I have two Heroku app tiers (a production and a staging app)
My DNS is configured to point to either, depending on the subdomain.
*.example.co -> app-production
*.staging.example.co -> app-staging
SSL
SSL add on is enabled for both. The same exact SSL wildcard certificate is uploaded to both.
> heroku certs --remote production
Endpoint Common Name(s) Expires Trusted
---------------------------- ------------------------ -------------------- -------
tokushima-XXXX.herokussl.com *.example.co, example.co 2018-10-10 00:00 UTC True
> heroku certs --remote staging
Endpoint Common Name(s) Expires Trusted
---------------------------- ------------------------ -------------------- -------
hiroshima-XXXX.herokussl.com *.example.co, example.co 2018-10-10 00:00 UTC True
Domains
Each has the corresponding domains also configured in Heroku
> heroku domains --remote production
=== app-production Custom Domains
Domain Name DNS Target
----------------------------- -------------------------------------
*.example.co tokushima-XXXX.herokussl.com
example.co tokushima-XXXX.herokussl.com
> heroku domains --remote staging
=== app-staging Custom Domains
Domain Name DNS Target
-------------------- ------------------------
*.staging.example.co app-staging.herokuapp.com <-- should this be the SSL endpoint?
Question
All the above works fine in terms of routing.
foo.example.co visits my production app
foo.staging.example.co visits my staging app
However on staging, SSL does not work. I get a "certificate untrusted" error, even though it's the same certificate.
I strongly suspect it's because when configuring the Staging Domains, the DNS target should be an SSL endpoint, not the direct heroku app URL.
But I have no way to edit that. If I do
> heroku domains:add *.staging.example.co --remote staging
It automatically adds the DNS target for me. On Prod it automatically added the SSL endpoint.
Is there a way around this?
This is how SSL wildcard certificates behave: a certificate for *.example.com is valid for foo.example.com but not bar.foo.example.com.
This is specified in RFC 2818, which says:
Names may contain the wildcard character * which is considered to match any single domain name component or component fragment. E.g., *.a.com matches foo.a.com but not bar.foo.a.com. f*.com matches foo.com but not bar.com
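As an added example (not code from this answer), the RFC 2818 matching rule applied to the certificate names from the question: a '*' matches one label or a fragment of one label and never crosses a dot, which is why *.example.co covers foo.example.co but not foo.staging.example.co. Note that newer validators following RFC 6125 are stricter still and generally accept a wildcard only as the whole leftmost label.

```python
# Added example (not from the original answer): RFC 2818 wildcard matching
# as it applies to the certificates discussed above. A '*' matches exactly
# one DNS label or a fragment of one label, never a dot, so "*.example.co"
# covers "foo.example.co" but not "foo.staging.example.co".
import re


def wildcard_matches(pattern: str, hostname: str) -> bool:
    """Return True if the certificate name `pattern` covers `hostname`.

    Rules (RFC 2818 section 3.1): comparison is case-insensitive, the name
    and the host must have the same number of labels, and each '*' matches
    any run of characters within a single label.
    """
    pattern = pattern.rstrip(".").lower()
    hostname = hostname.rstrip(".").lower()
    if "*" not in pattern:
        return pattern == hostname
    plabels = pattern.split(".")
    hlabels = hostname.split(".")
    if len(plabels) != len(hlabels):
        return False  # '*' never spans a dot, so label counts must agree
    for p, h in zip(plabels, hlabels):
        if "*" not in p:
            if p != h:
                return False
            continue
        # Turn the label into a regex: '*' -> '.*' within this label only.
        regex = "^" + ".*".join(re.escape(part) for part in p.split("*")) + "$"
        if not re.match(regex, h):
            return False
    return True


def covered_by(names, hostname):
    """Return the first certificate name (CN or SAN) that covers hostname, or None."""
    for name in names:
        if wildcard_matches(name, hostname):
            return name
    return None


# The certificate from the question lists exactly these names.
CERT_NAMES = ["*.example.co", "example.co"]

if __name__ == "__main__":
    for host in ["foo.example.co", "example.co", "foo.staging.example.co"]:
        print(f"{host:28} -> {covered_by(CERT_NAMES, host)}")
```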
I am having difficulty figuring out how to publish my rails app on Heroku.
My details are:
Rails 5 app on a paid dyno
Heroku SSL (not SSL Endpoint - given Heroku advises using SSL Endpoint only for legacy clients).
Domain name provider: 123-reg
SSL from Let's Encrypt plugin (rails gem).
In this post, I use: "mycustomdomainname" for the domain name that I own and I use "herokualias" to mean the name of the app that heroku generated for an alias to my app.
My issues are:
Production Check
The heroku production check shows an error message that says:
FAILED DNS configuration
Your DNS is not configured correctly. Your domain "mycustomdomain.com"'s ALIAS or ANAME record should point to herokualias.herokuapp.com.
FIRST ISSUE: The production check warning says I need to point my DNS to a herokuapp.com name. The Heroku SSL docs say that I should point my DNS to 'herokudns.com'. I only have herokudns.com records on my DNS. I'm not sure why the production check tells me to make 'herokuapp' records (since the production check also says that the Heroku SSL check has passed).
The warning goes on to say:
When SSL is required, provision an SSL Endpoint and, for us apps, point your CNAME records to endpoint-name.herokussl.com (this change is not required for EU apps). Any other configuration will result in reduced availability.
In turn, the SSL Endpoint page goes on to say:
Check out our new free SSL offering, Heroku SSL. We only recommend using SSL endpoint for supporting legacy clients.
My conclusion from this series of documentation is that I should be trying to follow the Heroku SSL instructions (instead of the Heroku Endpoint instructions).
SSL
The Production check says: PASSED Heroku SSL
However, none of the checks that the Heroku SSL documentation tells me to try are passing.
The instructions on the Heroku SSL page say:
Change your DNS for all domains on your app
Verify your DNS settings by running dig www.yourdomainname.com cname +short. If it returns www.yourdomainname.com.herokudns.com then you have set it up correctly. If you are using an ALIAS or ANAME record, you can verify that based on the DNS provider. For instance, DNSimple will return a TXT record showing how your domain’s ALIAS is set-up.
https://devcenter.heroku.com/articles/ssl
I try this in my terminal and get the correct response.
Things I've checked:
host www.mycustomdomainname.com
returns:
Host www.mycustomdomainname.com not found: 3(NXDOMAIN)
host mycustomdomainname.com
returns:
mycustomdomainname.com mail is handled by 5 ALT2.ASPMX.L.GOOGLE.com.
mycustomdomainname.com mail is handled by 10 ASPMX3.GOOGLEMAIL.com.
mycustomdomainname.com mail is handled by 5 ALT1.ASPMX.L.GOOGLE.com.
mycustomdomainname.com mail is handled by 10 ASPMX2.GOOGLEMAIL.com.
mycustomdomainname.com mail is handled by 1 ASPMX.L.GOOGLE.com.
dig www.mycustomdomainname.com cname +short
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26058
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;www..mycustomdomainname.com. IN CNAME
;; ANSWER SECTION:
www..mycustomdomainname.com. 14248 IN CNAME www.mycustomdomainname.herokudns.com.
;; Query time: 31 msec
;; SERVER: 175.45.91.201#53(175.45.91.201)
;; WHEN: Mon Oct 31 10:04:15 2016
;; MSG SIZE rcvd: 73
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 47492
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;short. IN A
;; AUTHORITY SECTION:
. 69201 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2016103001 1800 900 604800 86400
;; Query time: 4 msec
;; SERVER: 175.45.91.201#53(175.45.91.201)
;; WHEN: Mon Oct 31 10:04:15 2016
;; MSG SIZE rcvd: 98
heroku domains returns:
=== herokualias Heroku Domain
herokualias.herokuapp.com
=== herokualias Custom Domains
Domain Name DNS Target
───────────────── ───────────────────────────────
mycustomdomainname.com mycustomdomainname.com.herokudns.com
www.mycustomdomainname.com www.mycustomdomainname.com.herokudns.com
heroku certs info
Certificate details:
Common Name(s): www.mycustomdomainname.com
Expires At: 2017-01-16 23:44 UTC
Issuer: /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
Starts At: 2016-10-18 23:44 UTC
Subject: /CN=www.mycustomdomainname.com
SSL certificate is self signed.
openssl s_client -connect www.mycustomdomain.com.herokudns:443 -servername www.mycustomdomain.com
returns
gethostbyname failure
connect:errno=0
DNS configuration
My 123-reg config has 2 cname records being:
www.mycustomdomainname.herokudns.app.
mycustomdomainname.herokudns.app.
123-reg does not provide any support for heroku. I can't get any help from them to see if this requires any additional records on the DNS for this to work.
I have previously asked questions on SO here and here to try and get help to publish on heroku. I wasn't able to get any advice: Rails - Configuring DNS to host with Heroku (123-reg)
My questions on this topic have previously been voted down and someone has been kind enough to explain that this forum is not a place to ask questions about configuring deployment. I was referred to Server Fault to try to find help. I did try, but wasn't able to find help. I'm pressing on with this attempt to find help because I've seen others trying to solve similar problems on this forum (here).
Please can anyone refer me to step by step instructions for publishing on heroku with this config. I think the Heroku documentation is inherently conflicting. I can't find a way through this.
You've got stuff almost set up properly.
If your two domain names are
www.mycustomdomainname.com
and
mycustomdomainname.com
You want to point DNS as a CNAME/ALIAS record to www.mycustomdomainname.com.herokudns.com and mycustomdomainname.com.herokudns.com respectively.
What you've listed out points to www.mycustomdomain.herokudns.app (so you're missing the .com after your domain name and you have a .app instead of .com at the end).
As for production check, I'll work with our product team to get that fixed up.
I am trying to figure out how to publish my app on heroku. My DNS is with 123-reg. 123-reg does not provide any support for heroku deployment and vice versa.
I have previously asked this question (voted down and mocked in the comments)
Rails, Heroku - configuring 123-reg domain for heroku
I'm asking again in the hope of finding some substantive help on how to get this working.
Currently, when I try to render the page using my custom domain name, I get an error that says:
This site can’t be reached
www.mydomainname.com ’s server DNS address could not be found.
Try running Network Diagnostics.
DNS_PROBE_FINISHED_NXDOMAIN
When I try the following in the terminal, I get the responses noted below:
host www.mycustomdomainname.com
Host www.mycustomdomainname.com not found: 3(NXDOMAIN)
host https://www.mycustomdomainname.com
Host https://www.mycustomdomainname.com not found: 2(SERVFAIL)
dig www.mycustomdomainname.com cname +short
myherokualias.herokudns.com
heroku domains returns the heroku alias both with and without the www prefix.
In my DNS, I have a CNAME record with:
DNS ENTRY TYPE PRIORITY TTL DESTINATION/TARGET
www CNAME mycustomdomainname.herokudns.com.
Apart from that I have MX and TXT records for my email account.
Can anyone see what I need to do to get the page to render using my custom domain name?
When I try:
curl -vI https://www.mycustomdomainname.com
* Rebuilt URL to: https://www.mycustomdomainname.com/
* Could not resolve host: www.mycustomdomainname.com
* Closing connection 0
curl: (6) Could not resolve host: www.mycustomdomainname.com
I'm lost for things to try to get this working
HEROKU SETTINGS
I can see from inspecting my heroku Production Check, that I have the following issues:
FAILED DNS configuration
Your DNS is not configured correctly. Your domain "mycustomdomain.com"'s ALIAS or ANAME record should point to ancient-water-74339.herokuapp.com.
However, it also says:
PASSED Heroku SSL
The Heroku SSL instructions say:
Change your DNS for all domains on your app
Verify your DNS settings by running dig www.yourdomainname.com cname +short. If it returns www.yourdomainname.com.herokudns.com then you have set it up correctly. If you are using an ALIAS or ANAME record, you can verify that based on the DNS provider. For instance, DNSimple will return a TXT record showing how your domain’s ALIAS is set-up.
You should note that it may take up to 24 hours before your DNS is fully propagated globally.
To me, that means I'm supposed to replace the reference to 'herokuapp' with a reference to 'herokudns'. Also, I am reading these instructions to require that I replace 'ancient-water-74339' with a 'mycustomdomainname'.
I have done this (as I understand the instructions) so that the CNAME on my DNS now points to 'mycustomdomainname'.herokudns.com.
The heroku production check says that this is incorrect. Am I supposed to have 2 CNAME records (one using the heroku alias.herokuapp) and another using 'mycustomdomainname'.herokudns?
I tried to use the LetsEncrypt_plugin gem for rails. I cannot verify whether there is an error in that config because that gem does not provide support for heroku.
Can anyone see what I'm supposed to do to get out of this configuration hell?
The heroku production check instructions for DNS with SSL give instructions to provision an SSL Endpoint. The SSL Endpoint instructions say they are only for legacy clients (I don't know what a legacy client is), but that page suggests using the Heroku SSL instead. Those instructions say to use 'herokudns.com' on the end of the app name.
I can't seem to get any combination of these instructions to work.
Checklist
On your DNS provider make sure your CNAME record is properly set:
Host: *
Points To: yourapp.herokussl.com
How to add a CNAME record in 123-reg
On Heroku go to 'Resources' and make sure you have the SSL add-on installed.
On Heroku go to 'Settings/Domains and certificates' and make sure you have your custom domains correctly set:
Domain Name: *.yourdomain.com
DNS Target: yourapp.herokussl.com
Please note the url on herokuapp.com and herokussl.com may differ. If you are using an SSL certificate you'll have to use the latter.
Gotchas
Using the Heroku toolbelt, make sure your SSL certificate is still trusted:
heroku certs:info --app yourapp
Your registrar and your DNS provider may differ, which may lead you to edit your CNAME records in the wrong place.
To make sure you are at the right spot perform a whois on your domain:
whois yourdomain.com | grep 'Name Server'
If your domain is actually pointing to 123-reg, the output should be:
Name Server: ns1-123-reg.co.uk
Name Server: ns2-123-reg.co.uk
If the output is something else, then you probably should be setting your CNAME records elsewhere.
Hope this helps <3
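As an added example (not code from any answer in this thread), a small checker for the CNAME targets discussed in the Heroku answer above (the missing .com after the domain, and .app instead of .com) and in this checklist (the herokussl.com endpoint): it expects the Heroku SSL form <domain>.herokudns.com and reports why another target is wrong. The three target forms are as the thread describes them; the validation logic is my own assumption.

```python
# Added example, not code from any answer in this thread: a checker for the
# CNAME targets a Heroku custom domain can point at. Target forms as described
# in the thread; the validation logic itself is an assumption of this example.
import re

HEROKUSSL = re.compile(r"^[a-z0-9-]+\.herokussl\.com$")   # SSL Endpoint add-on
HEROKUAPP = re.compile(r"^[a-z0-9-]+\.herokuapp\.com$")   # bare app hostname
HEROKUDNS = re.compile(r"^(?P<name>.+)\.herokudns\.(?P<tld>[a-z]+)$")  # Heroku SSL


def normalize(name: str) -> str:
    """DNS names are case-insensitive; drop the trailing dot that dig prints."""
    return name.strip().rstrip(".").lower()


def check_cname(domain: str, target: str) -> list:
    """Return findings for `domain -> target`; an empty list means the target
    is the Heroku SSL (SNI) form <domain>.herokudns.com."""
    domain, target = normalize(domain), normalize(target)
    expected = f"{domain}.herokudns.com"
    if target == expected:
        return []
    if HEROKUSSL.match(target):
        return ["SSL Endpoint add-on target (legacy); fine only if that "
                "add-on holds the certificate for this domain"]
    if HEROKUAPP.match(target):
        return [f"bare app hostname; the custom-domain certificate is not "
                f"served there, expected {expected}"]
    m = HEROKUDNS.match(target)
    if not m:
        return [f"not a Heroku target; expected {expected}"]
    findings = []
    if m.group("tld") != "com":
        findings.append(f"suffix is .herokudns.{m.group('tld')}, expected .herokudns.com")
    if m.group("name") != domain:
        findings.append(f"target embeds '{m.group('name')}', expected the full "
                        f"domain '{domain}' before .herokudns.com")
    return findings


if __name__ == "__main__":
    # Constructed from the values quoted in the questions above.
    for dom, tgt in [
        ("www.mycustomdomainname.com", "www.mycustomdomainname.com.herokudns.com."),
        ("www.mycustomdomainname.com", "www.mycustomdomainname.herokudns.app."),
        ("www.mycustomdomainname.com", "mycustomdomainname.herokudns.com."),
        ("*.staging.example.co", "app-staging.herokuapp.com"),
    ]:
        print(f"{dom} -> {tgt}: {check_cname(dom, tgt) or ['ok']}")
```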
After pointing your domain to the Heroku app, on your Heroku dashboard go to the Settings tab and scroll down to Custom Domains. There click on ADD DOMAIN and add your custom domain.
According to your explanation, the CNAME record is set up correctly for the domain.
Please make sure the domain is added from the Heroku end properly. This guide may help you https://devcenter.heroku.com/articles/custom-domains
Since Heroku is read-only and does not allow sudo, what do I need to do to be able to install the LetsEncrypt.org certificate on their server for my app?
If I have already set config.force_ssl = true does that matter?
I read the blog post in the first answer here, but I didn't want to pollute my code-base with ACME urls & logic. So I did something similar, but used DNS domain validation ...
With certbot, specify DNS as your preferred challenge:
sudo certbot certonly --manual --preferred-challenges dns
After a couple of prompts, certbot will tell you to deploy a DNS TXT record to validate your domain:
Please deploy a DNS TXT record under the name
_acme-challenge.www.codesy.io with the following value:
CxYdvM...5WvXR0
Once this is deployed,
Press ENTER to continue
Your domain registrar probably has its own docs for deploying a TXT record. Do that, and go back to certbot and press ENTER - Let's Encrypt will check the TXT record, sign the cert, and certbot will save it for you to upload to heroku.
See my own blog post for more detail.
Here are two bash functions that you can use to automate the process for you
function makessl {
  # Refuse to run without a domain argument rather than creating a bogus path.
  [ -n "${1}" ] || { echo "usage: makessl DOMAIN" >&2; return 1; }
  # Obtain a certificate for the domain via the DNS-01 challenge, then upload
  # the full chain and private key to the app as an SNI certificate.
  sudo certbot certonly --manual --rsa-key-size 4096 --preferred-challenges dns -d "${1}"
  sudo heroku certs:add --type=sni "/etc/letsencrypt/live/${1}/fullchain.pem" "/etc/letsencrypt/live/${1}/privkey.pem"
}
function renewssl {
  [ -n "${1}" ] || { echo "usage: renewssl DOMAIN" >&2; return 1; }
  # Re-run the challenge and replace the certificate already on the app.
  sudo certbot certonly --manual --rsa-key-size 4096 --preferred-challenges dns -d "${1}"
  sudo heroku certs:update "/etc/letsencrypt/live/${1}/fullchain.pem" "/etc/letsencrypt/live/${1}/privkey.pem"
}
They take an argument for the domain name, and as long as you run them from within your Heroku app folder you will not have to specify --app NAME.
Example: makessl www.domain.com
Example: renewssl www.domain.com
Combine this with #Eric's answer and you're good to go:
heroku certs:auto:enable
FYI, Heroku now offers automated certificate management w/ Let's Encrypt if you run a paid dyno. You can enable it with:
heroku certs:auto:enable
More info:
https://devcenter.heroku.com/articles/automated-certificate-management
Edit: This answer no longer applies.
It was written before Heroku implemented native support for LetsEncrypt. Leaving the rest for posterity, but this is no longer necessary. Use #Eric's answer now.
Installing the initial certificate
You can use certbot in manual mode to generate the challenge response, modify your site to return that response, then finally complete the certbot manual process.
See this blog post by Daniel Morrison, or the linked answer under Certificate Updates below, for more details.
Certificate updates
As #Flimm mentioned, and as is mentioned in the linked blog post, you'll have to update this every 3 months until Heroku provides better support for LetsEncrypt. You can make that process smoother (no code changes to upload) using an environment variable as described in this answer (Node/Express but the concepts are the same): https://stackoverflow.com/a/40199581/37168
Sabayon
There is a GitHub project that can automate all of this for you by setting your Heroku environment variables. It's a tiny webapp you install as another Heroku app that in turn configures your primary app. I haven't tried it yet but am planning to use it instead of updating my cert next time: https://github.com/dmathieu/sabayon
The default recommendation of Heroku is SSL using Server Name Indication
(SNI), which is free. Since you already obtained your certificate and key, you can add them by:
heroku certs:add <cert>.pem <key>.key
If you need to support legacy browser clients which do not support SNI, use the Heroku SSL Endpoint addon, which costs $20/mo:
Add that addon by running
heroku addons:create ssl:endpoint
And then add your LetsEncrypt.org certificates:
heroku certs:add <cert>.pem <key>.key
The best way can be to assign the new SSL domain (that starts with https) to your domain, which automatically overrides the non-http domain.
I created a certbot plugin that uses the Heroku CLI to automate authentication and installation of Let's Encrypt certificates: https://github.com/gboudreau/certbot-heroku
I only have an example that uses the php-nginx Heroku buildpack, but reading that example and finding the equivalent for other buildpacks should be easy enough.
Pull Requests are welcome to help others!
I have deployed a Azure cloud service with reserved IP using following configuration:
<InstanceAddress roleName="WorkerRole">
  <Subnets>
    <Subnet name="default" />
  </Subnets>
</InstanceAddress>
<ReservedIPs>
  <ReservedIP name="MyReservedIP" />
</ReservedIPs>
But when I'm trying to update this deployment and deploy to the staging slot, I'm getting the following:
Error: The Reserved IP MyReservedIP is currently in use by Deployment xxxxx belonging to HostedService xxxxx. Http Status Code: BadRequest OperationId:xxxx
Apparently when deploying to a staging slot you need to use a different reserved ip name. For instance:
Production worker has ReservedIp "ReservedIpProd"
Staging worker has ReservedIp "ReservedIpStaging"
When you deploy to staging the IP in use will be the staging IP. When you then swap staging to production the codebase will be changed but the reserved IPs stay attached to the slots they were originally assigned to.
For instance:
VIP swap staging to production
Your production deployment (which was previously staging) retains "ReservedIpProd"
Your staging environment (which was previously production) retains "ReservedIpStaging"
See the second comment here on the Azure Feedback Forum
I would suggest you try it this way and verify whether it works.
A comment on the name of the reserved IPs:
You must use exactly the same name that is shown by the PowerShell command Get-AzureReservedIP in the first line of every result, which is named "ReservedIPName". First use Add-AzureAccount to log in to your Azure account in PowerShell.
For example in my case it is a concatenation of the Resource group ("abc") and the name of the reserved IP ("defIP"). => "Group abc defIP"
ServiceConfiguration.myService.cscfg:
<ServiceConfiguration serviceName="mysvc" xmlns="http://schemas.microsoft.com/ServiceHosting/2008/10/ServiceConfiguration" osFamily="5" osVersion="*" schemaVersion="2015-04.2.6">
  ...
  <NetworkConfiguration>
    <AddressAssignments>
      <ReservedIPs>
        <ReservedIP name="Group abc defIP" />
      </ReservedIPs>
    </AddressAssignments>
  </NetworkConfiguration>
</ServiceConfiguration>
Problem: When entering www.domainname.com in the browser, I am redirected to http://mydomainname.com and it says that the site is not trusted. I have followed the Heroku docs, but it still fails.
I am running Rails 3+ on Heroku Cedar Stack and added the SSL-Endpoint addon, uploaded the certs and private key, and forwarded the CNAME in the DNS to the NAME.herokussl.com URL that was given to me via SSL-Endpoint. After running heroku certs, it says Trusted: true. I have waited 24+ hrs after setting the CNAMEs in Namecheap, but still cannot use the https secure address. Does anyone have a fix?
Adding the following line to my production.rb file fixed the issue for me.
#app/config/environments/production.rb
config.force_ssl = true