Good morning,
I am attempting to update my SSL certificate on Heroku but keep on getting a error:
! Bad response from SSL Endpoint provider. Please try again later.
I have gone though the steps to create a bundle multiple times with no luck. From what I can tell this can mean there is an issue with my certificate or that there is an issue with Herokus services. There is mention of the SSL Doctor tool provided by Heroku, but the Github repo says to use the Toolkit but I have not been able to find any documentation on what the command is or how to use it.
I thought about removing my current SSL key but I have been at this for weeks and I don't want SSL to be down for that long.
Anyone experience this before, or know how to use SSL Doctor (or if SSL Doctor will even help).
Thanks in advance!
I ran into the same problem. It turns out - I was using the Heroku gem to handle the operations. All I had to do was uninstall the Heroku gem, and then install the latest toolbelt from Heroku. The worst part about this problem was that it failed silently. :(
Related
To start with I really don't want to pay for hobby dyno on heroku. I am well aware of their ACM process. I am trying to be a little careful with spends as I am testing something.
My current setup is as follows:
Namecheap (domain xyz.com) -> xyz.herokuapp.com (with DNS Name configured correctly)
This is configured correctly and works great for HTTP. I have a task at hand to obtain certifactes from LetsEncrypt (because they are free), and integrated it to app deployed on heroku.
The app is a simple react-app, built using create-react-app. I have followed the steps to obtain a certificate from LetsEncrypt, and the certbot is asking me to place the certificate in this path public/.well-known/acme-challenge/<cert-string>. The content of the file in that path contains the .
The problem I am having is, the route localhost:3000/.well-known/acme-challenge/<cert-string> works well in my dev environment. When I deployed the react app to heroku, the route /.well-known/acme-challenge/<cert-string> is heading to a 304 and I am unable to facilitate the certbot to complete the validation step.
After a few hours of debugging I understood the architecture inside heroku better, and I have understood that this is a heroku buildpack related problem. My current understanding of the issue is as follows:
heroku blocks access to /.well-known/acme-challenge/<cert-string>
and I have to find a way to unblock this ^ .. so that certbot can validate my cert process.
I did some research and understood that there is a way to by-pass the nginx.conf. Is this really possible?
Looking for some guidance here.
Edit1
I have tried some approaches here https://github.com/heroku/heroku-buildpack-php/issues/218 - they did not work well.
This is my first time getting an SSL certificate for my website. I followed this tutorial https://devcenter.heroku.com/articles/automated-certificate-management
heroku certs:auto displays that Status is "Cert issued". I get no errors. I use git push and the website is still not certified. What could I be doing wrong?
Old question, but if anyone else runs into this problem, which I was just battling myself, here was my problem:
When following the Heroku dev center guide on how to point a custom domain to your herokuapp, the guide says, among other things:
"Create a CNAME record to map from www.example.com to example.herokuapp.com or your SSL endpoint if using SSL."
Neither one of these alternatives are, however, the way to go now (SSL endpoint is considered legacy at Heroku). Instead, once you have added your custom domain correctly, simply:
In Heroku CLI, run "heroku certs:auto:enable" to enable ACM.
Point your domain's DNS records at the Heroku DNS target for your custom domain, which you can find by running "heroku domains"
Wait a little.
This should do it.
Yesterday, I added a RapidSSL certificate, but going to supplybetter.com still gives an SSL mismatch warning, and the heroku certificate rather than mine is being presented. I'd like to get this working and get rid of the warning as soon as possible.
To get the certificate, I followed the instructions in this tutorial, with the exception that there was no analogue to "../ssldir/myapp_mydomain_com_chain.key" in step 16, so I used the _chain-less .key file, the only one I had. My PEM is composed of my CRT followed by the intermediate CRT, with spacing / newlines correct after checking.
My DNS is through Badger.com, which interacts with Heroku; current records shown below. This post recommends adding a cname that I don't have, but there's no way for Badger to do that without uninstalling the Heroku plugin; it only allows one input, a "_______.herokuapp.com" address, and does the rest.
