Heroku ACM Letsencrypt failure/waiting with rate limits - ruby-on-rails

I have a site with multiple domains on Heroku, using Gandi for DNS. Using ACM on Heroku I got a lot of failures for the apex domains and tried again a few times - now my certs:info says "no SSL available" and certs:auto is stuck at "Waiting".
I also tried different websites that are linked from Let's Encrypt to generate the files and challenges, but at some point I got no challenge keys for my domains anymore.
Question: How can I check whether my requests are rate limited? Heroku does not show this info (just "waiting"). Thank you.
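Heroku ACM is just an ACME client talking to Let's Encrypt, and neither side exposes a "you are rate limited" status before the next order is attempted. What you can check offline is how many certificates Certificate Transparency already records for your registered domain and compare that with the published limits. The script below is an added example, not code from the question or from Heroku; it parses a constructed sample in the row shape crt.sh returns for `https://crt.sh/?q=%25.example.com&output=json` (ids, timestamps and names are made up) and applies the two limits CT logs can tell you about. The limit values are the ones published at the time of writing and should be checked against https://letsencrypt.org/docs/rate-limits/; the per-account "failed validations per hostname per hour" limit is not visible in CT at all, so a "Waiting" state after repeated apex failures can still be that one.

```ruby
require 'json'
require 'time'

# Published Let's Encrypt limits at the time of writing (assumption; verify
# against https://letsencrypt.org/docs/rate-limits/ before relying on them).
CERTS_PER_REGISTERED_DOMAIN_PER_WEEK = 50
DUPLICATE_CERTS_PER_WEEK = 5   # same exact set of names
ONE_WEEK = 7 * 24 * 60 * 60

# Constructed sample in the shape of crt.sh's JSON output (not real data).
# crt.sh lists the precertificate and the final certificate as separate rows,
# so one issuance appears twice (ids 1 and 2); id 9 is a look-alike name that
# a naive substring match would wrongly count.
SAMPLE_CRTSH_JSON = <<~JSON
  [
    {"id": 1, "not_before": "2017-09-07T10:00:00", "name_value": "example.com\\nwww.example.com"},
    {"id": 2, "not_before": "2017-09-07T10:00:00", "name_value": "example.com\\nwww.example.com"},
    {"id": 3, "not_before": "2017-09-07T11:00:00", "name_value": "www.example.com\\nexample.com"},
    {"id": 4, "not_before": "2017-09-07T12:00:00", "name_value": "example.com\\nwww.example.com"},
    {"id": 5, "not_before": "2017-09-07T13:00:00", "name_value": "example.com\\nwww.example.com"},
    {"id": 6, "not_before": "2017-09-07T14:00:00", "name_value": "example.com\\nwww.example.com"},
    {"id": 7, "not_before": "2017-09-08T09:00:00", "name_value": "api.example.com"},
    {"id": 8, "not_before": "2017-08-20T10:00:00", "name_value": "example.com\\nwww.example.com"},
    {"id": 9, "not_before": "2017-09-07T10:00:00", "name_value": "example.com.evil.org"}
  ]
JSON

# Turn crt.sh rows into one record per issuance for the given registered
# domain (the eTLD+1 you registered; Let's Encrypt counts per that domain).
def parse_crtsh(json, registered_domain)
  domain = registered_domain.downcase
  rows = JSON.parse(json).map do |row|
    names = row['name_value'].split("\n").map { |n| n.strip.downcase }.reject(&:empty?).uniq.sort
    { issued_at: Time.parse(row['not_before'] + 'Z'), names: names } # crt.sh times are UTC
  end
  rows.select { |c| c[:names].any? { |n| n == domain || n.end_with?(".#{domain}") } }
      .uniq { |c| [c[:issued_at].to_i, c[:names]] } # precert + leaf count once
end

# Compare the last 7 days of issuance against the two CT-visible limits.
# "Remaining" is conservative: it treats every certificate as a new one even
# though Let's Encrypt exempts exact renewals from the per-domain limit.
def rate_limit_status(certs, now)
  recent = certs.select { |c| c[:issued_at] <= now && now - c[:issued_at] < ONE_WEEK }
  per_name_set = recent.group_by { |c| c[:names] }.transform_values(&:size)
  at_limit = per_name_set.select { |_, n| n >= DUPLICATE_CERTS_PER_WEEK }.keys
  {
    certs_last_week: recent.size,
    per_domain_remaining: [CERTS_PER_REGISTERED_DOMAIN_PER_WEEK - recent.size, 0].max,
    per_domain_limit_hit: recent.size >= CERTS_PER_REGISTERED_DOMAIN_PER_WEEK,
    duplicate_sets_at_limit: at_limit,
    duplicate_limit_hit: !at_limit.empty?
  }
end

if __FILE__ == $0
  certs = parse_crtsh(SAMPLE_CRTSH_JSON, 'example.com')
  status = rate_limit_status(certs, Time.utc(2017, 9, 8, 12, 0, 0))
  puts "issuances in window: #{status[:certs_last_week]}"
  puts "duplicate limit hit for: #{status[:duplicate_sets_at_limit].inspect}" if status[:duplicate_limit_hit]
end
```

With the sample, six issuances fall inside the week and the `example.com` + `www.example.com` name set has been issued five times, so a sixth identical request would be refused until the oldest one ages out of the window; that is the usual outcome of "tried again a few times" with an ACM that retries the same name set. Fetch the real JSON from crt.sh for your own domain and feed it to `parse_crtsh` in place of the sample.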

Related

Custom Heroku domain will not reflect upgrade from HTTP to HTTPS

I am using Automated Certificate Management that Heroku makes available for apps with paid dynos. my_app.herokuapp.com accurately reflects the SSL certificate and loads as an HTTPS:// page.
But my custom domain, www.my_app.com doesn't load as HTTPS://
My custom domain is from Google Domains and here is the CNAME mapping -
Custom Resource Records
www is mapped to www.my_app.com.herokudns.com.
Subdomain forward
my_app.com --> https://www.my_app.com
Any thoughts on where I could be going wrong? I can't seem to find step-by-step instruction anywhere, please point me to any resources you all found to be useful.

Rails tenanted app with CloudFlare and subdomains

I'm building a tenanted Rails application on Heroku which uses subdomains for each tenanted instance. The problem is I can't seem to get CloudFlare to properly cache a subdomain.
I have my Application hosted on heroku at say whatever.herokuapp.com
And using CloudFlare I'm pointing my main application at heroku's CNAME (whatever.herokuapp.com) and that works fine.
I'm using a wildcard *.mydomain.com on Heroku and then using CloudFlare again to point at it.
So say I create an app myinstance.mydomain.com on CloudFlare -> whatever.herokuapp.com
because I'm using the *.mydomain.com on Heroku it works fine.
BUT when I try to turn on the Acceleration (CloudFlare caching) it immediately breaks and all I see is CloudFlare Error 1001 telling me:
Most likely: if the owner just signed up for CloudFlare it can take a few minutes for the website's information to be distributed to our global network.
From their help desk:
Fundamentally in a standard set up the domain needs to be added to
CloudFlare in order for us to understand how to route traffic for that
domain.
If you wanted a setup where anybody in the world could CNAME to your
CloudFlare configuration, that is possible but it's an Enterprise
feature. We call it "Managed CNAME" - if that's something you're
interested in do let me know and I can put you in touch.
FYI, CloudFlare Enterprise averages at $5,000 a month.
CloudFlare is great in that it just works without much customization starting at zero cost, but unless your multi-tenanted app is for Bank of America or other Fortune 500 company I'd suggest something like Fastly ($5-50/month) or some other DIY caching solution that allows you to setup caching as you need rather than a one-size-fits-all top down solution.
https://devcenter.heroku.com/articles/fastly
Works directly with Heroku but there might be other solutions that work equally well.
That error can also occur if you're pointing a domain/subdomain not on CloudFlare to a domain that is on CloudFlare (creates a DNS resolution lookup error). I would probably contact CloudFlare support for additional assistance and troubleshooting.

Heroku PointDNS issues

Can't seem to find a solution to this issue. I recently switched hosting over to Heroku and have needed to set up some custom DNS to change email MX records to my webmail host.
I configured them, however, it has been 48 hours and the emails are still not working.
It also says "Domain not resolving" in PointDNS, however, I can't seem to understand why and Google isn't helping out.
Here's an image of my setup: http://i.stack.imgur.com/oh9j9.png

Cloudflare + Heroku SSL

I have a rails app that is running on heroku and am using Cloudflare Pro with their Full SSL to encrypt traffic between: User <-SSL-> Cloudflare <-SSL-> Heroku, as detailed in: http://mikecoutermarsh.com/adding-ssl-to-heroku-with-cloudflare/ .
I am also using the rack-ssl-enforcer gem to force all http requests to go through https.
This is working properly, except I have the following issues, by browser:
1) Firefox: I have to add a security exception on the first visit to the site, getting the "This site is not trusted" warning. Once on the site, I also have the warning in the address bar:
2) Chrome: page loads first time, but the lock in the address bar has a warning triangle on it, when clicked displays:
Your connection is encrypted with 128-bit encryption. However, this
page includes other resources which are not secure. These resources
can be viewed by others while in transit, and can be modified by an
attacker to change the look of the page. The connection uses TLS 1.2.
The connection is encrypted and authenticated using AES_128_GCM and
uses ECDHE_RSA as the key exchange mechanism.
3) Safari: initially loads with an https badge, but it immediately drops off.
Is there a way to leverage Cloudflare SSL + piggyback of Heroku native SSL without running into these security warnings? If not, I don't see much value in the configuration.
My apologies for slinging erroneous accusations against Cloudflare and Heroku :-)
Turns out the issue was not the fault of either, but instead that images on the app (being served from AWS S3) were being served up without https.
If anyone runs into this situation, lessons learned across a wasted day:
S3 only lets you serve up content via https if you serve from your bucket's dedicated url: s3.amazonaws.com/your-bucket-name/etc..
a) I tried setting the bucket up for static website hosting, so I could use the URL "your-bucket-name.your-url.s3-website-us-east-1.amazonaws.com/etc...", and then set up a CNAME within my DNS that sends "your-bucket-name.your-url" to "your-bucket-name.your-url.s3-website-us-east-1.amazonaws.com/etc...", to pretty up URLs
b) this works, but AWS only lets you serve via https with your full URL (s3.amazonaws.com/your-bucket-name/etc..) or "*.s3-website-us-east-1.amazonaws.com/etc...", which doesn't work if you have a dot in your bucket name (your-bucket-name.your-url), which was required for me to do the CNAME redirect
If you want to use AWS CDN with https, on your custom domain, AWS' only option is CloudFront with a SSL certificate, which they charge $600/mo, per region. No thanks!
In the end, I sucked it up and have ugly image URLs that look like https://s3-website-us-east-1.amazonaws.com/mybucketname..., and using paperclip, I specify https with ":s3_protocol => :https" in my model. Other than that all is working properly now.
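The browser warnings above are mixed content: the page itself is HTTPS, but it pulls subresources over plain http, which an on-path attacker can read or replace. Rather than losing a day in the browser, you can scan rendered HTML for the offending URLs. The following is an added example, not code from the answer; it runs over a constructed page fragment (the hostnames are made up) and reports only the attributes that actually fetch a subresource or submit data, so an ordinary `<a href="http://...">` navigation link, which is not mixed content, is not flagged, and protocol-relative `//` URLs, which inherit https, are not flagged either.

```ruby
# Tags and attributes whose URL is fetched by the browser as part of the page
# (or, for <form action>, receives the user's data). An <a href> is a plain
# navigation and does not count as mixed content.
RESOURCE_ATTRS = {
  'img'    => %w[src srcset],
  'script' => %w[src],
  'iframe' => %w[src],
  'link'   => %w[href],
  'audio'  => %w[src],
  'video'  => %w[src poster],
  'source' => %w[src srcset],
  'object' => %w[data],
  'embed'  => %w[src],
  'form'   => %w[action]
}.freeze

TAG_RE  = /<([a-zA-Z][\w-]*)\b([^>]*)>/
ATTR_RE = /([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/

# Return every http:// subresource reference in the HTML as
# { tag:, attr:, url: }. srcset values are comma-separated "url descriptor"
# pairs and are split accordingly; other attributes are taken whole.
def mixed_content(html)
  findings = []
  html.scan(TAG_RE) do |tag, attrs|
    watched = RESOURCE_ATTRS[tag.downcase] or next
    attrs.scan(ATTR_RE) do |name, dq, sq, bare|
      attr = name.downcase
      next unless watched.include?(attr)
      value = (dq || sq || bare).strip
      candidates = attr == 'srcset' ? value.split(',') : [value]
      candidates.each do |candidate|
        url = candidate.strip.split(/\s+/).first
        next if url.nil? || url.empty?
        findings << { tag: tag.downcase, attr: attr, url: url } if url =~ %r{\Ahttp://}i
      end
    end
  end
  findings
end

# Constructed sample page (made-up hosts) mixing secure and insecure references.
SAMPLE_HTML = <<~HTML
  <html><head>
  <link rel="stylesheet" href="http://cdn.example.com/app.css">
  <script src="https://cdn.example.com/app.js"></script>
  </head><body>
  <img src='http://s3.amazonaws.com/my-bucket/logo.png'>
  <img src="//s3.amazonaws.com/my-bucket/hero.png">
  <a href="http://partner.example.com/">partner</a>
  <form action="http://app.example.com/login" method="post"></form>
  <img srcset="http://s3.amazonaws.com/my-bucket/a.png 1x, https://s3.amazonaws.com/my-bucket/a2x.png 2x">
  </body></html>
HTML

if __FILE__ == $0
  mixed_content(SAMPLE_HTML).each { |f| puts "#{f[:tag]}[#{f[:attr]}] -> #{f[:url]}" }
end
```

Run it against the HTML your Rails views actually emit (for example the body returned by an integration test request) rather than the templates, since helpers such as paperclip build the final URL at render time; in this case the fix was indeed the `:s3_protocol => :https` setting, and a scan like this confirms nothing else slipped through.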

need a crash course in HTTPS / SSL for Rails

I've got our Ruby on Rails app up and running on Heroku using HTTP. Now it's time to use HTTPS during the login process and for all transactions after the user is logged in. But I'm not sure where to start.
configuration
We're using:
Ruby (1.9.2)
Rails (3.0.5)
Devise (1.5.3)
Our domain (registered by GoDaddy) is oursite.com (not its real name), which resolves to oursite.herokuapp.com. I want secure transactions to be performed in a subdomain https://secure.oursite.com. I've purchased an SSL certificate from GoDaddy, created the key files, signed up for the Zerigo DNS service and set oursite.com nameservers to point at Zergo's servers. And on Heroku, I've done:
heroku domains:add secure.oursite.com
heroku ssl:add final.crt site.key
heroku addons:add ssl:hostname
the questions
If a user arrives at our site under http://oursite.com, how (and when) do I switch to https://secure.oursite.com?
How do I enforce using https for any secure transaction (e.g. submitting a password)?
How does one test this stuff using localhost:3000?
Concrete answers, general answers, and pointers to tutorials and examples are equally welcome. Thanks!
First:
redirecting from http://example.com to https://example.mysite.com
... is a very specific question that supersedes this very general question. I'll summarize the best bits of info I found in the last 24 hours, as it may be helpful to someone else.
The Heroku article on SSL is a must-read if you're deploying on Heroku.
Heroku also has an article describing how to purchase an SSL certificate from a general vendor as well as an article describing how to purchase an SSL certificate from GoDaddy.
I was stuck for a while trying to configure the CNAME records for my Zerigo DNS service. The punch line is that if you create your Zerigo account using the Heroku dashboard, then you must configure your CNAME records using the Heroku dashboard as well. Gory details listed here.
If you're planning on upgrading to Rails 3.1, this is a good time to do so, since it has a built-in force_ssl method that is a clean replacement for various add-in gems (notably ssl_requirement).
Having said as much, the implementation of ssl_requirement in https://github.com/rails/ssl_requirement/blob/master/lib/ssl_requirement.rb is worth looking at, just to see how it uses redirect_to and the request object.
Simone Carletti has a comprehensive blog entry Configuring Rails 3 to use HTTPS and SSL, covering both Rails 3.0 and Rails 3.1.
Hope this is helpful...
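The mechanics that force_ssl and ssl_requirement hide are small: decide which requests must be secure, redirect the rest to the https host (keeping path and query), and, on responses that did arrive over https, send Strict-Transport-Security so the browser stops trying http at all. The middleware below is an added example written for this answer, not the code of force_ssl, rack-ssl-enforcer or ssl_requirement; it is a hand-rolled Rack-compatible class so it runs without the rack gem, and the hostname secure.oursite.com and the protected paths are assumptions taken from the question. The one Heroku-specific detail it handles is that the router terminates TLS and the dyno only ever sees plain HTTP, with the client's real scheme carried in the X-Forwarded-Proto header.

```ruby
# Rack-style middleware: force requests for the protected paths onto
# https://<secure_host>, and emit HSTS on the responses that are already there.
class ForceSecureHost
  HSTS = 'max-age=31536000'.freeze

  # secure_host: hostname the certificate was issued for (assumed here)
  # only:        path prefixes to enforce; nil enforces every request
  def initialize(app, secure_host:, only: nil)
    @app = app
    @secure_host = secure_host.downcase
    @only = only
  end

  def call(env)
    return @app.call(env) unless protected_path?(env['PATH_INFO'])

    if secure?(env) && env['HTTP_HOST'].to_s.downcase == @secure_host
      status, headers, body = @app.call(env)
      # Browsers only honour HSTS on responses that arrived over https, which
      # is exactly the branch we are in.
      [status, headers.merge('Strict-Transport-Security' => HSTS), body]
    else
      redirect(env)
    end
  end

  private

  def protected_path?(path)
    @only.nil? || @only.any? { |prefix| path.to_s.start_with?(prefix) }
  end

  # Heroku's router (and Cloudflare in front of it) terminates TLS and hands
  # the dyno plain HTTP; the original scheme arrives in X-Forwarded-Proto.
  # Only trust that header when you really are behind such a proxy: a client
  # talking to an exposed origin directly can set it to anything.
  def secure?(env)
    return true if env['rack.url_scheme'] == 'https'
    env['HTTP_X_FORWARDED_PROTO'].to_s.split(',').first.to_s.strip.downcase == 'https'
  end

  def redirect(env)
    location = "https://#{@secure_host}#{env['PATH_INFO']}"
    location += "?#{env['QUERY_STRING']}" unless env['QUERY_STRING'].to_s.empty?
    # 301 for GET/HEAD; 307 for anything else so a POST keeps its method and
    # body rather than being rewritten into a GET. A POST that arrived over
    # http has already exposed its body in transit, so the real fix is never
    # to serve a plain-http page whose form posts credentials.
    status = %w[GET HEAD].include?(env['REQUEST_METHOD']) ? 301 : 307
    [status, { 'Location' => location, 'Content-Length' => '0' }, []]
  end
end

# Demo wiring (constructed): a stand-in for the Rails app, and the enforcer
# scoped to the login and account paths from the question.
DEMO_APP = ->(_env) { [200, { 'Content-Type' => 'text/plain' }, ['ok']] }
ENFORCER = ForceSecureHost.new(DEMO_APP, secure_host: 'secure.oursite.com',
                               only: ['/users/sign_in', '/account'])

# Build the Rack env a Heroku dyno would see: scheme is always http, and the
# router's X-Forwarded-Proto says what the client actually used.
def demo_env(method, host, path, query: '', forwarded_proto: nil)
  env = { 'REQUEST_METHOD' => method, 'HTTP_HOST' => host, 'PATH_INFO' => path,
          'QUERY_STRING' => query, 'rack.url_scheme' => 'http' }
  env['HTTP_X_FORWARDED_PROTO'] = forwarded_proto if forwarded_proto
  env
end

if __FILE__ == $0
  status, headers, = ENFORCER.call(demo_env('GET', 'oursite.com', '/users/sign_in', query: 'next=%2Faccount'))
  puts "#{status} -> #{headers['Location']}"
  status, headers, = ENFORCER.call(demo_env('GET', 'secure.oursite.com', '/account', forwarded_proto: 'https'))
  puts "#{status} HSTS=#{headers['Strict-Transport-Security']}"
end
```

In a Rails 3.0 app this goes in config/application.rb via `config.middleware.use ForceSecureHost, secure_host: 'secure.oursite.com', only: [...]`; on Rails 3.1+ prefer the built-in force_ssl, which does the same X-Forwarded-Proto check and HSTS for you. Answering the "when" part of the question: redirect before any form that collects a password is rendered, not just on its submission, because the redirect of a POST cannot un-send what was already typed into an http page.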
I would have a look at ssl_requirement. This allows you to secure various parts of your application thus forcing you to only serve certain pages over HTTPS.
https://github.com/rails/ssl_requirement
With local development, you'll need to set up some sort of Apache / Nginx setup with a locally signed cert bolted on. A quick Google uncovered this:
http://www.subelsky.com/2007/11/testing-rails-ssl-requirements-on-your.html
