I followed the instructions to the letter here -- https://devcenter.heroku.com/articles/ssl-certificate --, and they were helpful, especially since DNSimple is my registrar of choice. I got everything up and running as far as I know, purchased the certs (via DNSimple and RapidSSL), combined the crt and the CA bundle, and sent them up via the heroku client:
$ heroku ssl
www.website.com has a SSL certificate registered to /serialNumber=…
website.com has a SSL certificate registered to /serialNumber=…
But when I go to my apps (I even restarted them) they are still using the certs for *.herokuapp.com. Is there anything I've missed? Why would things be coming up as *.herokuapp.com?
From the top, here are the pieces provided to me from the related parties.
From DNSimple (on the cert details page) : Private Key
From DNSimple (on the cert details page) : Certificate
From RapidSSL's CA Download page (linked from DNSimple) : CA bundle "pem"
From email sent by RapidSSL / Geotrust : Web Server CERTIFICATE
From email sent by RapidSSL / Geotrust : INTERMEDIATE CA
I imagine that the "private key" is what I need in the second part of the heroku ssl:add dance: heroku ssl:add site.pem private.key
But it seems that I'm doing something wrong when I'm putting together the "pem" file for the first file I'm sending with heroku ssl:add. Of the pieces above - what needs to be combined in order for this to work?
I know this question is old, but I just hit the same problem and found the answer, at least in my case.
I had my DNS pointing to my-app.herokapp.com but the SSL endpoint is different. You can find the SSL endpoint like this:
$ heroku certs
Endpoint Common Name(s) Expires Trusted
------------------------ ---------------------------- -------------------- -------
osaka-5565.herokussl.com www.example.com, example.com 2014-05-18 09:32 UTC True
Your endpoint will be different from that. Once you change your CNAME and/or ALIAS records to point to the SSL endpoint, you'll get your own certificate instead of the herokuapp wildcard.
Make sure you're not viewing the naked domain name, https://yourwebsite.com is not supported with SSL on Heroku, whereas https://www.yourwebsite.com is.
If this ends up being the issue you'll have to make sure the naked domain name redirects to a subdomain like www.
Related
I purchased my SSL certificate from GoDaddy.
I made the common name www.mywebsite.com.
In my DNS settings I have the website forwarding from the naked domain to the www.mywebsite.com.
I removed any settings inside Heroku regarding the SSL certificate from the GUI.
Then I went through the instructions here.
To recap, I generated my server.key by first creating the crs files and sending those to GoDaddy.
I purchased the $20/mo endpoint.
GoDaddy gives me a downloadable ZIP for my certificates, one with one certificate, and one with 3 certificates inside of it.
I run the following command to install the bundled version first with the following failing message that follows:
heroku certs:add server.crt server.key --type endpoint
No certificate given is a domain name certificate.
The reason I even tried to use the bundle is that my SSL doesn't work in firefox, and intermediary cert is not being included. After looking around for an answer on this, I couldn't find one.
So to get my website back up and running in the short term, I decided to just do what I did before, and upload the single cert. That works, but not really.
Now I get this message when I run the cUrl test:
* error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error
Also, my website is down. :(
How do I fix this?
The answer in my case seems to be that purchasing an SSL cert is not necessary on Heroku. When you purchase a paid hosting package they provide SSL certificates by default without having to buy their SSL add-on endpoint.
There are likely other use-cases for using a paid SSL cert, but in my case I didn't have to do that.
If this answer helped you please upvote this question as some people seem to think it's a question worth down voting.
I'm trying to set up SSL Automated Certificate Management with Heroku. I have my domain with Gandi and am having troubles setting the DNS target.
How Heroku says it should be set up:
Domain Name DNS Target
mydomain.com mydomain.com.herokudns.com
www.mydomain.com www.mydomain.com.herokudns.com
So ideally in Gandi I would have
Name Type Value
www CNAME www.mydomain.com.herokudns.com
# CNAME mydomain.com.herokudns.com
However, you cannot assign a root domain to a CNAME record, so the second line there wouldn't work.
Another way to do it could then be to use an A record
Name Type Value
www CNAME www.mydomain.com.herokudns.com
# A 1.2.3.4 (IP Address of my site)
But again this doesn't work because the IP address of Heroku hosted sites can change.
So I thought I found a work around, by forwarding mydomain.com to www.mydomain.com through Gandi's web forwarding. For my DNS Records I just have:
Name Type Value
www CNAME www.mydomain.com.herokudns.com
So now the website works, I can access it by going to www.mydomain.com or mydomain.com, but now my SSL certification isn't working!
My site still says "Your connection to this site is not secure"
When I check the status on Heroku I get:
Domain Status
─────────────── ───────
www.mydomain.com OK
mydomain.com Failing
I basically just learned most of how DNS works today, so I could be doing this completely wrong.
Any help is appreciated!
