heroku multiple subdomains with ssl possible? - ruby-on-rails

I have this app on heroku the main part of it is called app.example.com for which I have custom domains on heroku, and added endpoint ssl to it. it's all working. By the way, the original www.example.com is very old, and it is hosted somewhere else not on Heroku.
On heroku, I just
heroku domains:add app.example.com
Now, we have an order form for user to order stuff before they get to use the app. and the client wants to have its url as order.example.com instead of app.example.com/order. I looked up routing constraint in Rails from RailsCasts to handle this subdomain redirect, so all's good. then I add it to heroku's custom domains
heroku domains:add order.example.com
then I change the CNAME on the original host of www.example.com to have it point order.example.com to myapps.herokuapps.com (or something). And now accessing order.example.com does bring me to the order form! Just that the https part is showing the usual non-verified cert warning.
So I went ahead and got myself another godaddy certificate, but now when I try to add the certificate to heroku (I have done this once before for app.example.com's https)
heroku certs:add ~/ssl/combined.crt ~/ssl/nopass.key
Adding SSL endpoint to order-dev... failed
! only one SSL endpoint allowed per app (try certs:update instead)
So it seems like I can't actually have more than one SSL certificate per app, does that mean I can actually use what I have for certificate for app.example.com for order.example.com also? If so, what do I have to configure? Or am I doing this all wrong, if so, what should I have done instead?
Thank you for helping out here!

You should buy wildcard certificate for *.example.com as opposed to multiple certs.

Related

How to use HTTPS on my customdomain on Heroku?

I'm using Ruby on Rails and AngularJs in my app. I deployed to https://myapp.heroku.com and everything works fine.
Now I bought a custom domain at GoDaddy.com and I set it up with Heroku to redirect to my app. Works fine. The problem is, instead of using HTTPS is using HTTP.
What are the steps to change this? I looked a few tutorials but they seem old and not updated.
According to Heroku the SSL certificate is automatically managed. Do I need to buy a certificate at GoDaddy.com?
Yes, you'll need to get SSL certs from godaddy or some other providers.
Then
go to your app settings in heroku
Look under "Domains and certificates" section
Configure SSL button.
Now just follow the steps and you'll be done.
When it comes to SSL these days, do not run out and purchase one. It can be a waste of your money if you have the skills to set up auto-renewal with Let's Encrypt.
I would recommend checking out SSL Endpoint and Automated Certificate Management from Heroku on setting up and automating the SSL process. There's a lot of information in there and will help keep your costs down.
If this is a bit complicated or you would prefer another plan of attack, you can also use the Let's Encrypt Plugin for Ruby on Rails
Also, don't forget to turn config.force_ssl = true on in your config/environments/production.rb file. This way, Rails will redirect all HTTP traffic to HTTPS. If you would prefer the browser to do the redirects instead of the server, you can have Rails, since you're on Heroku and not a customer Nginx server, respond with a Strict-Transport-Security header; added link so you know how to configure this guy appropriately in regards to your application.
Yes, most web hosting companies require you to purchase an ssl certificate. In the case of GoDaddy.com, check out their ssl certificate page.

CloudFlare SSL + Heroku custom domain not working

It's been more than 48 hours after I update my CloudFlare DNS setting to point to my Heroku app. The custom domain works fine now without https://.
But when I try the https:// version, I get this:
This is my Heroku custom domain setting:
This is my CloudFlare DNS setting:
This is my CloudFlare SSL setting:
And lastly, this is my CloudFlare page rules setting:
I follow this CloudFlare guide and not skip any step of it.
What am I missing here?
My app (http): http://beta.futurelab.my/
My app (https): https://beta.futurelab.my/
My Heroku app: http://future-lab-production.herokuapp.com OR https://future-lab-production.herokuapp.com
I want my app only available at https://beta.futurelab.my/ and force SSL sitewide.
Please help.
Seems like you added the CNAME record to Cloudflare but not enabled it. You need to click on the cloud icon placed on the right of your Cloudflare DNS record row. It should turn to orange when it is enabled.
Hope it helps.

