SSL Error on Heroku app - ssl

I cannot get SSL to work properly on my Heroku app.
I have successfully added the crt key, which gives me:
Resolving trust chain... done
Updating SSL Endpoint aichi-7001.herokussl.com for mysite... done
Updated certificate details:
Common Name(s): mysite.com
                www.mysite.com
Expires At: 2013-11-03 23:59 UTC
Issuer: /OU=Domain Control Validated/OU=Free SSL/CN=www.mysite.com
Starts At: 2013-08-05 00:00 UTC
Subject: /OU=Domain Control Validated/OU=Free SSL/CN=www.mysite.com
SSL certificate is verified by a root authority.
But when I try to load the page in the browser, I get the following message:
This is probably not the site you are looking for!
You attempted to reach www.mysite.com.br, but instead you actually reached a server identifying itself as *.herokuapp.com. This may be caused by a misconfiguration on the server or by something more serious. An attacker on your network could be trying to get you to visit a fake (and potentially harmful) version of www.mysite.com.br.
You should not proceed, especially if you have never seen this warning before for this site.
Any ideas on where I made a mistake?

You need to add the domain www.mysite.com to your Heroku app like so:
$ heroku domains:add www.mysite.com
Added www.mysite.com to example... done

Related

Heroku ACM https only works on herokuapp

I have a React app running on a professional Heroku dyno. It has a custom domain with naked redirect, registered via GoDaddy.
Based on the Heroku instructions and other StackOverflow posts I've read, I thought I had everything configured properly. And indeed when I go to https://www.myapp.herokuapp.com I get the correct behavior. However, when I go to https://www.mywebsite.com, I still get:
Your connection is not private. Attackers might be trying to steal your information.
heroku domains is:
=== myapp Heroku Domain
myapp.herokuapp.com
=== myapp Custom Domains
Domain Name        DNS Record Type  DNS Target
www.mywebsite.com  CNAME            xxx-yyy-1234567.herokudns.com
That DNS address is what I've set my CNAME in GoDaddy to point to:
CNAME www xxx-yyy-1234567.herokudns.com 1 Hour
heroku certs is:
Name                Common Name(s)      Expires               Trusted  Type
──────────────────  ──────────────────  ────────────────────  ───────  ────
tyrannosaurs-66282  www.mywebsite.com   2020-08-15 10:32 UTC  True     ACM
Finally, my heroku certs:auto is:
=== Automatic Certificate Management is enabled on myapp
Certificate details:
Common Name(s): www.mywebsite.com
Expires At: 2020-08-15 10:32 UTC
Issuer: /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
Starts At: 2020-05-17 10:32 UTC
Subject: /CN=www.mywebsite.com
SSL certificate is verified by a root authority.
Domain              Status
──────────────────  ───────────
www.mywebsite.com   Cert issued
From what I can tell, everything is set up correctly. What am I missing?
One thing that could potentially be an issue: I originally tried to set up SSL manually by registering my site on Let's Encrypt. But stopped and switched to ACM after Heroku kept redirecting to va-acm, preventing confirmation.
Never mind, it did work, just takes a while to propagate. Leaving this Q up as a reference point so folks know what the correct configuration is.
Also, https always works for herokuapp. It has nothing to do with your ACM/DNS configuration.

SSL - invalid CN after installing certificate (getting CN *.herokuapp.com)

I have a heroku app hosted at www.example.com.
I have a certificate issued for that address (www.example.com). I've installed the certificate successfully according to the heroku docs.
However, I now have a problem:
when I visit www.example.com, I get an invalid CN error (says that it is issued for *.herokuapp.com)
when I visit example.herokuapp.com, I also get an invalid CN error (this time the cert CN is for www.example.com)
So the certificates are pretty much flipped. This is still pretty fresh (<1 hour) - could waiting solve the problem?
Also: This part of the heroku docs shows an endpoint in the form example.herokussl.com
$ heroku certs:info
Fetching SSL Endpoint example-2121.herokussl.com info for example... done
And I'm getting the standard example.herokuapp.com endpoint, so I did not have to change the DNS settings after installing the certificate. Could that be some clue?
If you have already configured your domain DNS for non-SSL, standard http:// access, keep in mind that you need to update it again for SSL. From your Heroku account, go to your app settings, Domain section. You will see something like:
In this example, the example.com's DNS should be updated to point to example-ssl.herokussl.com (and not example-standard.herokuapp.com).
Turns out this was a DNS caching issue on my machine. Since this was Linux, changing browsers did not work (also for some reason restarting the DNS daemon).
Anyway, it's fine now.

Heroku SSL Endpoint Doesn't Resolve

I've followed the documentation in the Heroku Dev Center related to adding and configuring the SSL Endpoint addon, but I'm having problems accessing the SSL endpoint that is specified for me once the process completes.
Here's the output heroku certs:info:
Fetching SSL Endpoint gifu-3932.herokussl.com info for epic-real-estate... done
Certificate details:
Common Name(s): epicrealestatewebsites.com
                www.epicrealestatewebsites.com
Expires At: 2014-06-10 21:30 UTC
Issuer: /OU=Domain Control Validated/CN=www.epicrealestatewebsites.com
Starts At: 2013-06-10 21:30 UTC
Subject: /OU=Domain Control Validated/CN=www.epicrealestatewebsites.com
SSL certificate is verified by a root authority.
Based on this output, I'm pretty sure I should be able to at least access my application at https://gifu-3932.herokussl.com but it seems I can't. Have I missed a step along the way somewhere or is it simply a matter of waiting a while so that host resolves to the correct place?
Apparently it is just a matter of waiting a while for DNS resolution to occur. So, if you're going to do this, make sure you have 12-16 hours available to make it happen.
Sometimes the provisioning of the SSL endpoint fails silently and never resolves. You can work around this by removing the ssl cert with heroku certs:remove and then re-adding it again. The endpoint should resolve to an Amazon ELB when it successfully is provisioned.

Heroku, Keep getting SSL certificate error from Google Web Master Tool

I keep getting ssl certificate error from google web master tool like below.
Dear Webmaster, The host name of your site, https://myapp.com/, does not match any of the "Subject Names" in your SSL certificate, which were:
*.herokuapp.com
herokuapp.com
This will cause many web browsers to block users from accessing your site, or to display a security warning message when your site is accessed. To correct this problem, please get a new SSL certificate by a Certificate Authority (CA) with a "Subject Name" or "Subject Alternative DNS Names" that matches your host name. Thanks, The Google Web Crawling Team
I set ssl to my heroku app by following instructions of Heroku dev center.
https://devcenter.heroku.com/articles/ssl-certificate
https://devcenter.heroku.com/articles/ssl-endpoint
I also am using rack_rewrite for 301 redirect for redirecting from naked domain to www subdomain.
It seems everything is going fine from browser, when I access naked domain, it will redirect to https://www.myapp.com without any SSL error.
output from heroku are like below
heroku certs --remote production
Endpoint                Common Name(s)                      Expires               Trusted
----------------------  ----------------------------------  --------------------  -------
XXXXXXXX.herokussl.com  www.myapp.com, myapp.com            2013-08-05 00:20 PHT  True
heroku certs:info --remote production
Fetching information on SSL endpoint XXXXXXX.herokussl.com... done
Certificate details:
subject: /serialNumber=XXXXXXXXXX www.rapidssl.com/resources/cps (c)12/OU=Domain Control Validated - RapidSSL(R)/CN=www.myapp.com
start date: (some date)
expire date: (some date)
common name(s): www.myapp.com, myapp.com
issuer: /serialNumber=XXXXXXXXXXX www.rapidssl.com/resources/cps (c)12/OU=Domain Control Validated - RapidSSL(R)/CN=www.myapp.com
SSL certificate is verified by a root authority.
domain settings
Type   NAME           TTL   Points to
ALIAS  myapp.com      3600  xxxxxx.herokussl.com
CNAME  www.myapp.com  3600  xxxxxx.herokussl.com
Why do I keep getting the error from Google?
Naked Domains are not supported. See the documentation section at Heroku Endpoint SSL

Purchased and installed ssl certs but still identified as *.herokuapp.com

I followed the instructions to the letter here -- https://devcenter.heroku.com/articles/ssl-certificate --, and they were helpful, especially since DNSimple is my registrar of choice. I got everything up and running as far as I know, purchased the certs (via DNSimple and RapidSSL), combined the crt and the CA bundle, and sent them up via the heroku client:
$ heroku ssl
www.website.com has a SSL certificate registered to /serialNumber=…
website.com has a SSL certificate registered to /serialNumber=…
But when I go to my apps (I even restarted them) they are still using the certs for *.herokuapp.com. Is there anything I've missed? Why would things be coming up as *.herokuapp.com?
From the top, here are the pieces provided to me from the related parties.
From DNSimple (on the cert details page) : Private Key
From DNSimple (on the cert details page) : Certificate
From RapidSSL's CA Download page (linked from DNSimple) : CA bundle "pem"
From email sent by RapidSSL / Geotrust : Web Server CERTIFICATE
From email sent by RapidSSL / Geotrust : INTERMEDIATE CA
I imagine that the "private key" is what I need in the second part of the heroku ssl:add dance: heroku ssl:add site.pem private.key
But it seems that I'm doing something wrong when I'm putting together the "pem" file for the first file I'm sending with heroku ssl:add. Of the pieces above - what needs to be combined in order for this to work?
I know this question is old, but I just hit the same problem and found the answer, at least in my case.
I had my DNS pointing to my-app.herokuapp.com but the SSL endpoint is different. You can find the SSL endpoint like this:
$ heroku certs
Endpoint                  Common Name(s)                Expires               Trusted
------------------------  ----------------------------  --------------------  -------
osaka-5565.herokussl.com  www.example.com, example.com  2014-05-18 09:32 UTC  True
Your endpoint will be different from that. Once you change your CNAME and/or ALIAS records to point to the SSL endpoint, you'll get your own certificate instead of the herokuapp wildcard.
Make sure you're not viewing the naked domain name, https://yourwebsite.com is not supported with SSL on Heroku, whereas https://www.yourwebsite.com is.
If this ends up being the issue you'll have to make sure the naked domain name redirects to a subdomain like www.
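
The name mismatch that recurs in the questions above (a custom domain answered with the *.herokuapp.com certificate) can be triaged from three facts: the names on the certificate the server presented, the current DNS target of the host, and the endpoint reported by heroku certs. The following is an added example, not code from any of the posts or from Heroku; the function names, result codes and sample hostnames are this example's own assumptions.

```python
# Added example. Result codes are labels chosen for this sketch, not Heroku terms.

def name_matches(pattern, host):
    """Certificate name match: '*' may only stand for the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False  # '*' never spans a dot and never matches the bare parent
    if p[0] == "*":
        return len(p) > 2 and h[0] != "" and p[1:] == h[1:]
    return p == h

def cert_covers(host, cert_names):
    """True if any CN/SAN name on the certificate matches the requested host."""
    return any(name_matches(n, host) for n in cert_names)

def diagnose(host, dns_target, presented_names, endpoint):
    """Return (code, advice).

    host            - name typed into the browser
    dns_target      - where the CNAME/ALIAS for host currently points
    presented_names - names on the certificate the server actually returned
    endpoint        - endpoint listed by `heroku certs` for this app
    """
    if cert_covers(host, presented_names):
        return ("ok", "certificate lists " + host)
    target = dns_target.lower().rstrip(".")
    expected = endpoint.lower().rstrip(".")
    shared = any(n.lower().endswith("herokuapp.com") for n in presented_names)
    if target.endswith(".herokuapp.com"):
        return ("repoint-dns", f"point {host} at {expected}, not {target}")
    if target == expected and shared:
        return ("stale-dns", "record is right; a resolver still serves the old target")
    if target == expected:
        return ("cert-missing-name", f"endpoint certificate does not list {host}")
    return ("unexpected-target", f"expected {expected}, found {target}")

if __name__ == "__main__":
    ENDPOINT = "example-1234.herokussl.com"          # constructed placeholder
    WILDCARD = ["*.herokuapp.com", "herokuapp.com"]  # names from the browser warning
    print(diagnose("www.example.com", "example.herokuapp.com", WILDCARD, ENDPOINT))
    print(diagnose("www.example.com", ENDPOINT, WILDCARD, ENDPOINT))
    print(diagnose("example.com", ENDPOINT, ["www.example.com"], ENDPOINT))
```
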