up Nginx locally, add 127.0.0.1 yourdomain.com to /etc/hosts, and try to open it from major browsers. When you've verified that everything is correct you can replicate it to the production server.
When you're done, it is a good idea to use some SSL checker tool to verify (e.g. this one). Because pre-installed CA certificates may vary depending on browser and platform, you can easily overlook a misconfiguration checking from one OS or a limited set of browsers.
Edit
As @Martin pointed out, the order of certificates in the file is important.
RFC 4346 for TLS 1.1 states:
This is a sequence (chain) of X.509v3 certificates. The sender's
certificate must come first in the list. Each following
certificate must directly certify the one preceding it.
Thus the order is:
1. Your domain's certificate
2. Vendor's intermediate certificate that certifies (1)
3. Vendor's intermediate certificate that certifies (2)
...
n. Vendor's root certificate that certifies (n-1). Optional, because it should be contained in client's CA store.
Letsencrypt: fullchain.pem
Same trouble for me. I was using Letsencrypt and, in my Nginx configuration, I needed to NOT use this:
ssl_certificate /etc/letsencrypt/live/domain.tld/cert.pem;
ssl_certificate_key /etc/letsencrypt/live/domain.tld/privkey.pem;
But use this:
ssl_certificate /etc/letsencrypt/live/domain.tld/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/domain.tld/privkey.pem;

I found an issue when I'm using Apache Benchmark (ab) with HTTPS

I found an issue: when I'm using Apache Benchmark (ab) with HTTP it is working fine, but when I'm running ab with HTTPS I'm getting the error "benchmarking : SSL read failed - closing connection". Any ideas how it could be resolved?
Try Siege, it's similar to ab, but it can handle https with untrusted certificates.
With Siege you can create a file with URLs you want to test (-f option), the -c tells how many users (concurrency) and -t how much time (e.g.: 1M one minute, 2H two hours)
siege -c 10 -t 1m -f file.txt
If you are using Debian, you can do an apt-get install siege
This appears to be a bug that occurs on some servers:
https://issues.apache.org/bugzilla/show_bug.cgi?id=49382
This also happens if you are using an intermediate certificate authority (StartSSL free tier) that is not trusted by the client and misconfigured your SSL certificate.
You need to add the intermediate CA's certificate to your webserver's SSL certificate so that it looks like this:
-----BEGIN CERTIFICATE-----
..YOUR CERT......
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
..INTERMEDIATE CA CERT......
-----END CERTIFICATE-----
Try installing the certificate in the machine from where you perform the request.

Trouble with Heroku SSL Endpoint

I am trying to add an SSL cert to Heroku. The cert was purchased from Network Solutions. I went through all of the steps and created a .csr file, uploaded that file to NetworkSolutions, downloaded their bundle of .crt files (MYSITE.crt, AddTrustExternalCARoot.crt, NetworkSolutionsDVServerCA.crt) and then combined the site cert & the intermediate certificate (AddTrustExternalCARoot.crt) bundles. When I try and add the final.crt file I produce to Heroku I get:
! Expires at can't be blank
! Pem is invalid
Using Preview I can clearly see that "Not Valid After" is set so I am not really sure what is going on here.
For what it's worth I also tried combining NetworkSolutionsDVServerCA.crt with MYSITE.CRT & also combining all 3. All with no luck.
This kind of thing isn't my strong point (I am sure you can tell) so it's very possible I am missing something, but if you have any ideas on what it might be I would appreciate it.
Thanks
I faced the same problem today.
Below are the steps I followed to fix it.
Combine the certificate files in the below order (from the site certificate to root certificate) into a .crt or .pem file. Let's assume you name it Mysite_combined.crt.
MySite.crt, NetworkSolutionsDVServerCA.crt, AddTrustExternalCARoot.crt
Open Mysite_combined.crt the content of the file will look like
-----BEGIN CERTIFICATE-----
..
-----END CERTIFICATE----------BEGIN CERTIFICATE-----
..
-----END CERTIFICATE----------BEGIN CERTIFICATE-----
Now, insert a line feed between each certificate. Make sure there is no white space or blank line in the edited file. The content should now look like
-----BEGIN CERTIFICATE-----
..
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
..
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Now add the certificate to Heroku using the command
heroku certs:add Mysite_combined.crt Mysite.key
Note: Since the Network Solutions certificate does not have a passcode, you can ignore the steps to remove the passcode on the Heroku site. If you use a key which has a passcode, refer to this article which details how to set up SSL for Heroku. You should do step 2 above in any case.
It's likely there was an error in cat'ing your cert together with the intermediate. You should look to see that there was not a missing line break, or extra line breaks that may have caused the error.
I had this problem as well and in my case it turned out to be the order of the arguments. Apparently the heroku utility expects the .crt file to precede the .key file.
In other words: heroku certs:add server.crt server.key
When I got this error, I had to add a newline at the end of my site.crt before running this command:
$ cat site.crt ca_bundle.pem > final.crt
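The assembly step described in the Comodo .crt plus .ca-bundle answer and again in the Network Solutions answer above (site certificate first, then the intermediates, root last, one newline between blocks, no blank lines, a trailing newline) is exactly where the "Pem is invalid" and fused "-----END CERTIFICATE----------BEGIN CERTIFICATE-----" problems come from. The following POSIX sh script is an added example, not code from the posts; it checks only the text layout of the file, not signatures, and the file names are placeholders.

```shell
#!/bin/sh
# make_bundle.sh (added example): assemble and sanity-check a PEM chain file.
# Usage: sh make_bundle.sh out.pem site.crt intermediate.crt [root.crt]
# Inputs are given in the order the answers above require: your certificate
# first, then the intermediate(s), the root last. File names are placeholders.

# make_bundle OUT FILE...: concatenate FILE... into OUT so that every certificate
# ends with exactly one newline, a fused END/BEGIN marker (what cat produces from
# a file with no trailing newline) is split, and blank lines are dropped.
make_bundle() {
    out=$1; shift
    for f in "$@"; do
        cat "$f"
        # $(tail -c1) is empty only when the file already ends with a newline
        if [ -n "$(tail -c1 "$f")" ]; then
            printf '\n'
        fi
    done | awk '
        { gsub(/-----END CERTIFICATE----------BEGIN CERTIFICATE-----/,
               "-----END CERTIFICATE-----\n-----BEGIN CERTIFICATE-----") }
        NF { print }
    ' > "$out"
}

# cert_count FILE: number of BEGIN markers that sit on a line of their own
cert_count() {
    grep -c '^-----BEGIN CERTIFICATE-----$' "$1" || true
}

# check_bundle FILE: return 0 if the layout is what Heroku and nginx accept:
# balanced markers on their own lines, no blank lines, trailing newline present.
check_bundle() {
    file=$1; status=0
    begins=$(cert_count "$file")
    ends=$(grep -c '^-----END CERTIFICATE-----$' "$file" || true)
    fused=$(grep -c 'END CERTIFICATE-----.*BEGIN CERTIFICATE' "$file" || true)
    blanks=$(grep -c '^[[:space:]]*$' "$file" || true)
    [ "$begins" -ge 1 ] || { echo "$file: no certificate found"; status=1; }
    [ "$begins" -eq "$ends" ] || { echo "$file: $begins BEGIN but $ends END markers"; status=1; }
    [ "$fused" -eq 0 ] || { echo "$file: END and BEGIN markers on the same line (missing newline)"; status=1; }
    [ "$blanks" -eq 0 ] || { echo "$file: $blanks blank line(s)"; status=1; }
    [ -z "$(tail -c1 "$file")" ] || { echo "$file: no trailing newline"; status=1; }
    [ "$status" -eq 0 ] && echo "$file: $begins certificate(s), layout ok"
    return "$status"
}

# Stand-alone use: build the bundle, then check what was written.
if [ "$#" -ge 2 ]; then
    make_bundle "$@" && check_bundle "$1"
fi
```

Running check_bundle on a file that was built with a plain cat of a site.crt lacking its final newline reports the fused marker and the blank line, which is the situation the Network Solutions answer fixes by hand; feeding that same broken file back through make_bundle repairs it. Whether the certificates inside are the right ones and in the right order is a separate question for openssl, which this script deliberately does not touch.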