I need to add SSL to my heroku custom domain. I have done through a wide variety of keys/crts/pems etc. All I want to do is have SSL on a heroku wildcard custom domain.
I bought a wildcard ssl certificate. I have a plan on DNSimple.com, and now I need to upload everything to the server.
What files do I need to add? How can I get them?
I have a Certificate and a private key from DNSimple, now I understand I have to upload a CRS file to DNSimple. Can someone offer a step-by-step, heroku's is very poorly designed and convoluted.
Right now, chrome gives me a big red user warning.
Thanks,
Brian
Hope you have gone through Heroku documentation for DNS simple-
https://devcenter.heroku.com/articles/ssl-endpoint
https://devcenter.heroku.com/articles/ssl-certificate-dnsimple
If still not working, let me know. Will post the steps needed to do this.
Related
I have installed ejabberd on a vm and i successfully made accounts and accessed the admin panel. I have tried to get https enabled via lets encrypt but i havent managed to get it running. After checking the docs, google as well as the forum here i still didnt find a useful description to get this done.
thanks in advance for any further information on that note.
There are a pair of paragraphs regarding Let’s Encrypt SSL certificates in this tutorial: https://www.process-one.net/blog/how-to-move-the-office-to-real-time-im-on-ejabberd/
Once you have setup the certificates, you can enable the tls option in several listeners, like ejabberd_c2s, and probably you want to enable in ejabberd_http too. See the first example here, concretely the configuration of port 5281:
https://docs.ejabberd.im/admin/configuration/listen/#examples
First let me state that I am a Linux noob. I am learning as I go here. Here is my situation. I have an Ubuntu 16lts server, with apache. The software we just installed comes with "samples" These samples are stored in the same directory structure as the program. The instructions have you add an alias and a directory to the apache2 config file. Like so
Alias /pccis_sample /usr/share/prizm/Samples/php
This actually worked :)
However now we want to make sure this site is SSL. I did manage to use openssl to import to Ubuntu the certificates we wanted to use. (i am open to using self signed though at this point its non prod so i dont care)
In trying to find out the right way to tell Apache i want to use SSL for this directory and which cert i want to use. Things went wonky on me. I did manage to get it to use ssl but with browser warning as one would epexct with a self signed cert. I had thought that i could just install the cert on our devs machines and that would go away. But no dice. Now in trying to fix all that i just done broke it. SOOOO What I am looking for is not neccessarily and spoon fed answer but rather any good tools, scripts, articles tips tricks gotchas that i can use to get this sucker done.
Thanks
You need to import your certificate(s) into the browsers trusted store. For each browser on each machine you test with. "What a pain!" you probably think. You are right.
Make it less painful - go through it once. Create your own Certificate Authority, and add that to your browsers trusted certificates/issuers listing. This way, you modify each one once, but then any certificate created by your CA certificate's key will be considered valid by those clients.
https://deliciousbrains.com/ssl-certificate-authority-for-local-https-development/
Note that when configuring Apache or other services, they will still need an issued/signed certificate that corresponds correctly to the hostname that is being used to address them.
Words of warning - consider these to be big, red, bold, and blinking.
DO NOT take the lazy way and do a wildcard, etc. DO keep your key and passphrase under strict control. Remember - your clients will implicitly trust any certificate signed by this key, so it is possible for someone to use the key and create certificates for other domains and effectively MITM the clients.
<--------- Update ---------->
So I tried using digicert instead of SSL Labs and this is what I got. This is why my ssl isn't working properly with CloudFlare and Heroku.
<--------------------------->
For some reason, my CloudFlare SSL isn't working properly and I continuously get this error. Really lost and could use some help. Below are screenshots of the error and my CloudFlare Crypto Settings.
I have fixed the issue here. Turns out it was a simple fix. All you have to do on CloudFlare is make sure the subdomains e.g. www are routed through cloudflare as well instead of through the primary host e.g. heroku.
You can do this by clicking on the cloud next do you CNAME record and making sure it's orange.
I also recommend using www.digicert.com instead of www.ssllabs.com because you get a lot more helpful information.
