How to setup domain with SSL in Heroku - ruby-on-rails

I am trying to set up my own domain with an SSL certificate but I just can't get it right. Do I have to put the app URL as the DNS, or the DNS generated when I add my domain? I am using GoDaddy and I have seen a lot of tutorials, some of them saying that you have to use the *.herokuapp.com DNS and others saying the DNS generated in Heroku.
Also, when I look for my app in Google it says that the certificate is not valid for *.herokuapp.com, but the one I uploaded was for my personal domain!
Lastly, sometimes I get the error NET::ERR_CERT_COMMON_NAME_INVALID. Can someone help me, please?

Automatic Certificate Management (ACM)
The simplest solution doesn't even require you to buy an SSL certificate, but you do need a paid dyno on Heroku. The $7 hobby tier works fine.
1. Add the custom domain to your app's domains using the CLI or web interface:
   heroku domains:add www.custom-domain.com
2. Run heroku domains to see what your Heroku DNS target is (this is probably your-app.herokudns.com—note that this is not a .herokuapp.com domain).
3. Add a CNAME record in your DNS registrar pointing to your DNS target.
4. Enable ACM by running
   heroku certs:auto:enable
5. Wait for your certificate to be generated and enabled:
   It takes approximately 45 - 60 minutes to fully generate a TLS certificate for custom domains on your application. You can view the status of the certificate that is generated for all of your custom domains by running:
   heroku certs:auto
   If your status says “DNS Verified”, the process is not finished yet. It means we have verified your domain status and are still in the process of submitting it to Let’s Encrypt. The process will be complete when it says “OK”.
Congratulations! Your site should now have ACM enabled.
ACM is powered by Let's Encrypt, a fantastic free service for adding HTTPS to the web.
Custom certificates
It is also possible to set up HTTPS on Heroku using a custom TLS certificate. But ACM is much easier, and that's what I recommend using.
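As an added Ruby example (not part of the answer above or of Heroku's tooling), here are the two checks behind the original question: that the custom domain's CNAME points at the herokudns.com DNS target from `heroku domains` rather than at the herokuapp.com app URL, and that the certificate a browser receives actually names the custom domain, which is exactly what NET::ERR_CERT_COMMON_NAME_INVALID complains about. The certificates are self-signed and constructed in-process; `make_cert`, `cert_covers?` and `dns_target_ok?` are names chosen here.

```ruby
require "openssl"

# Constructed self-signed certificate naming the given hosts in subjectAltName.
# Sample data only; it stands in for the certificate a server would present.
def make_cert(common_name, san_hosts)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2                      # X.509 v3, required for extensions
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{common_name}")
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = cert
  sans = san_hosts.map { |h| "DNS:#{h}" }.join(",")
  cert.add_extension(ef.create_extension("subjectAltName", sans))
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  cert
end

# The hostname check a browser performs: a SAN entry (wildcards allowed) must
# cover the host in the URL bar, otherwise ERR_CERT_COMMON_NAME_INVALID.
def cert_covers?(cert, hostname)
  OpenSSL::SSL.verify_certificate_identity(cert, hostname)
end

# The CNAME for a custom domain must point at the herokudns.com DNS target,
# not at the herokuapp.com URL, which only presents the shared
# *.herokuapp.com certificate (the mismatch reported in the question).
def dns_target_ok?(cname_target)
  cname_target.downcase.chomp(".").end_with?(".herokudns.com")
end

if __FILE__ == $0
  shared = make_cert("*.herokuapp.com", ["*.herokuapp.com"])
  acm    = make_cert("www.custom-domain.com", ["www.custom-domain.com"])
  puts cert_covers?(shared, "www.custom-domain.com")   # false: the error in the question
  puts cert_covers?(acm, "www.custom-domain.com")      # true
  puts dns_target_ok?("your-app.herokuapp.com")        # false: wrong record target
  puts dns_target_ok?("your-app.herokudns.com.")       # true
end
```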

Related

Multi-tenant Heroku app with SSL + GoDaddy SSL on custom domains

I have a multi-tenant Heroku app running Ruby on Rails with a wildcard SSL certificate on *.xyz.com which serves https://customer1-app.xyz.com securely and as expected. The problem is I can't add a GoDaddy SSL certificate to a custom domain (customer1.com), also at GoDaddy, pointing to one of the subdomains (customer1-app.xyz.com).
The approach I'm trying is fully described here: https://help.heroku.com/8P5TVA4T/how-can-i-configure-multiple-ssl-certificates-for-a-single-app
Simply put:
1. I created a shell application customer1-endpoint on Heroku
2. I added the SSL-Endpoint add-on and installed the certificate bought from GoDaddy on the shell application
3. I copied the endpoint (DNS target - abc.ssl.herokudns.com) from the Heroku CLI to the CNAME record at GoDaddy
4. I added the custom domain (customer1.com, www.customer1.com) to my main production (xyz.com) Heroku app
When I try to access https://www.customer1.com/ I receive a "No such app" message on Heroku.
Any ideas what's going wrong?
For anyone coming through Google, my issue was that I had my SSL endpoint in a different region than my main app. This approach works; make sure that both apps are in the same region.
SSL Endpoint is deprecated as of July 31st, 2021.

Using mruby, ngx_mruby and redis - Applying on current production server

I am very afraid of making modifications on the server, because the server is working fine with the current settings.
I will explain: the server is an Amazon EC2 instance. On this instance I have:
ruby -v: ruby 2.2.2p95 (2015-04-13 revision 50295) [x86_64-linux]
rails -v: Rails 4.2.3
nginx -v: nginx/1.8.0
passenger -v: Phusion Passenger version 5.0.10
I have 1 Load Balancer, which has a listener:
Load Balancer Protocol: HTTPS
Load Balancer Port: 443
Instance Protocol: HTTP
Instance Port: 80
SSL Certificate: Using a certificate issued by Amazon Certificate Manager. I have the domain and all sub-domains (wildcard).
These settings allow me to:
Have the main domain for the app:
www.testname.com and testname.com to use as institutional pages (About, Price, Terms etc.);
app.testname.com for users to use the system;
Have as many subdomains as I want, because EACH USER has a specific page:
user1.testname.com
user2.testname.com
user3.testname.com
etc.
All of this is dynamic. The user registers on the app and gets a subdomain. On this subdomain, the user can access via https://. It works fine.
Users WANT to use their own domain, of course. This part is easily resolved. I create a CNAME record in the custom domain, pointing to our subdomain, like this:
usercustomname.com CNAME TO user1.testname.com
It works fine. BUT, the big problem is: 'https://' does not work on the custom domain name, obviously. Our certificate allows the domain testname.com and its subdomains.
With Amazon Certificate Manager I can import custom certificates. And then, using the awesome rails-letsencrypt gem, I can generate Let's Encrypt certificates for the custom domain names.
But the Amazon Load Balancer, in the HTTPS listener, allows only 1 certificate! This is very bad, because I can have a lot of certificates, but use only one on the whole server.
Recently, Amazon released multiple certificates for the Application Load Balancer using SNI. I can migrate my Classic Load Balancer to the Application Load Balancer, but this does not solve the problem, because the maximum certificate limit is 25 per Load Balancer. That is very low.
The solution I found is to create an Amazon ElastiCache to run a REDIS server, and then use ngx_mruby to get the certificate. I plan it like this:
Change the HTTPS listener like this:
Instance Protocol: HTTPS
Instance Port: 443
Remove the certificate issued in Amazon Certificate Manager
Install mruby
Install ngx_mruby
Using the rails-letsencrypt gem, create 1 certificate for each institutional subdomain (app, www, empty subdomain) AND create 1 certificate for each user subdomain.
When a certificate is created, the rails-letsencrypt gem can save the certificate in REDIS.
Using ngx_mruby, listen on port 443; the certificate for the domain is picked up from Redis.
Apparently, this will work. The logic seems right but I do not know in practice.
My questions are:
1) To install mruby, I will follow these steps. After installing, will it impact the current Ruby installation? Will I need to change the system code already developed as a result of the mruby installation?
2) Will using REDIS affect anything on the current server? Despite the $12/month increase in my Amazon account, I believe that using REDIS will not influence the current server at all.
3) Do you think that what I planned to solve the Amazon certificate limit will work?
Sorry for the long text. I'm not a server specialist. This is the only server I have, AND without backup. And I'm afraid of breaking the server with no way to fix it.
Thanks, and I appreciate any help :)
EDIT 1
Using ngx_mruby and Redis with the Amazon Classic Load Balancer will not work, because the HTTPS listener requires one certificate. So even if I generate the certificates and connect ngx_mruby with Redis, before that, the Load Balancer will respond with the default domain certificate.
But, I found a way (it works):
All customer URLs have this structure:
customer1.myapp.com
customer2.myapp.com
customer3.myapp.com
All requests use the HTTPS listener via the Load Balancer and there is no way to use multiple SSL certificates in a Classic Load Balancer. So I did this:
1. Register another domain, like myapp.net
2. Using Amazon Route 53, I created another hosted zone and I pointed the domain's DNS records to this hosted zone
3. In Amazon Route 53, I created these records:
   Type A pointing to the instance IP
   Type CNAME with name * and value myapp.net
4. I set up my Rails app to identify the domain myapp.net. With this, access to customer1.myapp.com AND customer1.myapp.net calls the same resource, BUT customer1.myapp.com uses the HTTPS listener in the load balancer and customer1.myapp.net doesn't.
5. I just saved the SSL CERTIFICATE which was generated by the gem in the folder /etc/nginx/ssl/ and then created a virtual host in NGINX. After that, it FINALLY WORKS!
Now, I have to discover HOW TO SAVE the certificate in the folder and HOW TO CREATE a virtual host in NGINX, using RAILS. The manual process is described in another question of mine.
You need to recompile your Nginx to support ngx_mruby; we don't suggest using the dynamic module feature now, because there is no use case for it when people use ngx_mruby. And the Ruby version on your system won't be changed.
If you want to enable Redis as the cache for your Rails app, it may influence your website. But if you only create a new ElastiCache instance, there is no other side effect for you. And I think using ElastiCache will give you better optimization than hosting it yourself.
I didn't try it, but it may work. Maybe others can answer your question.
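The EDIT 1 procedure above (save the certificate the gem produced under /etc/nginx/ssl/ and add one nginx virtual host per customer domain) as an added Ruby example; this is not the original poster's code. Its point is the part the manual process hides: a customer-supplied domain is about to be written into an nginx directive and a file path, so it is validated first, the private key is written with mode 0600, and the vhost is only written after the PEM files exist. The Passenger application root, the conf directory argument and the helper names are assumptions.

```ruby
require "fileutils"
require "tmpdir"
# RFC 1123 hostname: dot-separated labels of lowercase letters, digits and
# hyphens, ending in an alphabetic TLD. Anything else (";", newlines,
# "include", "../") is rejected before it can reach an nginx directive or a path.
HOSTNAME_RE = /\A(?=.{1,253}\z)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}\z/

def valid_hostname?(domain)
  HOSTNAME_RE.match?(domain)
end

APP_ROOT = "/var/www/myapp/current"   # assumed Passenger application root

# Render the per-domain server block; fails closed on an invalid hostname.
def vhost_config(domain, ssl_dir)
  raise ArgumentError, "invalid hostname: #{domain.inspect}" unless valid_hostname?(domain)
  <<~NGINX
    server {
      listen 443 ssl;
      server_name #{domain};
      ssl_certificate     #{ssl_dir}/#{domain}.crt;
      ssl_certificate_key #{ssl_dir}/#{domain}.key;
      root #{APP_ROOT}/public;
      passenger_enabled on;
    }
  NGINX
end

# Write the PEM files first (private key mode 0600), then the vhost, so nginx never
# loads a server block whose files are missing. `nginx -t && nginx -s reload` is the caller's job.
def install_custom_domain(domain, cert_pem, key_pem, ssl_dir:, conf_dir:)
  conf = vhost_config(domain, ssl_dir)        # validates the domain first
  FileUtils.mkdir_p([ssl_dir, conf_dir])
  crt = File.join(ssl_dir, "#{domain}.crt")
  key = File.join(ssl_dir, "#{domain}.key")
  File.write(crt, cert_pem)
  File.write(key, key_pem, perm: 0600)
  File.chmod(0600, key)                       # perm: is ignored if the file already existed
  conf_path = File.join(conf_dir, "#{domain}.conf")
  File.write(conf_path, conf)
  { cert: crt, key: key, conf: conf_path }
end

if __FILE__ == $0
  Dir.mktmpdir do |tmp|                       # demo in a scratch dir, not /etc/nginx
    paths = install_custom_domain("customer1.myapp.net", "CONSTRUCTED CERT", "CONSTRUCTED KEY", ssl_dir: "#{tmp}/ssl", conf_dir: "#{tmp}/conf.d")
    puts File.read(paths[:conf])
  end
end
```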

SSL Certificate from RapidSSL with Heroku and CloudFront

I missed the end date of my SSL certificate a few days ago, but I did buy the renewal last month. My app runs with Ruby on Rails using Heroku and CloudFront for the assets. My SSL certificate comes from RapidSSL.
Here is the process I followed:
I got the RapidSSL key by email, which I stored in a .crt file
I ran the Heroku command line heroku certs:update cert.crt server.key --app remote production
The command line heroku certs --app remote production results in a trusted status, but when I open the URL, browsers warn about an untrusted certificate.
At the same time none of the application assets stored on CloudFront are available (net::ERR_INSECURE_RESPONSE).
I asked for help from Heroku support; they told me that the SSL certificate for the app is OK but it seems to need an update for the assets certificate.
So I went to the AWS console aiming to find the CloudFront SSL configuration, and I ended up on the ACM console page to give it the RapidSSL certificate to resolve the problem, but I cannot be sure I'm taking the right files to do this.
What I need is to solve the access to the website and to the associated assets to ensure the trust of my customers.
What did I do wrong? Am I missing something?
Thanks for any help you can provide!
Generally the net::ERR_INSECURE_RESPONSE error occurs with an SSL certificate when the browser finds mixed content, which simply means some of your content is served over HTTP and the rest over HTTPS.
Please check your content; if you find any content which is served over HTTP, turn it into HTTPS.
It sounds like the issue might be an outdated certificate on CloudFront.
If so, you can either upload your RapidSSL certificate using aws iam upload-server-certificate, or (I'd prefer) request a new certificate that you'll only use with CloudFront from AWS Certificate Manager. The latter is free, and AWS will auto-update the certificate before it expires.
You can start this simple and quick process by going to your CloudFront distribution in the AWS Console, and clicking Edit > Request or Import a Certificate with ACM.
Once that is done, you will be able to choose the certificate from the Custom Certificate dropdown at the same location (screenshot).
Note: If you upload your RapidSSL certificate, it must be uploaded to eu-east-1 (N. Virginia) in order to be used with CloudFront. Requesting ACM certificates must also be done in this region.
If you provide a URL to your website, it's easier to confirm this issue.
I scribbled some notes on this here with more details on uploading your own/RapidSSL certificate.

Use a trusted CA signed certifiicate on a local rails server

This might sound a little stupid, but I am trying to test out iOS device enrollment and I want to use a trusted CA (e.g. Verisign, Comodo) signed certificate to add to my localhost Rails WEBrick server. I do not want to add a self-signed certificate because I need to test a very particular scenario. Is there a way to do this? I know domain controller validation will fail if I try to create the CA-signed certificate on a website like Comodo, and I can't use a certificate I already have for my production server since it's bound to that domain. Is there a way to work around this and create a production-level SSL certificate and use it for a development server?
You can use your existing production certificates for your local setup, and use a local DNS server (such as BIND) to resolve the domain name to your local IP address instead of your production server's IP address.
Update:
Install BIND (or whatever DNS server software you like) on some computer on your network, let us say 192.168.100.10.
Add www.myprodserver.com to resolve to 192.168.100.100.
Now on your local machine (assume it's a MacBook), go to your network settings and add 192.168.100.10 as the only DNS server.
Now run ping www.myprodserver.com and make sure it is resolving to 192.168.100.100.
This is almost equivalent (but not exactly) to using the /etc/hosts file to resolve domain names to IP addresses.
(all IP addresses and domain names used above are just for example)
Also, I think you will need something better than WEBrick to handle SSL certificates. You can use nginx to offload SSL and proxy to WEBrick.

SSL connection error in production mode rails 3.2.3 thin server

I have
config.force_ssl = true
in my environments/production.rb file so as to make every request secure with SSL and HTTPS.
I came to know that SSL can't be enabled in development mode. So, I started my thin web server in production mode and when I went to
https://127.0.0.1:3000
it's the same as in development mode (SSL connection error). I tried almost all the links on the first 6 pages fetched by Google. Does anybody have a solution to my problem?
P.S. I'm working on Windows and I have a client authentication certificate.
The problem you described is related to using a self-signed certificate.
SSL certificates rely on a chain of trust, where the root CAs (Certification Authorities) are at the top.
To understand more about how it works, the Wikipedia entry on SSL provides good insight. For self-signed certificates there's also an entry on Wikipedia.
To solve your issue you can have a self-signed certificate (be aware of the security issues), but your users will always be prompted for an action.
Another option is to apply for a certificate from CertCA since some Linux distributions have them in their root CAs.
The last and most reliable option is to acquire a certificate.
