Is it possible to have many SSL certificates in the single Heroku Application ?
We have multiple domain names of different types and TLD's pointing to our application and need to secure each domain name. Preferably without redirecting to a different secure URL.
There is a way to have multiple SSL endpoints routing traffic to the same app.
An SSL endpoint works by terminating the SSL connection and injecting the unencrypted traffic back in to the normal Heroku routing layer.
You can take advantage of this by creating a new app with a new SSL endpoint to terminate the SSL connection and route the traffic to your existing app:
Add your domain name to your app:
$ heroku domains:add ssl.example.com
Create a new app:
$ heroku create endpoint-for-example-com
Add the SSL endpoint add-on ($20/mo):
$ heroku addons:create ssl:endpoint --app endpoint-for-example-com
Add your certificate to your new app:
$ heroku certs:add server.crt bundle.pem server.key --app endpoint-for-example-com --type endpoint
Resolving trust chain... done
Adding SSL Endpoint to endpoint-for-example-com... done
endpoint-for-example-com now served by kagawa-1482.herokussl.example.com
Use the ssl endpoint assigned to your new app (e.g. kagawa-1482.herokussl.example.com) as the CNAME host for the domain name you wish to secure. This is normally done in your domain's DNS configuration.
The new app does not need any dynos, but there will be a charge of $20 / month for the SSL endpoint add-on.
Notes:
This solution is not documented by Heroku, so it's possible that they
would remove or change this behaviour in the future. Heroku have confirmed that this is safe for production use.
Be sure to create your endpoints in the same region as your primary app.
It might take a while for your DNS changes to take effect.
Recently heroku has added automatic LetsEncrypt TLS certificates for paid dynos, hobby and up. This will work across any number of domains and subdomains automatically. This method only works if you don't need wildcard subdomains.
Additionally you can manage the LE certification yourself across multiple domains and subdomains, with certbot
certbot certonly --standalone -d example.com -d www.example.com -d test.net
You can refer to this heroku doc for uploading custom certificates.
While not the exact same as OP's question, I was able to achieve this on Heroku with a single SAN (Subject Alternative Name) certificate for about $25/year.
I generated a CSR with multiple subject alternative names (subjectAltName) in OSX by:
Copying /System/Library/OpenSSL/openssl.cnf to the current directory, and amending the relevant sections ([req] and [v3_req]):
[req]
req_extensions = v3_req
[v3_req]
subjectAltName=DNS:www.example1.com,DNS:www.example2.com,DNS:www.example3.com
Then I used this new .cnf when generating the CSR:
openssl req -nodes -newkey rsa:2048 -keyout server.key -out server.csr -config openssl.cnf
I purchased the cert from SSLs.com. Their Comodo "PositiveSSL Multi-Domain" is $25.99/yr as of this writing and support from 3-100 domains (domains over 3 cost something like $12).
I concatenated the CA bundle and .crt that I was sent into a single .crt (in that order) and added it to Heroku. All 3 domains were added to the app and pointed to the same CNAME, and all resolve over https:// as expected.
Much cheaper than $240/yr for an additional endpoint, if this is a viable route for anyone interested.
Relevant links:
https://stackoverflow.com/a/8520510/630614
http://apetec.com/support/GenerateSAN-CSR.htm
I'm dealing with this myself. Heroku suggests getting a SAN/UCC certificate, which lets you list multiple several domains. Just did it with GoDaddy and it's working fine so far.
https://devcenter.heroku.com/articles/ssl-endpoint#serving-multiple-domains
We have multiple domain names belonging to multiple companies. A SAN/UCC certificate is only available for domain names owned by the same entity/company/individual. We created an iFrame in the background as a quick-fix but we have since moved our platform to our own infrastructure.
Related
Can anyone help me with the pricing and support for Subdomain for Google-managed SSL certificate in Load Balancing.
I am working with https for Static website.
https://medium.com/#marco_37432/create-a-custom-domain-cdn-with-google-beta-7ad9531dfbae
I want to create a Subdomain with admin.example.com to link Google-managed SSL certificate in Load Balancing
But with Google docs I can see "Its not supporting wildcard common names or multiple subject alternate names" I cant understand, Can any one explain me and can I use create admin.example.com to link Google-managed SSL certificate.
With pricing I can see its free in https://geekflare.com/google-managed-certificate-lb/ Can I find them google Document to confirm.
Google Cloud Managed SSL Certificates are free.
You can only use Google Managed SSL Certificates with Google services such as load balancers. You cannot use them on services you control. Google does not make the certificate private key available.