Cheers,
Have you tried using an SSL testing tool like https://www.digicert.com/help/ or https://www.ssllabs.com/ssltest/index.html ? They might help narrow down where the problem may be.
Good luck!
Yesterday, I added a RapidSSL certificate, but going to supplybetter.com still gives an SSL mismatch warning, and the heroku certificate rather than mine is being presented. I'd like to get this working and get rid of the warning as soon as possible.
To get the certificate, I followed the instructions in this tutorial, with the exception that there was no analogue to "../ssldir/myapp_mydomain_com_chain.key" in step 16, so I used the _chain-less .key file, the only one I had. My PEM is composed of my CRT followed by the intermediate CRT, with spacing / newlines correct after checking.
My DNS is through Badger.com, which interacts with Heroku; current records shown below. This post recommends adding a cname that I don't have, but there's no way for Badger to do that without uninstalling the Heroku plugin; it only allows one input, a "_______.herokuapp.com" address, and does the rest.
Results of heroku certs and ssl
matt$ heroku certs
Endpoint Common Name(s) Expires Trusted
------------------------ -------------------------------------- -------------------- -------
osaka-8681.herokussl.com www.supplybetter.com, supplybetter.com 2014-03-09 23:27 UTC True
matt$ heroku ssl
supplybetter.com has no certificate
www.supplybetter.com has no certificate
This question has been submitted to Badger and Heroku support; if there's not an accepted answer, I don't yet have a solution. Thank you for your help!
--
Heroku support:
"Hey,
So the tutorial you are following was for our legacy feature ssl:hostname which has been removed in place of ssl:endpoint. Running heroku certs, I see that your cert has been added properly. However, there is one final step, you need to point your CNAME to your ssl:endpoint osaka-8681.herokussl.com
Once you do that, just wait for the DNS to propagate and you should be good to go."
Issue now is that badger doesn't have a way I see of adding non-subdomain cnames, and their heroku app only takes things in ____.herokuapp.com format.
DNS does not support CNAME records for the domain apex ("non-subdomain"). Heroku docs recommend not using the apex domain. You DNS provider may provide a redirect-function from domain.com to www.domain.com that you can take advantage of.
DNSimple has a feature that let's you use the apex on Heroku, but you'd have to switch away from badger: http://support.dnsimple.com/questions/32831-How-do-I-point-my-domain-apex-to-Heroku
Badger support manually implemented the 3 A records that I needed, plus the correct CNAME to point to osaka.herokussl.com. My major mistake was that when faced with Badger's format to enter CNAMEs, _.domain.com, I didn't realize www would work. It's now propigated and working well.
Learned:
As of 3/8/13, Badger's Heroku plugin can't support custom domains, but they're possible to add manually
Badger support is very responsive
I have two "Web Sites" running under IIS6 (Windows Server 2003R2 Standard), each bound to a separate IP address (one is the base address of the server).
I used SelfSSL to generate and install an SSL certificate for development purposes on one of these sites and it works great. I then run SelfSSL to generate a certificate for the second site and the second site works, but now the first site is broken over SSL.
I run SSL Diagnostics and it tells me:
WARNING: You have a private key that corresponds to this certificate but CryptAcquireCertificatePrivateKey failed
If I re-run SelfSSL on the first site (to fix it), the first site works but then the second site is broken.
It seems like SelfSSL is doing something in a way that is designed to work with only one Website, but I can't seem to put my finger on exactly what it's doing and figure out how to suppress it. I would manually configure SSL but I don't have a certificate server handy, but maybe there is a way to get SelfSSL to just gen the cert and let me install it?
FWIW I have also followed the guidance of several posts that indicate changes to the permissions of the RSA directory are in order, etc. but to no avail. I don't work with SSL everyday so I may be overlooking something that someone with more experience might notice, or perhaps there is a diagnostic process that I could follow to get to the bottom of the issue?
We had a similar problem today. Our IT guy said he solved it by basically using ssldiag instead of selfssl to generate the certs.
See the reply from jayb123 at this URL: http://social.msdn.microsoft.com/forums/en-US/netfxnetcom/thread/15d22105-f432-4d8f-a57a-40941e0879e7
I have to admit I don't fully understand what happened, but I'm on the programming side rather than the network admin side.