Heroku SSL sometimes works, sometimes doesn't work

I configured my Heroku app with SSL Endpoint from Heroku and bought the certificate from DNSimple. When I browse to my site, sometimes it shows up with the green https:// (on chrome) and other times (like when I click the home button for some reason) the https:// turns red and gets crossed out and the certificate goes back to Heroku's default one instead of the one I purchased. If then you click the lock (to see the SSL) it'll say Identity not verified. How come sometimes it works and sometimes it doesnt??
A few things I have configured
my application.rb says
config.force_ssl = false
but in my production environment I set that to true
config.force_ssl = true
Looking on Firefox in the technical details i get a
(Error code: ssl_error_bad_cert_domain)
Check your DNS configuration. I may be, for some reason, the domain is pointing to the Heroku standard app endpoint and not the Heroku SSL endpoint.
If this is happening randomically, make sure you don't have two DNS records associated to the same hostname. In fact, if you created two CNAME one pointing to the SSL endpoint and one to the standard endpoint, your request will be randomly routed to one of those hostnames.

Need to setup heroku app on my domain server

Let me explain my needs.
I have an apps on heroku.com
Now I have my own domain on bluehost.com
Need to setup these heroku app on my domain.
means when I visit on mydomain.com url, its use heroku app not redirect on just work with my mydomain.com links.
Thanks
Heroku provides detailed docs on how to setup custom domains for your apps.
In a nutshell, you'll want to setup a www subdomain, redirect your naked domain to the www subdomain (mydomain.com -> www.mydomain.com), add a CNAME to the www subdomain pointing at your app (www.mydomain.com -> myapp.heroku.com), and add the www subdomain to the Heroku app (heroku domains:add www.mydomain.com).
There are other ways to set up a custom domain on a Heroku app, which the docs go into detail about. But the above is the most common.

How to get Google to forget I had an SSL site with Heroku SSL

I have a website, http://www.scubastic.com, which I use as a playground app for Ruby on Rails development and SEO hacking. I have run into an issue that I can not seem to fix on my own and it revolves around SSL, SEO, and Heroku.
TL;DR: I had an SSL site and I disabled it but Google still remembers the SSL site. How do I get Google to switch to the Non-SSL site when the SSL site still responds but with a Certificate error??
Basically, when I first created Scubastic.com, I setup Heroku SSL as an excercise in learning it. I setup Google Web Master Tools and began playing around with the various aspects of SEO as well. After I was satisfied, I disabled Heroku SSL and stopped the monthly bill.
Now I have a very interesting problem. Google can't seem to forget the HTTPS version of my site and index is quite stale. Worse, the link people get in Google greets them with an SSL Certificate issue (the *.herokuapp.com Cert doesn't match www.scubastic.com issue) which does nothing to help my page rank. If I manually click through the SSL errors, I do arrive at the website. I find this quite odd because I removed Heroku SSL entirely and the application still responds to SSL requests....to me this is a bug in Heroku and I wish I had greater control over the situation. Alas, I turned to trying to handle this at the application layer because SSL requests still hit the Rails stack (even though these requests should not respond at all!)
So my first attempt at fixing the Google index was to setup a 301 Moved Permanently redirect if any request came into the app as SSL.
class ApplicationController < ActionController::Base
before_filter :redirect_ssl
private
#only need this until Google doesn't link to HTTPS anymore
def redirect_ssl
if request.ssl?
redirect_to "http://#{request.host_with_port}#{request.fullpath}",
:status => :moved_permanently
end
end
end
If you go to Google and search for my site name, you can see the issue I'm having:
https://www.google.com/?q=scubastic
I basically just want Google to stop linking to my SSL site and refresh with the latest content.
Thank in advance for your help.
I was able to resolve the issue with my original post and a lot of patience. It took 5 days for google to update its index but now the link google serves to my site is the non-ssl version.
The redirect is not going to help currently because browsers will barf when they get an invalid certificate when trying to establish a SSL connection to Heroku and that's before any HTTP is done. I don't think it's a bug with Heroku: You removed SSL (and by implication the certificate) and that leaves no way for Heroku to respond correctly to SSL connection requests to your domain.
Here's what you can do:
Re-add SSL on Heroku
Add the redirection you have
Wait for Google to cotton on to the change
Remove SSL
There is also the option of actively asking Google to remove the page, because it's old/not available anymore: Check the webmaster tools help for how to "Remove old or deleted information from Google".

Resources