Heroku SSL sometimes works, sometimes doesn't work - ruby-on-rails

I configured my Heroku app with SSL Endpoint from Heroku and bought the certificate from DNSimple. When I browse to my site, sometimes it shows up with the green https:// (on Chrome) and other times (like when I click the home button, for some reason) the https:// turns red and gets crossed out and the certificate goes back to Heroku's default one instead of the one I purchased. If you then click the lock (to see the SSL) it'll say Identity not verified. How come sometimes it works and sometimes it doesn't?
A few things I have configured
my application.rb says
config.force_ssl = false
but in my production environment I set that to true
config.force_ssl = true
Looking on Firefox in the technical details I get a
(Error code: ssl_error_bad_cert_domain)

Check your DNS configuration. It may be that, for some reason, the domain is pointing to the Heroku standard app endpoint and not the Heroku SSL endpoint.
If this is happening randomly, make sure you don't have two DNS records associated with the same hostname. In fact, if you created two CNAMEs, one pointing to the SSL endpoint and one to the standard endpoint, your request will be randomly routed to one of those hostnames.
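An added example (not from the original answer) that audits CNAME records for exactly the condition described above: one hostname with two targets, or a target that is the standard app endpoint rather than the SSL endpoint. The zone data is constructed, and the assumption that SSL Endpoint hostnames end in `.herokussl.com` while the standard endpoint ends in `.herokuapp.com` is mine; adjust the patterns to your own records. The `live_cnames` helper uses Ruby's standard `Resolv` library and needs network access; the audit itself runs offline.

```ruby
require 'resolv'

# Constructed zone data for this example: hostname => CNAME targets returned for it.
# 'www' has two records, one per endpoint, which is the situation the answer describes.
SAMPLE_RECORDS = {
  'www.example.com'  => ['example-app.herokuapp.com', 'tokyo-1234.herokussl.com'],
  'app.example.com'  => ['tokyo-1234.herokussl.com'],
  'blog.example.com' => ['example-app.herokuapp.com']
}.freeze

# Assumed naming: SSL Endpoint hostnames end in .herokussl.com, the standard
# app endpoint ends in .herokuapp.com. Anything else is reported as :other.
def classify_target(target)
  case target.downcase.chomp('.')
  when /\.herokussl\.com\z/ then :ssl_endpoint
  when /\.herokuapp\.com\z/ then :standard_endpoint
  else :other
  end
end

# Returns a list of problems for one hostname; an empty list means the records look sane.
def check_hostname(targets)
  problems = []
  if targets.size > 1
    problems << "#{targets.size} CNAME records for one name: resolvers will hand back either one"
  end
  kinds = targets.map { |t| classify_target(t) }.uniq
  if kinds.include?(:ssl_endpoint) && kinds.include?(:standard_endpoint)
    problems << 'mixes SSL endpoint and standard endpoint targets: the certificate you see will vary per lookup'
  end
  unless kinds.include?(:ssl_endpoint)
    problems << "no SSL endpoint target: HTTPS will present Heroku's default certificate, not yours"
  end
  problems
end

# Audit a whole set of records; only hostnames with findings are returned.
def audit(records)
  records.each_with_object({}) do |(host, targets), out|
    problems = check_hostname(targets)
    out[host] = problems unless problems.empty?
  end
end

# Live lookup with the standard library resolver (needs network access); returns the CNAME targets.
def live_cnames(hostname)
  Resolv::DNS.open do |dns|
    dns.getresources(hostname, Resolv::DNS::Resource::IN::CNAME).map { |r| r.name.to_s }
  end
end

if __FILE__ == $PROGRAM_NAME
  audit(SAMPLE_RECORDS).each do |host, problems|
    puts host
    problems.each { |p| puts "  - #{p}" }
  end
end
```

To check a real hostname, feed `live_cnames('www.yourdomain.com')` into `check_hostname`, and run it a few times: with two records the answer you get may itself change between lookups, which is the symptom in the question. The "no SSL endpoint" finding is specific to the Heroku SSL Endpoint setup; a hostname fronted by some other TLS terminator will trip it, so treat that line as a prompt to look rather than a verdict.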

Related

Getting SSL error after downgrading to free dyno on Heroku

I recently downgraded one of my Heroku apps to a free dyno - as a result, the SSL was revoked (cos I was using the SSL provided with a paid dyno). Now, when I visit my site URL, it gives me this error: ERR_SSL_PROTOCOL_ERROR
I've edited my production.rb file to set: config.force_ssl = false and published that code, but it still redirects my site to https when I try to connect on http.
Now, to complicate things:
This only applies to my custom domain - the .herokuapp.com domain works fine
It works fine on incognito mode on both the custom domain and the herokuapp.com domain
I've tried clearing the cookies and cache (for the last 7 days) and it still didn't work :/
Any ideas what I can do?
Edit:
In case it helps, I am using Chrome on Windows 10
Given that you are using Chrome, according to this answer, you need to follow these steps to stop Chrome from redirecting http:// to https://.
Anon is right about STS, but there is a way to specifically delete your domain from the set. Go to chrome://net-internals/#hsts. Enter 3rdrevolution.com under Delete domain security policies and press the Delete button.
Now go to chrome://settings/clearBrowserData, tick the box Cached images and files and click the button Clear data.
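An added example, not part of the original question or answer, that models why the redirect survives a cookie and cache clear: `config.force_ssl = true` also sends a `Strict-Transport-Security` header, and the browser keeps that policy in its own HSTS store for `max-age` seconds. The store below follows RFC 6797 only as far as needed here (the header is honoured only over HTTPS, `max-age=0` deletes an entry, `includeSubDomains` extends it). The hostname is the one from the answer; the dates, the header value and the `max-age` are constructed, not Rails defaults.

```ruby
# Minimal model of a browser's HSTS store (RFC 6797), written for this example.
class HstsStore
  Entry = Struct.new(:expires_at, :include_subdomains)

  def initialize(clock = -> { Time.now })
    @entries = {}
    @clock = clock
  end

  # Parse "max-age=N[; includeSubDomains][; preload]"; returns nil for an invalid header.
  def self.parse(header)
    max_age = nil
    include_subdomains = false
    header.split(';').each do |directive|
      name, value = directive.split('=', 2).map(&:strip)
      case name.to_s.downcase
      when 'max-age'
        return nil unless value&.match?(/\A\d+\z/)
        max_age = value.to_i
      when 'includesubdomains'
        include_subdomains = true
      end
    end
    return nil if max_age.nil?
    { max_age: max_age, include_subdomains: include_subdomains }
  end

  # Record what one response teaches the browser. RFC 6797 section 8.1: the header is
  # ignored unless the response arrived over a valid HTTPS connection, so a site that has
  # lost its certificate cannot clear its own pin; max-age=0 over HTTPS deletes the entry.
  def observe(host, header, over_https:)
    return :ignored unless over_https && header
    policy = self.class.parse(header)
    return :ignored unless policy
    if policy[:max_age].zero?
      @entries.delete(host)
      :deleted
    else
      @entries[host] = Entry.new(@clock.call + policy[:max_age], policy[:include_subdomains])
      :stored
    end
  end

  # Would the browser rewrite http://host to https://host before sending anything?
  def upgrade?(host)
    now = @clock.call
    @entries.any? do |known, entry|
      entry.expires_at > now &&
        (host == known || (entry.include_subdomains && host.end_with?(".#{known}")))
    end
  end

  # Manual removal, the equivalent of "Delete domain security policies" in chrome://net-internals/#hsts
  def forget(host)
    @entries.delete(host) ? :deleted : :absent
  end
end

# Replays the sequence from the question with constructed data and a fixed clock.
def downgrade_scenario
  t = Time.utc(2020, 1, 1)
  store = HstsStore.new(-> { t })
  result = {}
  # While the paid dyno served HTTPS with force_ssl, each response carried an HSTS header (constructed value)
  store.observe('3rdrevolution.com', 'max-age=31536000; includeSubDomains', over_https: true)
  result[:after_https_visit] = store.upgrade?('3rdrevolution.com')
  # After the downgrade the site is plain HTTP; nothing it sends can change the stored policy
  store.observe('3rdrevolution.com', 'max-age=0', over_https: false)
  result[:after_http_attempt] = store.upgrade?('3rdrevolution.com')
  # The herokuapp.com hostname never sent the header, so it is unaffected
  result[:herokuapp_host] = store.upgrade?('myapp.herokuapp.com')
  # A fresh, empty store behaves like a profile that never saw the header
  result[:fresh_store] = HstsStore.new(-> { t }).upgrade?('3rdrevolution.com')
  store.forget('3rdrevolution.com')
  result[:after_manual_delete] = store.upgrade?('3rdrevolution.com')
  result
end
```

The practical consequence: cookies and cache are separate from the HSTS store, so clearing them changes nothing, and once the certificate is gone the server has no HTTPS channel over which a `max-age=0` header would be accepted; only the manual deletion in the answer (or waiting out `max-age`) ends the redirect.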

How to use HTTPS on my customdomain on Heroku?

I'm using Ruby on Rails and AngularJs in my app. I deployed to https://myapp.heroku.com and everything works fine.
Now I bought a custom domain at GoDaddy.com and I set it up with Heroku to redirect to my app. Works fine. The problem is, instead of using HTTPS it is using HTTP.
What are the steps to change this? I looked at a few tutorials but they seem old and not updated.
According to Heroku the SSL certificate is automatically managed. Do I need to buy a certificate at GoDaddy.com?
Yes, you'll need to get SSL certs from godaddy or some other providers.
Then
go to your app settings in heroku
Look under "Domains and certificates" section
Configure SSL button.
Now just follow the steps and you'll be done.
When it comes to SSL these days, do not run out and purchase one. It can be a waste of your money if you have the skills to set up auto-renewal with Let's Encrypt.
I would recommend checking out SSL Endpoint and Automated Certificate Management from Heroku on setting up and automating the SSL process. There's a lot of information in there and will help keep your costs down.
If this is a bit complicated or you would prefer another plan of attack, you can also use the Let's Encrypt Plugin for Ruby on Rails
Also, don't forget to turn config.force_ssl = true on in your config/environments/production.rb file. This way, Rails will redirect all HTTP traffic to HTTPS. If you would prefer the browser to do the redirects instead of the server, you can have Rails, since you're on Heroku and not a custom Nginx server, respond with a Strict-Transport-Security header; added link so you know how to configure this guy appropriately in regards to your application.
Yes, most web hosting companies require you to purchase an ssl certificate. In the case of GoDaddy.com, check out their ssl certificate page.
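An added example, not from any of the answers and not Rails' own `ActionDispatch::SSL`, showing what `config.force_ssl = true` does on Heroku: redirect plain-HTTP requests to HTTPS and add the `Strict-Transport-Security` header mentioned above. The one detail that matters on Heroku is that the router terminates TLS and forwards plain HTTP to the dyno, so the app cannot look at its own socket to know the scheme; it has to read `X-Forwarded-Proto`. The Rack env, the hostname and the header value are constructed for the example.

```ruby
# Stand-alone Rack-style middleware (no gem needed) illustrating force_ssl behind a TLS-terminating router.
class ForceSsl
  DEFAULT_HSTS = 'max-age=31536000; includeSubDomains'.freeze # constructed value, not a Rails default

  def initialize(app, hsts: DEFAULT_HSTS)
    @app = app
    @hsts = hsts
  end

  def call(env)
    if secure?(env)
      status, headers, body = @app.call(env)
      # Only responses that travelled over HTTPS should carry HSTS; browsers ignore it on plain HTTP anyway
      headers['Strict-Transport-Security'] ||= @hsts
      [status, headers, body]
    else
      # Same status choice Rails makes: 301 for GET/HEAD, 307 so a POST is replayed as a POST
      status = %w[GET HEAD].include?(env['REQUEST_METHOD']) ? 301 : 307
      [status, { 'Content-Type' => 'text/plain', 'Location' => https_location(env) }, []]
    end
  end

  private

  # Heroku's router sets X-Forwarded-Proto to the scheme the client used; rack.url_scheme on the
  # dyno is always "http". Trust the forwarded header only when the app is reachable solely through
  # the proxy; a client that can hit the dyno directly could forge it.
  def secure?(env)
    return true if env['rack.url_scheme'] == 'https'
    env['HTTP_X_FORWARDED_PROTO'].to_s.split(',').first.to_s.strip.downcase == 'https'
  end

  def https_location(env)
    host = env['HTTP_HOST'] || env['SERVER_NAME']
    query = env['QUERY_STRING'].to_s
    suffix = query.empty? ? '' : "?#{query}"
    "https://#{host}#{env['PATH_INFO']}#{suffix}"
  end
end

# Trivial downstream app standing in for the Rails application
OK_APP = ->(_env) { [200, { 'Content-Type' => 'text/plain' }, ['ok']] }

def handle(env)
  ForceSsl.new(OK_APP).call(env)
end

# Constructed Rack env resembling what a dyno receives from the Heroku router
def heroku_env(forwarded_proto, method: 'GET')
  {
    'REQUEST_METHOD' => method,
    'rack.url_scheme' => 'http',
    'HTTP_HOST' => 'beta.example.com',
    'PATH_INFO' => '/login',
    'QUERY_STRING' => 'next=%2Fdashboard',
    'HTTP_X_FORWARDED_PROTO' => forwarded_proto
  }
end

if __FILE__ == $PROGRAM_NAME
  p handle(heroku_env('http'))
  p handle(heroku_env('https'))
end
```

Two things to check in your own deployment: the redirect target is built from the `Host` header, so the app should only accept the hostnames it actually serves (Rails has `config.hosts` for this in recent versions), and if your app ever ignored `X-Forwarded-Proto` you would see an endless redirect loop on Heroku, because every request would look like plain HTTP to the dyno.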

CloudFlare SSL + Heroku custom domain not working

It's been more than 48 hours since I updated my CloudFlare DNS setting to point to my Heroku app. The custom domain works fine now without https://.
But when I try the https:// version, I get this:
This is my Heroku custom domain setting:
This is my CloudFlare DNS setting:
This is my CloudFlare SSL setting:
And lastly, this is my CloudFlare page rules setting:
I followed this CloudFlare guide and did not skip any step of it.
What am I missing here?
My app (http): http://beta.futurelab.my/
My app (https): https://beta.futurelab.my/
My Heroku app: http://future-lab-production.herokuapp.com OR https://future-lab-production.herokuapp.com
I want my app only available at https://beta.futurelab.my/ and force SSL sitewide.
Please help.
Seems like you added the CNAME record to Cloudflare but have not enabled it. You need to click on the cloud icon placed on the right of your Cloudflare DNS record row. It should turn orange when it is enabled.
Hope it helps.

Losing ssl when on some pages

I am using rails 4.2.2, deploying to production on Heroku and using the free level of Cloudflare for ssl. In my production.rb file I have set
config.force_ssl = true
If I am not signed in as a user, then ssl works and I see the padlock in the browser url bar, and I see it for all unsigned-in pages. However, once I log into the site, the padlock disappears on all signed-in pages. When I am signed in and choose a different signed-in page, the padlock temporarily appears as the page is being loaded but then disappears when the loading is complete. All this happens on both Chrome and Safari. I am not using Devise.
What could be causing this?
If you are using devise, take a look at this:
https://github.com/plataformatec/devise/wiki/How-To:-Use-SSL-(HTTPS)
Thanks to the support team at Cloudflare, I was able to solve this.
The signed in users can use a gravatar, but the gravatar_image_tag was not being used with the secure setting. This meant the image was being transferred using http not https. This could be seen by looking at the developer console, which was displaying an error indicating the page was displaying with mixed http and https. In order to fix this problem, I just used the secure setting for the gravatar_image_tag.
In my case, the page accesses some insecure assets (e.g. images in AWS S3). Chrome Developer Console shows that the page has mixed http and https content. Changing the S3 image links from http to https makes ssl work.
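An added example, not from either answer, of the check both answers did by hand in the developer console: find `http://` subresources (images, scripts, stylesheets) in a page that is served over HTTPS, since those are what make the browser drop the padlock. The HTML fragment is constructed; the gravatar and S3 hostnames in it are illustrative, and the "secure" gravatar host is assumed, not taken from the gem's code. Plain `<a>` links are deliberately not flagged, because navigation links are not mixed content.

```ruby
# Constructed page fragment with the kinds of references the two answers describe.
SAMPLE_HTML = <<~HTML
  <img src="http://www.gravatar.com/avatar/abc123?s=80" alt="avatar">
  <img src="https://secure.gravatar.com/avatar/abc123?s=80" alt="avatar">
  <img src="http://my-bucket.s3.amazonaws.com/uploads/photo.jpg" alt="upload">
  <script src="//cdn.example.com/app.js"></script>
  <link rel="stylesheet" href="/assets/application.css">
  <a href="http://example.com/help">help</a>
HTML

# Tags whose http:// subresources a browser treats as mixed content on an https page.
SUBRESOURCE_TAGS = %w[img script link iframe video audio source object embed].freeze

# Captures tag name, attribute and URL for src= / href= attributes. Good enough for a
# quick audit of your own templates; a real crawler would use an HTML parser.
REF_PATTERN = /<(?<tag>[a-z0-9]+)[^>]*?\s(?<attr>src|href)\s*=\s*["'](?<url>[^"']+)["']/i

# Returns one finding per insecure subresource, with the https rewrite the answers applied.
def scan_mixed_content(html)
  html.scan(REF_PATTERN).filter_map do |tag, attr, url|
    tag = tag.downcase
    next unless SUBRESOURCE_TAGS.include?(tag)
    next unless url =~ %r{\Ahttp://}i # https, relative and scheme-relative (//) URLs are fine
    { tag: tag, attr: attr.downcase, url: url, fix: url.sub(/\Ahttp:/i, 'https:') }
  end
end

# Rewrite the flagged references, the equivalent of switching the gravatar/S3 links to https.
def upgrade_mixed_content(html)
  scan_mixed_content(html).reduce(html) { |out, finding| out.sub(finding[:url], finding[:fix]) }
end

if __FILE__ == $PROGRAM_NAME
  scan_mixed_content(SAMPLE_HTML).each do |f|
    puts "<#{f[:tag]} #{f[:attr]}> #{f[:url]}  ->  #{f[:fix]}"
  end
end
```

Fixing the links at the source is the right answer, as both posters did. As a backstop for assets you do not control, the `Content-Security-Policy: upgrade-insecure-requests` directive tells the browser to fetch every `http://` subresource over `https://` instead, and `block-all-mixed-content` makes the page fail loudly rather than silently losing the padlock.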

heroku multiple subdomains with ssl possible?

I have this app on Heroku; the main part of it is called app.example.com, for which I have custom domains on Heroku, and I added SSL Endpoint to it. It's all working. By the way, the original www.example.com is very old, and it is hosted somewhere else, not on Heroku.
On heroku, I just
heroku domains:add app.example.com
Now, we have an order form for users to order stuff before they get to use the app, and the client wants to have its url as order.example.com instead of app.example.com/order. I looked up routing constraints in Rails from RailsCasts to handle this subdomain redirect, so all's good. Then I add it to Heroku's custom domains
heroku domains:add order.example.com
then I change the CNAME on the original host of www.example.com to have it point order.example.com to myapps.herokuapps.com (or something). And now accessing order.example.com does bring me to the order form! Just that the https part is showing the usual non-verified cert warning.
So I went ahead and got myself another godaddy certificate, but now when I try to add the certificate to heroku (I have done this once before for app.example.com's https)
heroku certs:add ~/ssl/combined.crt ~/ssl/nopass.key
Adding SSL endpoint to order-dev... failed
! only one SSL endpoint allowed per app (try certs:update instead)
So it seems like I can't actually have more than one SSL certificate per app, does that mean I can actually use what I have for certificate for app.example.com for order.example.com also? If so, what do I have to configure? Or am I doing this all wrong, if so, what should I have done instead?
Thank you for helping out here!
You should buy a wildcard certificate for *.example.com as opposed to multiple certs.
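An added example, not from the answer, showing why a single certificate can serve both hostnames on the one SSL endpoint: what matters is the set of DNS names in the certificate's subjectAltName, and the check below is the same hostname matching a TLS client performs (RFC 6125 wildcard rules, via Ruby's standard library). It goes slightly beyond the answer by also showing the alternative of one certificate that lists both names explicitly. The certificates are throwaway self-signed ones generated in memory for the demonstration; a real endpoint needs a CA-issued one.

```ruby
require 'openssl'

# Build a self-signed certificate whose subjectAltName lists the given DNS names.
def build_cert(dns_names)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3, required for extensions
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{dns_names.first}")
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = cert
  san = dns_names.map { |n| "DNS:#{n}" }.join(',')
  cert.add_extension(ef.create_extension('subjectAltName', san, false))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

# DNS names a certificate presents, read back from its subjectAltName extension.
def dns_names(cert)
  ext = cert.extensions.find { |e| e.oid == 'subjectAltName' }
  return [] unless ext
  ext.value.split(',').map(&:strip).filter_map { |e| e.delete_prefix('DNS:') if e.start_with?('DNS:') }
end

# Does this certificate satisfy a client connecting to `hostname`? A wildcard label matches
# exactly one label: *.example.com covers app.example.com but not example.com or a.b.example.com.
def covers?(cert, hostname)
  OpenSSL::SSL.verify_certificate_identity(cert, hostname)
end

# hostname => covered? for a list of hostnames
def coverage(cert, hostnames)
  hostnames.to_h { |h| [h, covers?(cert, h)] }
end

if __FILE__ == $PROGRAM_NAME
  wanted = %w[app.example.com order.example.com example.com a.b.example.com]
  p coverage(build_cert(['*.example.com']), wanted)
  p coverage(build_cert(['app.example.com', 'order.example.com']), wanted)
end
```

Run `dns_names` on the certificate you already uploaded for app.example.com: if it only lists that one name, order.example.com will keep showing the warning no matter how the endpoint is configured, which is what the `only one SSL endpoint allowed per app` error is steering you toward. With a wildcard (or multi-name) certificate, `heroku certs:update` replaces the existing one on that endpoint and both subdomains are served from it.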