Google services such as load balancers support more than one SSL certificate. Each Google managed certificate can only have one verified domain name. This can be a subdomain of a root domain you own/control. Wildcards are not supported.
If any of the above limitations affect you, then you will need to select self-managed certificates. You can easily create your own Let's Encrypt SSL certificates with Cloud Shell.
Example commands to run on Cloud Shell:
wget https://dl.eff.org/certbot-auto
chmod +x certbot-auto
./certbot-auto certonly --manual --preferred-challenges dns -d 'example.com' -d '*.example.com'
I wrote an article that covers this in detail here.
As of today (2020-01-28) Google supports multiple domains in a single certificate (in beta):
Cloud Load Balancing – multiple domain support for Google-managed SSL
certificates: beta
https://cloud.google.com/load-balancing/docs/ssl-certificates
https://cloud.google.com/load-balancing/docs/quotas#ssl_certificates
I purchased my SSL certificate from GoDaddy.
I made the common name www.mywebsite.com.
In my DNS settings I have the website forwarding from the naked domain to the www.mywebsite.com.
I removed any settings inside Heroku regarding the SSL certificate from the GUI.
Then I went through the instructions here.
To recap, I generated my server.key by first creating the crs files and sending those to GoDaddy.
I purchased the $20/mo endpoint.
GoDaddy gives me a downloadable ZIP for my certificates, one with one certificate, and one with 3 certificates inside of it.
I run the following command to install the bundled version first with the following failing message that follows:
heroku certs:add server.crt server.key --type endpoint
No certificate given is a domain name certificate.
The reason I even tried to use the bundle is that my SSL doesn't work in firefox, and intermediary cert is not being included. After looking around for an answer on this, I couldn't find one.
So to get my website back up and running in the short term, I decided to just do what I did before, and upload the single cert. That works, but not really.
Now I get this message when I run the cUrl test:
* error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error
Also, my website is down. :(
How do I fix this?
The answer in my case seems to be that purchasing an SSL cert is not necessary on Heroku. When you purchase a paid hosting package they provide SSL certificates by default without having to buy their SSL add-on endpoint.
There are likely other use-cases for using a paid SSL cert, but in my case I didn't have to do that.
If this answer helped you please upvote this question as some people seem to think it's a question worth down voting.
I'm trying to set up SSL Automated Certificate Management with Heroku. I have my domain with Gandi and am having troubles setting the DNS target.
How Heroku says it should be set up:
Domain Name DNS Target
mydomain.com mydomain.com.herokudns.com
www.mydomain.com www.mydomain.com.herokudns.com
So ideally in Gandi I would have
Name Type Value
www CNAME www.mydomain.com.herokudns.com
# CNAME mydomain.com.herokudns.com
However, you cannot assign a root domain to a CNAME record, so the second line there wouldn't work.
Another way to do it could then be to use an A record
Name Type Value
www CNAME www.mydomain.com.herokudns.com
# A 1.2.3.4 (IP Address of my site)
But again this doesn't work because the IP address of Heroku hosted sites can change.
So I thought I found a work around, by forwarding mydomain.com to www.mydomain.com through Gandi's web forwarding. For my DNS Records I just have:
Name Type Value
www CNAME www.mydomain.com.herokudns.com
So now the website works, I can access it by going to www.mydomain.com or mydomain.com, but now my SSL certification isn't working!
My site still says "Your connection to this site is not secure"
When I check the status on Heroku I get:
Domain Status
─────────────── ───────
www.mydomain.com OK
mydomain.com Failing
I basically just learned most of how DNS works today, so I could be doing this completely wrong.
Any help is appreciated!
It's possible (and cheaper) to use heroku ssl certificate with gandi... You just need to be sure to set up a subdomain everytime. I believe naked subdomain or wildcards are not supported by heroku automated certs because of the let's encryption restrictions. As soon as the statues are ok for all of your subdomains, dont forget to force_ssl in your app, so every http request will be redirected to https. U can do it like this:
# config/environments/{staging,production}.rb
config.force_ssl = true
VERY IMPORTANT! Don't forget to remove or edit any unsercured links to external assets. Otherwise browsers will jugde the page with those links unsecured as described in the Modzilla support page about mixed content.
Once all of this is done, U see the satifying green lock on every pages of your app :D.
