I just bought an SSL certificate for my Heroku-deployed app. Following their instructions, I downloaded the certificate and private key, saved them in server.crt and server.key files (with some RapidSSL CA deal thrown in there), and am now planning on pushing and deploying. The worry is, my github repo is public, and I feel like it's a bad idea to push my "private" keys and certificates to a public site. Sort of defeats the purpose of the SSL, right?
But how else do I get it to work without publishing this info? I'm new to SSL and coding, and I just very much do not want to throw away the security I just spent good money on because I don't understand how this all works.
Sorry if this question wasn't very code-y. Just didn't know where better to ask.
EDIT -- I'm looking at Heroku docs right now that say to add a Heroku SSL Add-On, and then just type
heroku certs:add server.crt server.key
to get heroku to pick up on the files and use the SSL Certificate. But that doesn't change the problem that I have two files in my PUBLIC repo with PRIVATE security info. Do I just add them to .gitignore or something?
You should not check any of the files that you created for the SSL into the source control (server.crt, server.key, etc.), nor push them to Heroku. As Heroku's documentation states, you should use the certs command line to add them once you have an SSL add on.
Heroku does not require you to push those two files to your repository. You can simply do heroku certs, and it will pick and upload them from your local folder. The repo isn't involved.
Related
I am trying to setup my own domain with an SSL certificate but I just can't get it right. Do I have to put as a DNS the app URL or the DNS generated when I add my domain? I am using GoDaddy and I have seen a lot tutorials saying some of them that you have to use the *.herokuapp.com DNS and other say that the DNS generated in Heroku.
Also, when I look for my app in Google it says that the certificate is not valid for *.herokuapp.com but the one I uploaded was for my personal domain!
At last, sometimes I get the error NET::ERR_CERT_COMMON_NAME_INVALID, can someone help me please?
Automatic Certificate Management (ACM)
The simplest solution doesn't even require you to buy an SSL certificate, but you do need a paid dyno on Heroku. The $7 hobby tier works fine.
Add the custom domain to your app's domains using the CLI or web interface:
heroku domains:add www.custom-domain.com
Run heroku domains to see what your Heroku DNS target is (this is probably your-app.herokudns.com—note that this is not a .herokuapp.com domain)
Add a CNAME record in your DNS registrar pointing to your DNS target
Enable ACM by running
heroku certs:auto:enable
Wait for your certificate to be generated and enabled
It takes approximately 45 - 60 minutes to fully generate a TLS certificate for custom domains on your application. You can view the status of the certificate that is generated for all of your custom domains by running:
heroku certs:auto
If your status says “DNS Verified”, the process is not finished yet. It means we have verified your domain status and are still in the process of submitting it to Let’s Encrypt. The process will be complete when it says “OK”.
Congratulations! Your site should now have ACM enabled.
ACM is powered by Let's Encrypt, a fantastic free service for adding HTTPS to the web.
Custom certificates
It is also possible to set up HTTPS on Heroku using a custom TLS certificate. But ACM is much easier, and that's what I recommend using.
The heroku keys:add is a command that comes up frequently when reading about heroku on the internet.
What does it do exactly?
It's used to upload your public key if you are using SSH instead of HTTP as your git transport.
If you don’t already use SSH and if you want to use SSH Git transport
on Heroku, you’ll need to create a public/private key pair to deploy
code. This keypair is used for the strong cryptography and that
uniquely identifies you as a developer when pushing code changes.
Documentation
I missed the end date of my SSL certificate few days ago but I did buy the renew last month. My app runs with Ruby on Rails using Heroku and CloudFront for the assets. My SSL certificate come from RapidSSL.
Here is the process I did:
I got the RapiddSSL key by email that i store in a crt file
I ran the Heroku command line heroku certs:update cert.crt server.key -- app remote production
The command line heroku certs --app remote production results with a trusted status but when I open the URL browsers warns about that untrusted certificate.
At the same time none of application assets stored on CloudFront are available (net::ERR_INSECURE_RESPONSE).
I asked for help on Heroku assistance, they told me that the SSL certificate for the app is OK but it's seems to need an update for assets certificate.
So I went to AWS console in aim to find CloudFront SSL configuration, I ended on ACM console page to give the RapidSSL certificate to resolve the problem but I cannot be sure to take the right files to do this.
What I need is to solve the access to the website and to the associated assets to ensure trust of my customers.
What did I wrong? Am I missing something?
Thanks for any help you can provide!
Generally net::ERR_INSECURE_RESPONSE error occurres in SSL certificate when the browser found the mixed content warning. Which simply means few of your content is active with HTTP and others are active with HTTPS.
Please check your content portion, if you find any content which is active with HTTP, turn in into HTTPS.
It sounds like maybe the issue might be an outdated certificate on CloudFront.
If so, you can either upload your RapidSSL certificate using aws iam upload-server-certificate, or (I'd prefer) request a new certificate that you'll only use with CloudFront from AWS Certificate Manager. The latter is free, and AWS will autoupdate the certificate before it expires.
You can start this simple and quick process by going to your CloudFront distribution in AWS Console, and clicking Edit > Request or Import a Certificate with ACM
Once that is done, you will be able to choose the certificate from the Custom Certificate dropdown at the same location (screenshot).
Note: If you upload your RapidSSL certificate, it must be uploaded to eu-east-1 (N. Virginia) in order to be used with CloudFront. Requesting ACM Certificates must also be done in this region
If you provide an URL to your website, it's easier to confirm this issue.
I scribbled some notes on this here with more details on uploading your own/RapidSSL certificate.
I'm digging into the SSL installation for my app and it seems that my "basic" questions for the "how to start an ssl config" didn't find a clear answer.
I use a frontend in node that calls an API running on Ruby on Rails.
My front app delivers a multiple subdomain front service. Both (back and front) are hosted on Heroku and DNS points to 1and1 management.
I found some first steps with Geotrust provided by 1and1 and another choice that goes to letsencrypt.
My questions are :
If I had to choose one, which one between the backend and frontend would welcome the certificate ?
I tried to install a (paid, ofc.) Geotrust certificate on 1and1 but it fails. Is it related to the CNAME 1and1 <-> Heroku complexity, or because I didn't install the key yet on the app (and I don't know how) ?
If I plan to use SSL on front, I found installation of letsencrypt quite confusing. Between the npm letsencrypt and the "getting started" of the official website, there's a gap. Should I really need the node package ? Or is the certbot quite enough for making it working ?
Lots of informations but clearly not really operational for me. I'm sorry, probably I miss a thing in my readings.
We use git for version control. Right now only my account seems to be able to deploy successfully to a remote server for several apps, but I don't know why. I would like to set it up so that deploying works for other people at my company, but I don't really have the full picture laid out in my head so I don't know what needs to be done.
To me it seems like whoever wants to deploy needs a: user account on the server, an account on github, and permission to pull...? However, other users seem to have the notorious Permission denied (publickey). fatal: The remote end hung up unexpectedly and other errors.
Can anyone provide a short list of what I need to do on the server (make an account, add ssh keys or something?) and git (ssh keys again? not sure) to get the deploy to work?
Capistrano assumes you can ssh into the server you are deploying to. You are probably using a communal apps, deployer, or some other app-specific user to deploy your app. This will be the user that is set in your deploy.rb file.
You will need to copy everyone's public key into the authorized_keys of whatever your deploying user is. That is just how Capistrano works.