It's possible (and cheaper) to use heroku ssl certificate with gandi... You just need to be sure to set up a subdomain everytime. I believe naked subdomain or wildcards are not supported by heroku automated certs because of the let's encryption restrictions. As soon as the statues are ok for all of your subdomains, dont forget to force_ssl in your app, so every http request will be redirected to https. U can do it like this:
# config/environments/{staging,production}.rb
config.force_ssl = true
VERY IMPORTANT! Don't forget to remove or edit any unsercured links to external assets. Otherwise browsers will jugde the page with those links unsecured as described in the Modzilla support page about mixed content.
Once all of this is done, U see the satifying green lock on every pages of your app :D.
Ok, so apparently it is impossible to use Heroku's SSL certificate with Gandi, so I ended up going with Gandi's SSL certificate instead. If anyone needs a tutorial here's a great one by Le Wagon
https://vimeo.com/209534466
Just a follow up for this question with my experience. I purchased a domain name from Gandi and use permanent web forwarding to forward the domain name to my heroku application. I also add custom domain(the one I bought) to heroku console.
Domain Name DNS Record Type DNS Target
───────────────── ─────────────── ───────────────────────
xshogi.com.tw ALIAS or ANAME xshogi.com.tw.herokudns.com
www.xshogi.com.tw CNAME www.xshogi.com.tw.herokudns.com
I could not successfully adopt heroku ACM to configure my domain even though I had paid for hobby plan.
I followed the tutorial video that Johnnybib posted.
create server.crs and server.key in project with openssl req -nodes -newkey rsa:2048 -sha256 -keyout server.key -out server.csr
go to purchase SSL certificate page in Gandi
cat server.csr and paste it to Gandi console
pay and wait for authentication done to finish this bill
download .crt and .pem certificate and concatenate them together into all.crt
use heroku certs:add --app xshogi all.crt server.key
Also, remember to change CNAME www from webredir.vip.gandi.net. to xshogi.com.tw.herokudns.com.
All set up and wait for a short while, I can curl https://www.xshogi.com.tw. I can also connect to https://www.xshogi.com.tw in browser and the URL does not change to https://xshogi.herokuapp.com.
You can actually use heroku's SSL serts.
What you can do in Gandi is redirect to https://www.yoursite.com :)
Considering that you changed your DNS settings to the ones heroku provided.
I am currently using CloudFlare and recently added an SSL certificate to my script.
Before hand, I added an A record (proxied with CloudFlare) that pointed to my TS IP. It worked like this: ts.domain.net:PORT
However, after I added the SSL cert, it doesn't seem to work anymore.
If it matters, my main site IP is also (of course) proxied under CloudFlare
Thanks!
Every certificate contains one or more Subject Alternative Names. You can use the certificate only on domains that are listed as SAN within the certificate, as long as you don't have a wildcard certificate that can be used on a all subdomain, eg. *.mydomain.net.
Therefore for your TS server you need a certificate that contains the SAN ts.domain.net. If your current certificate is only for domain.net you need another certificate for your Teamspeak subdomain.
I have just installed a wildcard ssl certificate on a custom domain, this is working fine for any subdomain of *.example.com. I can verify that the correct ssl certificate is being issued.
However the problem is with www. which is issuing the Bluemix certificate not my own certificate.
In the browser i am getting "Your connection is not private"
This server could not prove that it is www.example.com; its security certificate is from *.eu-gb.mybluemix.net. This may be caused by a misconfiguration or an attacker intercepting your connection.
I am guessing that the problem is with Bluemix, how can i get Bluemix to serve up my certificate for www, baring in mind that it is serving up my certificate for other subdomains.
All help will be greatly recieved
I have fixed this issue, the problem was with the DNS setup.
The key piece of information for me, was that my dns was point to 2 IP's of Bluemix 5.10.124.142, and 5.10.124.141, therefore only serving up my certificate on one, and the Bluemix default certificate on the other
From googling how to add a custom domain, i added a CNAME record to point to *****.eu-gb.mybluemix.net and an A record to 5.10.124.142
This is wrong, i need to change my CNAME record to be my actual domain now.
I have purchased an SSL certificate and installed it to my Heroku app.
However when I try to access my site via https, Chrome reports that:
The identity of this website has not been verified. • Server's
certificate does not match the URL.
Other browsers report a similar message.
Inspecting the certificate information in Chrome shows that my site is still using Heroku's certificate, issued by Digicert (instead of my own CA).
Any ideas as to what I could be missing?
The problem had to do with an incorrectly set DNS record.
As per the documentation (...), once the certificates are uploaded to Heroku, do:
heroku certs
This provides you the correct end point for the SSL enabled domain. This is a domain that looks like "tokyo-2121.herokussl.com".
Next, go to your DNS service provider and update/add the CNAMe record for the SSL enabled domain to point to "tokyo-2121.herokussl.com".