
Is it possible to have many SSL certificates in a single Heroku application?

We have multiple domain names of different types and TLDs pointing to our application and need to secure each domain name, preferably without redirecting to a different secure URL.

Dallas Clark
  • See answer here: http://stackoverflow.com/questions/13328586/multiple-ssl-certificates-on-single-heroku-app. Should work on the Heroku Cedar stack just fine. – schmielson Aug 21 '13 at 19:37
  • Unfortunately this didn't resolve our requirements. We have multiple domain names belonging to multiple companies. A SAN/UCC certificate is only available for domain names owned by the same entity/company/individual. We created an iFrame in the background as a quick-fix but we have since moved our platform to our own infrastructure. – Dallas Clark Aug 22 '13 at 01:37

5 Answers


There is a way to have multiple SSL endpoints routing traffic to the same app.

An SSL endpoint works by terminating the SSL connection and injecting the unencrypted traffic back into the normal Heroku routing layer.

You can take advantage of this by creating a new app with a new SSL endpoint to terminate the SSL connection and route the traffic to your existing app:

  1. Add your domain name to your app:

    $ heroku domains:add ssl.example.com

  2. Create a new app:

    $ heroku create endpoint-for-example-com

  3. Add the SSL endpoint add-on ($20/mo):

    $ heroku addons:create ssl:endpoint --app endpoint-for-example-com

  4. Add your certificate to your new app:

     $ heroku certs:add server.crt bundle.pem server.key --app endpoint-for-example-com --type endpoint
     Resolving trust chain... done
     Adding SSL Endpoint to endpoint-for-example-com... done
     endpoint-for-example-com now served by kagawa-1482.herokussl.example.com
    
  5. Use the SSL endpoint assigned to your new app (e.g. kagawa-1482.herokussl.example.com) as the CNAME host for the domain name you wish to secure. This is normally done in your domain's DNS configuration.

The new app does not need any dynos, but there will be a charge of $20 / month for the SSL endpoint add-on.

Notes:

  • This solution is not documented by Heroku, so it's possible that they would remove or change this behaviour in the future. Heroku have confirmed that this is safe for production use.
  • Be sure to create your endpoints in the same region as your primary app.
  • It might take a while for your DNS changes to take effect.
Sam Oliver
    Hey Sam, can you give me a little more guidance on the setup of the DNS? If I don't have an app running on that SSL host server, how do I get newdomain.com to point to the app on domain.com while getting the SSL certificate on the newdomain-ssl app? – Brad Herman Jan 23 '14 at 21:48
  • Brad - on your newdomain, you need to add a CNAME record pointing to the new SSL endpoint. Heroku will then take care of routing the request to the oldapp because you've added newdomain to it in Step 1 above. – Alex Jan 27 '14 at 22:52
  • Not sure why this isn't the one with the green check. This works really well, and I would guess that Heroku will allow this for a while; it technically does not cost them anything more because the endpoint instance is dormant and the DNS takes you right to the correct app. – dsmithco May 03 '14 at 01:14
  • It took about an hour for my SSL to work after making the DNS changes and installing the cert. – dsmithco May 03 '14 at 01:15
  • I just received confirmation from Heroku Support and their Routing Team that this approach should be safe for production use. – Loktar Jul 23 '14 at 22:28
  • If I'm serving two domains (let's say example.com and www.example.com), does this mean that I have to pay $40/mo for SSL endpoints ($20 for each), or will it be just $20/mo? – Spundun Feb 06 '15 at 22:25
  • Spundun - for just www.example.com and example.com you're better off using a wildcard certificate and pointing it to the same Heroku SSL endpoint. If you are going to use two distinct domains (example.com and example2.com) then yes, you will be paying $20 for each separate one. – Patm Mar 09 '15 at 13:38
  • I fail to see how this answer enables **multiple SSL certs** for multiple (wildcard) domains to be mapped to a single app with running dynos. If I have an app called "myapp" with scaled dynos that I added domains "www.foo.com" and "www.bar.com", I can add one--and only one--SSL endpoint directly to that app using my `*.foo.com` cert. This answer then says to create another app called "myappssl" (with no dynos) just for adding another SSL endpoint for my `*.bar.com` cert. DNS CNAME mappings aside, what command-line param do I use to link "myappssl" to "myapp" if "--app" is used for "myappssl"? – Erhhung Mar 24 '15 at 02:18
  • I think I understand now... I need to create only one *SSL* app to install each SSL cert on an SSL endpoint, and by configuring a specific Heroku app (with dynos) to handle all the domains that I want traffic routed to, Heroku will examine the URL, along with SNI, to perform the proper routing. For my one wildcard cert, `*.foo.com`, I've been adding a separate SSL endpoint to each of my "foo.com", "dev.foo.com", and "test.foo.com" apps (that's $20 x 3!), so I guess I really only need one, then! – Erhhung Mar 24 '15 at 02:41
  • If I add a second app, and the SSL endpoint directs HTTPS traffic from that endpoint to my primary app, what happens to non-HTTPS traffic on the second app? Say in this example I visit http://ssl.example.com - do I need a dyno to handle that request? (In my actual case, `ssl` isn't in the domain name, so it makes sense for it to receive unencrypted traffic) – Gareth Oct 07 '15 at 14:54
  • Confirmed this still works. Heroku support also confirmed that this is the only way to achieve this unless you use a SAN certificate, which are quite expensive. – Max Woolf Feb 22 '16 at 10:45
  • It works fine with the paid SSL endpoint add-on. For the record, it currently does not work with the free Heroku SSL (Beta). – TripleH Jun 09 '16 at 09:39
  • I'll take it back, it should work, some joker had set a redirect rule at the web server level that was rewriting the URL to be that of the original site – BSB Sep 29 '17 at 18:35

Recently Heroku has added automatic Let's Encrypt TLS certificates for paid dynos, hobby and up. This will work across any number of domains and subdomains automatically. This method only works if you don't need wildcard subdomains.


Additionally, you can manage the LE certificate yourself across multiple domains and subdomains with certbot:

certbot certonly --standalone -d example.com -d www.example.com -d test.net

You can refer to the Heroku doc for uploading custom certificates.

denixtry
    With free wildcard certs now available from LetsEncrypt as of March 2018, is ACM support for this on Heroku on your roadmap? https://community.letsencrypt.org/t/acme-v2-and-wildcard-certificate-support-is-live/55579/ – kvirani Apr 09 '18 at 01:46

While not the exact same as OP's question, I was able to achieve this on Heroku with a single SAN (Subject Alternative Name) certificate for about $25/year.

I generated a CSR with multiple subject alternative names (subjectAltName) in OSX by:

  1. Copying /System/Library/OpenSSL/openssl.cnf to the current directory, and amending the relevant sections ([req] and [v3_req]):

    [req]
    req_extensions = v3_req
    
    [v3_req]
    subjectAltName=DNS:www.example1.com,DNS:www.example2.com,DNS:www.example3.com
    
  2. Then I used this new .cnf when generating the CSR:

    openssl req -nodes -newkey rsa:2048 -keyout server.key -out server.csr -config openssl.cnf
    
  3. I purchased the cert from SSLs.com. Their Comodo "PositiveSSL Multi-Domain" is $25.99/yr as of this writing and supports from 3 to 100 domains (domains over 3 cost something like $12 each).

  4. I concatenated the CA bundle and .crt that I was sent into a single .crt (in that order) and added it to Heroku. All 3 domains were added to the app and pointed to the same CNAME, and all resolve over https:// as expected.

Much cheaper than $240/yr for an additional endpoint, if this is a viable route for anyone interested.

Relevant links:

Charlie Schliesser
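The thread above comes down to one question: which certificate (wildcard, SAN, or one per endpoint) covers which hostname, and therefore how many $20/mo endpoints are needed. The following is an added example, not code from Heroku or any poster here; it applies the standard TLS hostname-matching rules (a wildcard is only valid as the whole leftmost label and matches exactly one label, so `*.foo.com` does not cover the bare apex `foo.com`) to a constructed set of certificates and hostnames and counts the distinct certificates used.

```python
"""Plan which certificate (and so which Heroku SSL endpoint) covers each
hostname, using RFC 6125 wildcard rules. Added example for this thread; the
certificate SAN lists and hostnames below are constructed samples."""


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Return True if a DNS SAN entry (possibly a wildcard) covers hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    plabels = pattern.split(".")
    hlabels = hostname.split(".")
    # The wildcard must be the entire leftmost label, the pattern needs at
    # least two more labels (no "*.com"), and it matches exactly one label,
    # so "*.foo.com" covers "www.foo.com" but not "foo.com" or "a.b.foo.com".
    if plabels[0] != "*" or len(plabels) < 3 or len(plabels) != len(hlabels):
        return False
    return plabels[1:] == hlabels[1:]


def plan_endpoints(domains, certs):
    """certs maps a certificate label to its list of DNS SAN entries.

    Returns (assignment, uncovered): assignment maps each hostname to the
    first certificate that covers it; uncovered lists hostnames no
    certificate covers. Each distinct certificate used is one SSL endpoint
    (one extra app in the accepted answer's scheme)."""
    assignment, uncovered = {}, []
    for host in domains:
        for label, sans in certs.items():
            if any(hostname_matches(san, host) for san in sans):
                assignment[host] = label
                break
        else:
            uncovered.append(host)
    return assignment, uncovered


def endpoints_needed(assignment):
    """Number of distinct certificates, i.e. SSL endpoints, in an assignment."""
    return len(set(assignment.values()))


# Constructed sample: one wildcard cert and one multi-domain SAN cert.
SAMPLE_CERTS = {
    "wildcard-foo": ["*.foo.com"],
    "san-multi": ["www.example1.com", "www.example2.com", "www.example3.com"],
}
SAMPLE_DOMAINS = ["www.foo.com", "dev.foo.com", "foo.com",
                  "www.example2.com", "www.bar.com"]
```

Running `plan_endpoints(SAMPLE_DOMAINS, SAMPLE_CERTS)` shows `foo.com` and `www.bar.com` left uncovered by these two certificates, so they would need an apex entry on the SAN cert or a further endpoint.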

I'm dealing with this myself. Heroku suggests getting a SAN/UCC certificate, which lets you list several domains. Just did it with GoDaddy and it's working fine so far.

https://devcenter.heroku.com/articles/ssl-endpoint#serving-multiple-domains

bevanb

We have multiple domain names belonging to multiple companies. A SAN/UCC certificate is only available for domain names owned by the same entity/company/individual. We created an iFrame in the background as a quick-fix but we have since moved our platform to our own infrastructure.

Dallas Clark