Trouble with Heroku SSL Endpoint - ssl

I am trying to add an SSL cert to Heroku. The cert was purchased from Network Solutions. I went through all of the steps and created a .csr file, uploaded that file to Network Solutions, downloaded their bundle of .crt files (MYSITE.crt, AddTrustExternalCARoot.crt, NetworkSolutionsDVServerCA.crt) and then combined the site cert & the intermediate certificate (AddTrustExternalCARoot.crt) bundles. When I try to add the final.crt file I produce to Heroku I get:
! Expires at can't be blank
! Pem is invalid
Using Preview I can clearly see that "Not Valid After" is set so I am not really sure what is going on here.
For what it's worth, I also tried combining NetworkSolutionsDVServerCA.crt with MYSITE.CRT & also combining all 3. All with no luck.
This kind of thing isn't my strong point (I am sure you can tell) so it's very possible I am missing something, but if you have any ideas on what it might be I would appreciate it.
Thanks

I faced the same problem today.
Below are the steps I followed to fix it.
Combine the certificate files in the below order (from the site certificate to the root certificate) into a .crt or .pem file. Let's assume you name it Mysite_combined.crt.
MySite.crt, NetworkSolutionsDVServerCA.crt, AddTrustExternalCARoot.crt
Open Mysite_combined.crt; the content of the file will look like:
-----BEGIN CERTIFICATE-----
..
-----END CERTIFICATE----------BEGIN CERTIFICATE-----
..
-----END CERTIFICATE----------BEGIN CERTIFICATE-----
Now insert a line feed between each certificate. Make sure there is no white space or blank line in the edited file. The content should now look like:
-----BEGIN CERTIFICATE-----
..
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
..
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Now add the certificate to Heroku using the command
heroku certs:add Mysite_combined.crt Mysite.key
Note: Since the Network Solutions certificate does not have a pass code, you can ignore the steps to remove the pass code on the Heroku site. If you use a key which has a pass code, refer to this article which details how to set up SSL for Heroku. You should do step 2 above in any case.

It's likely there was an error in cat'ing your cert together with the intermediate. You should look to see that there was not a missing line break, or extra line breaks that may have caused the error.

I had this problem as well and in my case it turned out to be the order of the arguments. Apparently the heroku utility expects the .crt file to precede the .key file.
In other words: heroku certs:add server.crt server.key

When I got this error, I had to add a newline at the end of my site.crt before running this command:
$ cat site.crt ca_bundle.pem > final.crt


Mandrill webhooks, SSL certificate verify failed, verify that the CA cert is OK

I've been getting this error for a long while:
POST to https://www.xxxxxx.com/hook/mandrill/quotations/opened failed: SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
I got my certificates renewed by Comodo recently & ever since, I've been getting these errors.
It still seems to work though, but I'm worried some of the webhooks might not get through.
Is someone getting these errors as well? Might it be a problem on their side? Because I have checked my website on https://www.sslshopper.com/ssl-checker.html and it seems to be perfectly fine.
Also I'm hosting my website on Amazon
Thanks
This is an issue with your installed SSL certificate. You most likely did not combine the .crt file and the .ca-bundle file they provided to you and only installed the .crt file. Comodo provides the following two files in the zip package they make available to you:
_yourdomain_com.crt
_yourdomain_com.ca-bundle
The .ca-bundle includes all your intermediate certificates. You need to combine the contents of the two above files together. Your output .crt file would look something like:
-----BEGIN CERTIFICATE-----
contents of original crt file
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
contents of 1st cert in ca-bundle file
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
contents of 2nd cert in ca-bundle file
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
etc...
-----END CERTIFICATE-----
You must list the original certificate as the first certificate in the output file. Then comes the intermediate certificates in your bundle.
Replace the .crt file that your server is pointing to with the above output .crt file. No need to change any of the web server configurations for either Apache or Nginx - both support bundled certificates. Make sure to restart your web server once the changes are made.
Before you make any of the above changes, you can actually see whether or not the missing .ca-bundle is causing your error by running an SSL test against your domain. In the results section after the test finishes, look for Additional Certificates. The results will state that you are missing certificates if you do not have the appropriate intermediate certificates in your .crt file.

Heroku SSL: install intermediate cert?

My registrar, gandi, gave me an intermediate cert to install, so I have 3 files:
Private key file (server.key)
Certificate file (mycert.crt)
Intermediate cert (GandiSomething.pem)
I'm using the SSL Beta service on Heroku. The Heroku CLI command heroku certs:add takes exactly two arguments, CRT and KEY. How do I install the intermediate cert?
Paul is right, you can combine certificates:
cat ssl.crt middle.crt root.crt > all.crt
Make sure there are newlines at the end of the cert files!
And upload it to Heroku (use add if you haven't got an SSL Endpoint yet):
heroku certs:update --app $YOUR_APP --confirm $YOUR_APP all.crt private.key
But there are some tricks you mustn't forget:
Update your DNS CNAME record. Change the target from <app>.herokuapp.com to secure <domain>.herokudns.com (be careful: if you have a *.your.domain record it can catch requests and forward them to another server)
Check the cert chain works right: SSL Checker
Flush local DNS: Flush DNS tips (antivirus software can also patch and cache your connections)
Restart your browser (to flush browser's cache too)
Check your app in the browser over an https:// connection
The solution here is to combine the intermediate cert and the generated cert into one file, as described here. Because that link is shady, here's how the cert file should look once combined:
-----BEGIN CERTIFICATE-----
MIIEKjCCAxKgAwIBAgIEOGPe+DANBgkqhkiG9w0BAQUFADCBtDEUMBIGA1UEChML
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
wfsm5p9GJKaxB825DOgNghYAHZaS/KYIoA==
-----END CERTIFICATE-----
Then, this command will work:
heroku certs:add --app name-of-my-app file-with-combined-certs.crt myserver.key
Just pass it in as an argument. Put the intermediate in the middle, it takes it as another argument. Then check heroku certs and report back if it doesn't work.

Why is HAProxy unable to load certificates generated by letsencrypt?

HAProxy is unable to load .pem files generated by letsencrypt, why is this?
The error I'm seeing is:
parsing [/haproxy.cfg:37] : 'bind :443' : unable to load SSL private key from PEM file '/certs/cert0.pem'.
The contents of the PEM file are:
The problem is that I was using the fullchain.pem file generated by letsencrypt. Instead, one should concatenate it together with 'privkey.pem' (also generated by letsencrypt) into a single .pem file.
I could only fix this by using cert.pem instead of fullchain.pem when concatenating.
cat cert.pem key.pem > haproxy_cert.pem
Taken from https://www.haproxy.com/blog/haproxy-ssl-termination/:
frontend www.mysite.com
bind 10.0.0.3:80
bind 10.0.0.3:443 ssl crt /etc/ssl/certs/mysite.pem
default_backend web_servers
The ssl parameter enables SSL termination for this listener. The crt parameter identifies the location of the PEM-formatted SSL certificate.
This certificate should contain both the public certificate and private key.
To be honest, according to my experience deploying HA Proxy with TLS/SSL end-to-end with a minimum of 2 nodes as backend servers, this statement is somewhat true. In fact, HA Proxy requires fullchain.pem (instead of cert.pem) + privkey.pem as a single file. Not using fullchain.pem will lead to messages in systemd like unable to load cert or things like that.
In a nutshell, you shall do:
$ cat fullchain.pem privkey.pem > /etc/haproxy/mydomain_certs/mydomain.pem
And not:
$ cat cert.pem privkey.pem > /etc/haproxy/mydomain_certs/mydomain.pem
This article has a valuable example.
Just adding the issue that I encountered. The cat command concatenated the files without a newline between them. I manually inserted a newline (using vim) and it worked.
Also in my case I got three files from the registrar: crt, ca-bundle, and p7b. I just want to add that all I needed was the private key file and the crt file (so ca-bundle and p7b were not used).
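The fixes above (the Heroku steps that insert a line feed between fused END/BEGIN markers, and the HAProxy requirement that the certificate chain precede the private key in one file) as an added Python example; this is not code from any of the answers, and pem_blocks, build_bundle and the sample PEM texts are constructed for illustration.

```python
import base64
import re

# One PEM block; matches even when a missing line feed fused "-----END CERTIFICATE-----"
# onto the next "-----BEGIN CERTIFICATE-----", and tolerates CRLF line endings.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def b64_sample(text):
    """Base64-encode a constructed string (only used to build sample input)."""
    return base64.b64encode(text.encode()).decode()

def pem_blocks(pem_text):
    """Return (label, base64 body) pairs in file order, rejecting undecodable bodies."""
    blocks = []
    for label, body in PEM_BLOCK.findall(pem_text):
        b64 = "".join(body.split())           # drop newlines and stray spaces
        base64.b64decode(b64, validate=True)  # raises binascii.Error on junk
        blocks.append((label, b64))
    return blocks

def build_bundle(*pem_texts, expect_key=False):
    """Join PEM texts (certificates first, then optionally one private key) into a
    clean bundle: 64-column base64, a line feed after every END marker, no blank lines."""
    blocks = [blk for text in pem_texts for blk in pem_blocks(text)]
    if not blocks:
        raise ValueError("no PEM blocks found in the input")
    certs = [i for i, (label, _) in enumerate(blocks) if label == "CERTIFICATE"]
    keys = [i for i, (label, _) in enumerate(blocks) if label.endswith("PRIVATE KEY")]
    if expect_key and len(keys) != 1:
        raise ValueError("bundle must contain exactly one private key")
    if keys and certs and max(certs) > min(keys):
        raise ValueError("certificates must precede the private key")
    out = []
    for label, b64 in blocks:
        body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
        out.append("-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, body, label))
    return "".join(out)

# Constructed sample input (not real certificates): two blocks whose END and BEGIN
# markers were fused by a cat without a trailing newline, plus a constructed key.
FUSED_CERTS = ("-----BEGIN CERTIFICATE-----\n" + b64_sample("constructed leaf") +
               "\n-----END CERTIFICATE----------BEGIN CERTIFICATE-----\r\n" +
               b64_sample("constructed intermediate") + "\n-----END CERTIFICATE-----")
SAMPLE_KEY = ("-----BEGIN PRIVATE KEY-----\n" + b64_sample("constructed key") +
              "\n-----END PRIVATE KEY-----\n")

if __name__ == "__main__":
    print(build_bundle(FUSED_CERTS, SAMPLE_KEY, expect_key=True), end="")
```

Run it against the real files by reading them with open() and passing their contents in order (leaf, intermediates, then the key for HAProxy), writing the returned string to the bundle file.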

Heroku Updating SSL endpoint failed - No key found that signs the certificate

I am trying to replace my SSL cert on my Heroku Rails app.
I have reissued the SSL cert and am trying to update the SSL end point.
However, when I run the following command I get this error.
heroku certs:update server.crt intermediate.crt server.key -a my_rails_app
Resolving trust chain... failed
! No key found that signs the certificate.
First off here are some good links to help you with this.
https://devcenter.heroku.com/articles/ssl-endpoint
https://gist.github.com/shripadk/552554
https://www.resumonk.com/blog/setup-ssl-certificate-heroku/
I reissued my SSL cert and when I got it in an email I copied the whole thing not just the Cert information.
Afterwards Heroku ran the update without issues.
server.crt
Web Server CERTIFICATE
-----------------
-----BEGIN CERTIFICATE-----
MIIFKDCCBBCgAwIBAgIDEet1MA0GCSqGSIb3DQEBBQUAMDwxCzAJBgNVBAYTAlVT
IWAr5kQ/k2Hy4jXxHpqWMbK/SNu/UIlJM/xjyVvANy43orc2zBnGIPrzECMBWAP1
Xbkz4PUm4DuD8bRrkN7q9VKrssROFXkrl/teOg==
-----END CERTIFICATE-----
INTERMEDIATE CA:
---------------------------------------
-----BEGIN CERTIFICATE-----
MIID1TCCAr2gAwIBAgIDAjbRMA0GCSqGSIb3DQEBBQUAMEIxCzAJBgNVBAYTAlVT
knYYCnwPLI6FoOpC+ZNmZzYV+yoAVHHb1c0XqtK
LEL2TxyJeN4mTvVvk0wVaydWTQBUbHq3tw==
-----END CERTIFICATE-----
After pulling my hair out over updating an existing SSL cert in Heroku, and wasting many, many hours, I came across a Heroku Add-On called Expedited SSL that makes this process so painless, it's almost too good to be true. But it is true. What I couldn't solve in the last 6 hours was just solved in literally 1 minute with this add-on.
I shall say no more.
I was getting the same error. In order to fix it, I had to pass the path to privkey.pem after fullchain.pem:
sudo heroku certs:update /etc/letsencrypt/live/domain_name/fullchain.pem /etc/letsencrypt/live/domain_name/privkey.pem -a tc-sales-portal
Hope it helps

How to generate the Certificate Chain for AWS load balancer?

I'm using Amazon Load Balancer with SSL configuration. Everything went fine except on Firefox, which shows the exception page. It does not look safe to the user.
This article suggests putting the Certificate Chain in the configuration section.
My SSL provider is Comodo (InstantSSL). They provide two files .crt and .ca-bundle only.
How can I generate the Certificate Chain?
You can cat the .crt and the .ca-bundle file together. That's what we wound up doing using a service called OpDemand, which is backed by AWS.
cat certfile.crt bundle.ca-bundle >> chain.crt
chain.crt should be the file you're looking for. Also, the order is important. The certificate.crt file has to be first.
Use the Root.crt and Intermediate.crt content and arrange them in the following order. You can create this file manually as well:
-----BEGIN CERTIFICATE-----
<Root content>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<Intermediate content>
-----END CERTIFICATE-----
More Information
Comodo should provide you with the Certificate Chain. This is not something that you can generate yourself. A quick Google search suggests you should be able to download it from here: https://support.comodo.com/index.php?_m=downloads&_a=view&parentcategoryid=1