Ok, so apparently it is impossible to use Heroku's SSL certificate with Gandi, so I ended up going with Gandi's SSL certificate instead. If anyone needs a tutorial here's a great one by Le Wagon
https://vimeo.com/209534466
Just a follow up for this question with my experience. I purchased a domain name from Gandi and use permanent web forwarding to forward the domain name to my heroku application. I also add custom domain(the one I bought) to heroku console.
Domain Name DNS Record Type DNS Target
───────────────── ─────────────── ───────────────────────
xshogi.com.tw ALIAS or ANAME xshogi.com.tw.herokudns.com
www.xshogi.com.tw CNAME www.xshogi.com.tw.herokudns.com
I could not successfully adopt heroku ACM to configure my domain even though I had paid for hobby plan.
I followed the tutorial video that Johnnybib posted.
create server.crs and server.key in project with openssl req -nodes -newkey rsa:2048 -sha256 -keyout server.key -out server.csr
go to purchase SSL certificate page in Gandi
cat server.csr and paste it to Gandi console
pay and wait for authentication done to finish this bill
download .crt and .pem certificate and concatenate them together into all.crt
use heroku certs:add --app xshogi all.crt server.key
Also, remember to change CNAME www from webredir.vip.gandi.net. to xshogi.com.tw.herokudns.com.
All set up and wait for a short while, I can curl https://www.xshogi.com.tw. I can also connect to https://www.xshogi.com.tw in browser and the URL does not change to https://xshogi.herokuapp.com.
You can actually use heroku's SSL serts.
What you can do in Gandi is redirect to https://www.yoursite.com :)
Considering that you changed your DNS settings to the ones heroku provided.
I've set everything up to secure my domain with ssl, I've received a certificate from my provider and I added the endpoint addon to heroku, however I'm having difficulties with uploading the certificates to heroku..
I have the following files:
CompleteCABundle.crt
www.domainname.crt
and some generated server.key and server.pass.key files.
I've tried to upload these to heroku with the certs:add command but so far it does not seem to be working.
What steps should be taken and which files exactly should be uploaded to heroku?
I haven't used Heroku before but I imagine a problem could be that you haven't combined the CA Bundle and your domain's certificate together into a single file before trying to upload them.
According to the Heroku docs here: https://devcenter.heroku.com/articles/ssl-endpoint there are only two arguments to the certs:add command.
You can combine the two .crt files with the following:
cat www.domainname.crt CompleteCABundle.crt > total-crt-chain.crt
Then try certs:add again (with this new bundle and your private key) and maybe see if this works.
I followed the instructions to the letter here -- https://devcenter.heroku.com/articles/ssl-certificate --, and they were helpful, especially since DNSimple is my registrar of choice. I got everything up and running as far as I know, purchased the certs (via DNSimple and RapidSSL), combined the crt and the CA bundle, and sent them up via the heroku client:
$ heroku ssl
www.website.com has a SSL certificate registered to /serialNumber=…
website.com has a SSL certificate registered to /serialNumber=…
But when I go to my apps (I even restarted them) they are still using the certs for *.herokuapp.com. Is there anything I've missed? Why would things be coming up as *.herokuapp.com?
From the top, here are the pieces provided to me from the related parties.
From DNSimple (on the cert details page) : Private Key
From DNSimple (on the cert details page) : Certificate
From RapidSSL's CA Download page (linked from DNSimple) : CA bundle "pem"
From email sent by RapidSSL / Geotrust : Web Server CERTIFICATE
From email sent by RapidSSL / Geotrust : INTERMEDIATE CA
I imagine that the "private key" is what I need in the second part of the heroku ssl:add dance: heroku ssl:add site.pem private.key
But it seems that I'm doing something wrong when I'm putting together the "pem" file for the first file I'm sending with heroku ssl:add. Of the pieces above - what needs to be combined in order for this to work?
I know this question is old, but I just hit the same problem and found the answer, at least in my case.
I had my DNS pointing to my-app.herokapp.com but the SSL endpoint is different. You can find the SSL endpoint like this:
$ heroku certs
Endpoint Common Name(s) Expires Trusted
------------------------ ---------------------------- -------------------- -------
osaka-5565.herokussl.com www.example.com, example.com 2014-05-18 09:32 UTC True
Your endpoint will be different from that. Once you change your CNAME and/or ALIAS records to point to the SSL endpoint, you'll get your own certificate instead of the herokuapp wildcard.
Make sure you're not viewing the naked domain name, https://yourwebsite.com is not supported with SSL on Heroku, whereas https://www.yourwebsite.com is.
If this ends up being the issue you'll have to make sure the naked domain name redirects to a subdomain like www.