Heroku ssl certs: Key could not be read since it's protected by a passphrase - ssl

I am having trouble generating ssl certs that Heroku will accept for secure.mydomain.com. I'm using DNSimple, Cedar Stack, and following the instructions here: https://devcenter.heroku.com/articles/ssl-certificate
1. Copy server.key & server.orig.crt from DNSimple
2. Get root CA certificate with $ curl https://knowledge.rapidssl.com/library/VERISIGN/ALL_OTHER/RapidSSL%20Intermediate/RapidSSL_CA_bundle.pem > rapidssl_bundle.pem
3. Concatenate into one file with cat server.orig.crt rapidssl_bundle.pem > server.crt
So now I have the server.key & server.orig.crt files, which I try to upload to Heroku with $ heroku certs:add server.crt server.key. This gives the error
Key could not be read since it's protected by a passphrase.
The docs above don't mention anything about removing the passphrase from the server.key file. So I dug around and found the docs here: https://devcenter.heroku.com/articles/ssl#customdomain-ssl. I'm running these commands between #1 and #2 above:
1b. $ mv server.key server.orig.key
1c. $ openssl rsa -in server.orig.key -out server.key
However this gives the error
unable to load Private Key
47930:error:0906D06C:PEM routines:PEM_read_bio:no start line:/SourceCache/OpenSSL098/OpenSSL098-47/src/crypto/pem/pem_lib.c:648:Expecting: ANY PRIVATE KEY
Which I suspect means there is no private key found.
Anyone know what is the issue here? Is this a Heroku issue or an openssl issue (or a DNSimple issue)?

I just struggled mightily with a nearly identical problem installing SSL Certs on a Heroku app with DNSimple and RapidSSL, and want to post my solution here in case someone with a similar problem comes across this response.
I had followed the directions from everywhere on SO and Heroku dev center to install certs through DNSimple and RapidSSL, but every time I tried to add the certs with the command:
$ heroku certs:add server.crt bundle.pem server.key
no matter what I did, I got this error:
$ Adding SSL Endpoint to mysite... failed
! Key could not be read since it's protected by a passphrase.
! Read instructions on how to remove the passphrase on:
! http://www.madboa.com/geek/openssl/#key-removepass
I knew the key didn't have a passphrase (because I went through that process multiple times) but it still didn't want to add them. I did two things that ultimately got it working though I'm not sure which one was the clincher.
First, I made sure to download the proper PEM file under the Apache, Plesk & CPA box from the RapidSSL email link to Intermediate certificates.
The second thing was to verify my Heroku toolbelt installation by going through the steps here: https://devcenter.heroku.com/articles/heroku-command#installing-the-heroku-cli
Turns out I was still using the gem and had to uninstall until I got to heroku-toolbelt, after which I tried adding the certs again and voila.

Struggled with this issue for days, until I came across this thread and followed the upgrade advice. The first thing I had to do was
gem uninstall heroku --all
I answered 'Yes' to the keep executable question, because of another post I had read on stackoverflow. I then went to https://toolbelt.herokuapp.com/ and installed the toolbelt (even though heroku --version was saying that it was installed). Upgraded it to heroku-toolbelt 2.39.0. Retried the following command and it worked:
heroku certs:add cert.cer bundle.pem server.key
Maybe I'll finally get some sleep tonight :)

This is really stupid, but as far as I can tell there was an issue with using TextEdit in Mac OS to save the initial server.key and server.orig.crt files.
I used TextMate instead and everything is working fine.

An old toolbelt installation was my problem on windows.
Even though heroku update changed the version number from 2.30.1 to 2.39.0, heroku version showed it wasn't updating correctly for some reason.
I reinstalled the toolbelt from https://toolbelt.herokuapp.com/ and tried it again, and everything worked.
heroku version now says this for me, and the certs:add works correctly:
heroku-gem/2.39.0 (i386-mingw32) ruby/1.9.2

I now got the same error, even with a recent heroku/7.47.6 (from npm).
The reason turned out to be that I got an elliptic-curve certificate from Let's Encrypt; the private key file contained:
-----BEGIN EC PRIVATE KEY-----
That's not supported according to https://devcenter.heroku.com/articles/acquiring-an-ssl-certificate:
Heroku only supports RSA keys for certs. Elliptic curve keys are not supported.
Once I obtained an RSA cert, it worked.
(specifically, dehydrated now defaults to --algo secp384r1, I had to provide --algo rsa. But the idea should be same with other tools/CAs, you need an RSA cert.)

For me the issue was that 1Password changed the newlines in the certificates into spaces, and replacing the spaces back with newlines helped (in the cert body, of course, not in the ----BEGIN CERTIFICATE---- part).
So check your cert/key contents; this may very well be a formatting issue.
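A small checker for the three key-file symptoms described in this thread (a passphrase-protected key, an EC rather than RSA key, and newlines turned into spaces by a password manager). This is an added example, not code from any of the posters or from Heroku; the PEM samples are constructed and the function names normalize_pem and lint_pem are my own.

```python
import re
import textwrap

# Matches one PEM block, capturing its label and its body (header lines + base64).
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)
PURE_B64 = re.compile(r"^[A-Za-z0-9+/=\s]+$")


def normalize_pem(text: str) -> str:
    """Re-wrap PEM bodies whose newlines were turned into spaces.

    Only bodies made of base64 plus whitespace are rewritten at 64 columns;
    blocks carrying legacy headers (Proc-Type/DEK-Info) are left untouched.
    """
    def rewrap(m: re.Match) -> str:
        label, body = m.group(1), m.group(2)
        if not PURE_B64.match(body):
            return m.group(0)
        lines = textwrap.wrap("".join(body.split()), 64)
        return "\n".join([f"-----BEGIN {label}-----", *lines, f"-----END {label}-----"])
    return PEM_BLOCK.sub(rewrap, text)


def lint_pem(text: str) -> list[str]:
    """Report the PEM problems seen in this thread; each finding starts with a code."""
    blocks = PEM_BLOCK.findall(text)
    if not blocks:
        # This is what openssl's "no start line" means: no -----BEGIN ...----- marker.
        return ["NO_START_LINE: no PEM block found; check the file is PEM, not DER/PKCS#12"]
    findings = []
    for label, body in blocks:
        stripped = body.strip()
        if "ENCRYPTED" in label or "Proc-Type: 4,ENCRYPTED" in body:
            findings.append(f"ENCRYPTED: the {label} block is passphrase-protected; Heroku needs it decrypted")
        if label == "EC PRIVATE KEY":
            findings.append("EC_KEY: elliptic-curve key; Heroku certs:add accepts RSA keys only")
        if "\n" not in stripped and len(stripped) > 64:
            findings.append(f"MANGLED: {label} body is a single line; newlines became spaces, run normalize_pem")
    return findings


# Constructed samples (not real keys or certificates).
MANGLED_CERT = "-----BEGIN CERTIFICATE----- " + " ".join(["Q" * 64, "Q" * 64, "Q" * 22]) + " -----END CERTIFICATE-----"
EC_KEY = "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIA\n-----END EC PRIVATE KEY-----\n"
ENC_KEY = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
           "DEK-Info: AES-256-CBC,00\n\nQUJD\n-----END RSA PRIVATE KEY-----\n")

if __name__ == "__main__":
    for sample in (MANGLED_CERT, EC_KEY, ENC_KEY, "not a pem file"):
        print(lint_pem(sample))
```

Run it against the actual server.key and server.crt you are about to hand to certs:add; an empty list from lint_pem means none of the three symptoms is present.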

Related

Unable to manually upload SSL certificate for Heroku app

I used letsencrypt to generate the certificate and the private key. All tested fine. Then I used heroku certs:add to add the cert and private key to my app:
sudo heroku certs:add --type=sni /etc/letsencrypt/live/appname.com-0001/fullchain.pem /etc/letsencrypt/live/appname.com-0001/privkey.pem --app appname
The command worked a few months back, and now it just shows the following:
Usage: heroku certs:add CRT KEY
then it will stop executing. So what should I do to add the cert and private key to Heroku? Thank you so much.
I resolved the issue by removing --type=sni from the original command, and everything works fine now.

SSL renew certificate on apache keeps using old certificate file

I'm trying to renew my SSL certificate but there is some problem I'm probably missing. After I've done the following steps the server keeps using the old certificate and I don't know why.
Here's what I have done:
1. Create a new csr file (domain.csr) + key file (domain.key):
openssl req -new -newkey rsa:2048 -nodes -keyout domain.key -out domain.csr
2. Copy the csr file content and paste it to my ssl provider + get approval.
3. Get 5 files from them and upload them to the server (domain.der, domain.pem, domain.cer, chain.cer, domain.p7b).
4. Set in the apache ssl.conf file:
SSLCertificateFile (domain.cer) SSLCertificateKeyFile (domain.key).
5. Restart apache.
For some reason my server is still using my old certificate.
Is there something I'm doing wrong?
Well you figured it out yourself but in case anyone else is in same situation, here's some of the things you can check.
First up check locally whether this works, by running the following openssl command on the server (a crucial step we skipped!):
openssl s_client -connect localhost:443
This will show the cert presented to the client from Apache. If that's not the right one, then you know Apache config is at fault. If it is the right one then something downstream is a problem.
In your case you terminate SSL at the load balancer and forgot to change the cert there. Another issue could be browser caching the SSL cert (restart it, Ctrl+F5 to force refresh or better yet try another browser or a third party website like ssllabs.com).
Assuming it's a problem with Apache then you need to check the config to check all instances of the cert have been replaced. The below command will show all the vhosts and what config they are configured in:
/usr/local/apache2/bin/apachectl -S
Alternatively just use standard find and grep unix commands to search your Apache config for the old or new cert:
find /usr/local/apache2/conf -name "*.conf" -exec grep olddomain.cer {} \; -print
Both those commands assume apache is installed in /usr/local/apache2 but change the path as appropriate.
If all looks good and you've definitely restarted Apache then you can try a full stop and restart as I have noticed sometimes a graceful restart of Apache doesn't always pick up new config. Before starting the web server back up again, check you can't connect from your browser (to ensure you're connecting to the server you think you're connecting to) and that the process is down with the following command:
ps -ef | grep httpd
and then finally start.
Another thing to check is that the cert you are installing is the one you think it is, using this openssl command to print out the cert details (assuming the cert is in x509 format but there are similar commands for other formats):
openssl x509 -in domain.cer -text
And last but not least, check the Apache log files to see if there are any errors in there. Though I would expect that to mean no cert is loaded rather than just the old one.
Good answer from #Barry.
Another aspect is that apache is not the front-most web server. From this conversation, it is possible that there are other web servers in front of apache.
Something like nginx. In our case it was AWS ELB. We had to change the cert in the ELB in order for it to change.
We had a similar problem to what #Akshay is saying above.
In order for the server to update the certificates we had to run some commands for Google Cloud Compute Engine Load Balancer:
gcloud compute target-https-proxies update
Hope this helps someone that is using GCP for hosting apache.

Error loading rsa private key - MUP to Deploy Meteor App at Digital Ocean w/SSL

I have a Meteor app I am deploying to a Digital Ocean Ubuntu server via MUP. It works great without SSL, but I can't figure out the SSL part.
I purchased a Comodo SSL Cert. They sent me 4 .crt files. I ran the following command:
cat cert1.crt cert2.crt cert3.crt mydomain.crt > ssl.pem
I then put that ssl.pem file in the root directory locally. Added "ssl": {"pem":"./ssl.pem"} to my mup.json file and ran mup setup -- everything is successful until:
[45.55.225.190] x Verifying SSL Configurations (ssl.pem): FAILED
-----------------------------------STDERR-----------------------------------
Trying to initialize SSL contexts with your certificatesError loading rsa private key
-----------------------------------STDOUT-----------------------------------
----------------------------------------------------------------------------
I'm not even sure how to troubleshoot this. I ran a quick find on the server and the ssl.pem is there, so mup successfully sent the file over, but it seems stud is not verifying the file or not finding it?
Turns out I was running into two different problems. First, you have to put the certificate files in a very specific order. Second, I was not including my key file. The command to create the .pem file needed was:
cat mydomain.crt COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt mydomain.nopass.key > ssl.pem
This blog post at DeveloperSide.NET helped me tremendously.

OpenShift with Comodo SSL

I am trying to upload the SSL certificates for my OpenShift gear's alias. I used the instructions here: http://cloudhostingsource.com/setup-ssl-certificate-openshift/
I am stuck however at the uploading part - I have already generated the CSR, activated the certificate. Every time I try to upload the files it takes me back to the same page without so much as a notification.
Comodo SSL sent me 4 files:
AddTrustExternalCARoot.crt
COMODORSAAddTrustCA.crt
COMODORSADomainValidationSecureServerCA.crt
myApp.crt
How do I upload these? There are three fields to upload for Openshift... Which do I load into SSL Certificate? Certificate chain? I have my private key and I know the keypass.
Thanks
Just wanted to post an update for this for users who run into this issue in the future... I'm not sure if it was because I had added a public SSH key via the RHC setup but nothing I did (no permutations of copy paste chaining, switching files around) would work via the file uploader.
In the end, before deciding to call Red Hat and QQ, I used the command line console to add the SSL files...
Here is the command I used:
rhc alias update-cert php www.myapp.com --certificate myApp.crt --private-key myApp.key --passphrase mypass
This link includes more info: https://access.redhat.com/documentation/en-US/OpenShift_Online/2.0/html/User_Guide/Using_Custom_SSL_Certificates1.html
TLDR: You don't need to combine any of the Comodo files, just use your file #4, your privatekey, and your passphrase (if you have one)
That's right!
First combine public with bundle:
cat dom_com.crt dom_com.ca-bundle >> dom_com.ALL.bundle
and upload both:
rhc alias update-cert app dom_com \
--certificate dom_com.ALL.bundle \
--private-key dom_com.key
And then you will obtain an A at https://www.ssllabs.com/ssltest/
You need to combine 1,2, and 3 into one chain certificate (in the correct order) and upload them in the chain certificate field, the key goes in the key field, and the myApp.crt goes in the certificate field.
I had a similar problem, and after some back and forth emails with the Certificate issuer, what helped me was to combine my site certificate with the Certificate chain into one file, and uploading it into the "SSL Certificate" field in OpenShift. I left the "SSL Certificate Chain" field blank, but of course I uploaded my public key in the "Certificate Private Key" field.

uploading ssl certificate to heroku

I've set everything up to secure my domain with ssl, I've received a certificate from my provider and I added the endpoint addon to heroku, however I'm having difficulties with uploading the certificates to heroku.
I have the following files:
CompleteCABundle.crt
www.domainname.crt
and some generated server.key and server.pass.key files.
I've tried to upload these to heroku with the certs:add command but so far it does not seem to be working.
What steps should be taken and which files exactly should be uploaded to heroku?
I haven't used Heroku before but I imagine a problem could be that you haven't combined the CA Bundle and your domain's certificate together into a single file before trying to upload them.
According to the Heroku docs here: https://devcenter.heroku.com/articles/ssl-endpoint there are only two arguments to the certs:add command.
You can combine the two .crt files with the following:
cat www.domainname.crt CompleteCABundle.crt > total-crt-chain.crt
Then try certs:add again (with this new bundle and your private key) and maybe see if this works.