3

I followed the instructions to the letter here -- https://devcenter.heroku.com/articles/ssl-certificate --, and they were helpful, especially since DNSimple is my registrar of choice. I got everything up and running as far as I know, purchased the certs (via DNSimple and RapidSSL), combined the crt and the CA bundle, and sent them up via the heroku client:

$ heroku ssl
www.website.com has a SSL certificate registered to /serialNumber=…
website.com has a SSL certificate registered to /serialNumber=…

But when I go to my apps (I even restarted them) they are still using the certs for *.herokuapp.com. Is there anything I've missed? Why would things be coming up as *.herokuapp.com?

From the top, here are the pieces provided to me from the related parties.

  • From DNSimple (on the cert details page) : Private Key
  • From DNSimple (on the cert details page) : Certificate
  • From RapidSSL's CA Download page (linked from DNSimple) : CA bundle "pem"
  • From email sent by RapidSSL / Geotrust : Web Server CERTIFICATE
  • From email sent by RapidSSL / Geotrust : INTERMEDIATE CA

I imagine that the "private key" is what I need in the second part of the heroku ssl:add dance: heroku ssl:add site.pem private.key

But it seems that I'm doing something wrong when I'm putting together the "pem" file for the first file I'm sending with heroku ssl:add. Of the pieces above - what needs to be combined in order for this to work?

Simone Carletti
jayroh

2 Answers

4

I know this question is old, but I just hit the same problem and found the answer, at least in my case.

I had my DNS pointing to my-app.herokuapp.com but the SSL endpoint is different. You can find the SSL endpoint like this:

$ heroku certs
Endpoint                  Common Name(s)                Expires               Trusted
------------------------  ----------------------------  --------------------  -------
osaka-5565.herokussl.com  www.example.com, example.com  2014-05-18 09:32 UTC  True

Your endpoint will be different from that. Once you change your CNAME and/or ALIAS records to point to the SSL endpoint, you'll get your own certificate instead of the herokuapp wildcard.

Aron Griffis
  • Hello Aron, I don't really understand your solution. I have the same problem. heroku certs gives me: velociraptor-88819 www.{myapp}.com, {myapp}.com 2018-04-24 23:59 UTC True SNI. What DNS should I change and how do I do that with Heroku? – Jerome2606 Apr 25 '17 at 13:03
  • @Jerome2606 use "heroku certs" to find your SSL endpoint, then update your CNAME so it points to your SSL endpoint instead of pointing to herokuapp.com. If that doesn't make sense then you might need to ask a new stackoverflow question. I'll look for it... – Aron Griffis Apr 25 '17 at 22:53
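
The check described in the answer above, as an added example that is not part of the original thread: it reads the `heroku certs` table, finds the SSL endpoint that covers a domain, and compares it with the domain's CNAME target. The function names and result strings are assumptions made for this illustration, and the parser assumes the four-column table layout quoted in the answer.

```bash
#!/usr/bin/env bash
# Added example (not from the thread). SAMPLE_CERTS is the `heroku certs`
# output quoted in the answer, embedded so the script runs offline.
SAMPLE_CERTS='Endpoint                  Common Name(s)                Expires               Trusted
------------------------  ----------------------------  --------------------  -------
osaka-5565.herokussl.com  www.example.com, example.com  2014-05-18 09:32 UTC  True'

# endpoint_for_domain <domain> <certs-output>
# Print the SSL endpoint whose "Common Name(s)" column lists the domain.
# Columns are separated by two or more spaces, so names may contain ", ".
endpoint_for_domain() {
  printf '%s\n' "$2" | awk -F '  +' -v d="$1" '
    $1 == "Endpoint" || $1 ~ /^-+$/ { next }   # header and separator rows
    {
      n = split($2, names, /, */)
      for (i = 1; i <= n; i++) if (names[i] == d) { print $1; exit }
    }'
}

# check_dns <domain> <cname-target> <certs-output>
# Prints one of: ok, herokuapp-wildcard, mismatch, no-cert-for-domain.
check_dns() {
  local domain target certs expected
  domain=$1
  certs=$3
  target=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
  target=${target%.}                 # dig prints a trailing dot
  expected=$(endpoint_for_domain "$domain" "$certs")
  if [ -z "$expected" ]; then
    echo "no-cert-for-domain"        # no uploaded cert names this host
  elif [ "$target" = "$expected" ]; then
    echo "ok"                        # DNS points at the SSL endpoint
  else
    case "$target" in
      *.herokuapp.com) echo "herokuapp-wildcard" ;;  # symptom in the question
      *)               echo "mismatch" ;;
    esac
  fi
}

# Constructed CNAME targets run against the sample table.
echo "CNAME at app hostname: $(check_dns www.example.com my-app.herokuapp.com. "$SAMPLE_CERTS")"
echo "CNAME at SSL endpoint: $(check_dns www.example.com osaka-5565.herokussl.com. "$SAMPLE_CERTS")"

# Live use (needs network and the Heroku CLI):
#   check_dns www.example.com "$(dig +short CNAME www.example.com)" "$(heroku certs)"
```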
0

Make sure you're not viewing the naked domain name: https://yourwebsite.com is not supported with SSL on Heroku, whereas https://www.yourwebsite.com is.

If this ends up being the issue you'll have to make sure the naked domain name redirects to a subdomain like www.

bcardarella
  • Maybe things have changed since 2012... Apex domains are working fine for me with SSL. – Aron Griffis Feb 15 '14 at 02:49
  • @AronGriffis could you please help me in this http://stackoverflow.com/questions/37766864/godaddy-with-heroku-not-running-https-for-non-www-domain , this is related to the current question – Raghvendra Parashar Jun 13 '16 at 14:34