Results of heroku certs and ssl
matt$ heroku certs
Endpoint Common Name(s) Expires Trusted
------------------------ -------------------------------------- -------------------- -------
osaka-8681.herokussl.com www.supplybetter.com, supplybetter.com 2014-03-09 23:27 UTC True
matt$ heroku ssl
supplybetter.com has no certificate
www.supplybetter.com has no certificate
This question has been submitted to Badger and Heroku support; if there's not an accepted answer, I don't yet have a solution. Thank you for your help!
--
Heroku support:
"Hey,
So the tutorial you are following was for our legacy feature ssl:hostname which has been removed in place of ssl:endpoint. Running heroku certs, I see that your cert has been added properly. However, there is one final step, you need to point your CNAME to your ssl:endpoint osaka-8681.herokussl.com
Once you do that, just wait for the DNS to propagate and you should be good to go."
Issue now is that badger doesn't have a way I see of adding non-subdomain cnames, and their heroku app only takes things in ____.herokuapp.com format.
DNS does not support CNAME records for the domain apex ("non-subdomain"). Heroku docs recommend not using the apex domain. You DNS provider may provide a redirect-function from domain.com to www.domain.com that you can take advantage of.
DNSimple has a feature that let's you use the apex on Heroku, but you'd have to switch away from badger: http://support.dnsimple.com/questions/32831-How-do-I-point-my-domain-apex-to-Heroku
Badger support manually implemented the 3 A records that I needed, plus the correct CNAME to point to osaka.herokussl.com. My major mistake was that when faced with Badger's format to enter CNAMEs, _.domain.com, I didn't realize www would work. It's now propigated and working well.
Learned:
As of 3/8/13, Badger's Heroku plugin can't support custom domains, but they're possible to add manually
Badger support is very responsive
I'm following this tutorial and have read these issues but am still getting stuck configuring my purchased ssl certificate correctly. I'm getting hung up after running the command from step 5 in the tutorial referenced above and getting a
! App not found
error form heroku. Here is a list of domains I have setup within heroku (as an aside when I run heroku domains getting a no resource error as well..).
mydomain.herokuapp.com
mydomian.com
secure.mydomain.com
www.mydomian.com
And all of my cnames records with dnsimple are as follows.
mydomian.com points to proxy.herokuapp.com
www.mydomian.com points to proxy.herokuapp.com
secure.mydomain.com points to proxy.herokuapp.com
I have added the heroku ssl add on, my app name in heroku GUI is mydomain, and have followed steps 1-4 in the tutorial above I believe I have the ssl end correctly configured. I'm not sure what I am missing here to get the above error?
Thanks for your attention on this.
For those in similar situation here was the issue-
After reading this post I updated my .git file with the new name I had given the app. Which is why I was receiving the strange no resource found error above.
After this I just followed heroku documentation starting from here https://devcenter.heroku.com/articles/ssl-endpoint#upload-certificates thus deviating from the blog tutorial I referenced above, and everything seems to be configured correctly.
If you're going through the same process RapidSSL, heroku, DNSimple. I highly recommend following the blog tutorial referenced above and picking up on the heroku documentation linked here if you're interested in getting it up and running quickly.
I hope this helps save some time for someone in the future.
Sometimes this appears, sometime not. Its since two days in former good running apps.
CurlException: 60: SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed thrown in
With a former Version of the php SDK, I disabled CURLOPT_SSL_VERIFYPEER generally besause that never works. But the last two versions, now its the newest, worked until yesterday.Shout I disable something again? Is it the same method in the actual SDK? Writing from home, can't look inside.
Is it a message from the cert coming with the sdk or are that problems with the cert of https on my server?
You shouldn't disable CURLOPT_SSL_VERIFYPEER because of the security implications. The PHP SDK usually contains the needed certificate, but in your case it seems to have problems.
The best way to solve it is:
Download the Facebook SSL certificate here
Put it somewhere accessible by PHP
Tell the Facebook PHP SDK to use it:
Facebook::$CURL_OPTS[CURLOPT_CAINFO] = '/path/to/fb_ca_chain_bundle.crt';
I just ran into this same error (coworkers didn't have it) and the solution was to download a new copy of the Facebook API SDK from https://github.com/facebook/facebook-php-sdk. Apparently my version (and the certificate) was outdated.