17

Since Heroku is read-only and does not allow sudo, what do I need to do to be able to install the LetsEncrypt.org certificate on their server for my app?

If I have already set config.force_ssl = true does that matter?

blnc
  • 4,384
  • 1
  • 28
  • 42
  • 1
    http://collectiveidea.com/blog/archives/2016/01/12/lets-encrypt-with-a-rails-app-on-heroku/ – stone Oct 22 '16 at 05:14

6 Answers6

10

I read the blog post in the first answer here, but I didn't want to pollute my code-base with ACME urls & logic. So I did something similar, but used DNS domain validation ...

With certbot, specify DNS as your preferred challenge:

sudo certbot certonly --manual --preferred-challenges dns

After a couple of prompts, certbot will tell you to deply a DNS TXT record to validate your domain:

Please deploy a DNS TXT record under the name
_acme-challenge.www.codesy.io with the following value:

CxYdvM...5WvXR0

Once this is deployed,
Press ENTER to continue

Your domain registrar probably has its own docs for deploying a TXT record. Do that, and go back to certbot and press ENTER - Let's Encrypt will check the TXT record, sign the cert, and certbot will save it for you to upload to heroku.

See my own blog post for more detail.

Here are two bash functions that you can use to automate the process for you

function makessl {
    sudo certbot certonly --manual --rsa-key-size 4096 --preferred-challenges dns -d ${1}
    sudo heroku certs:add --type=sni /etc/letsencrypt/live/${1}/fullchain.pem /etc/letsencrypt/live/${1}/privkey.pem
}

function renewssl {
    sudo certbot certonly --manual --rsa-key-size 4096 --preferred-challenges dns -d ${1}
    sudo heroku certs:update /etc/letsencrypt/live/${1}/fullchain.pem /etc/letsencrypt/live/${1}/privkey.pem
}

They take an arguement for the domain name and as long as you run them from within your heroku app folder you will not have to specify an --app NAME

Example: makessl www.domain.com

Example: renewssl www.domain.com

Combine this is @Eric's answer and you're good to go:

heroku certs:auto:enable

blnc
  • 4,384
  • 1
  • 28
  • 42
groovecoder
  • 1,551
  • 1
  • 17
  • 27
  • 1
    **This is a *GREAT* answer** that removes the need of updating the `response tokens` – blnc Mar 02 '17 at 19:30
5

FYI, Heroku now offers automated certificate management w/ Let's Encrypt if you run a paid dyno. You can enable it with:

heroku certs:auto:enable

More info:

https://devcenter.heroku.com/articles/automated-certificate-management

Eric
  • 316
  • 1
  • 3
  • 10
2

Edit: This answer no longer applies.

It was written before Heroku implemented native support for LetsEncrypt. Leaving the rest for posterity, but this is no longer necessary. Use @Eric's answer now.

Installing the initial certificate

You can use certbot in manual mode to generate the challenge response, modify your site to return that response, then finally complete the certbot manual process.

See this blog post by Daniel Morrison, or the linked answer under Certificate Updates below, for more details.

Certificate updates

As @Flimm mentioned, and as is mentioned in the linked blog post, you'll have to update this every 3 months until Heroku provides better support for LetsEncrypt. You can make that process smoother (no code changes to upload) using an environment variable as described in this answer (Node/Express but the concepts are the same): https://stackoverflow.com/a/40199581/37168

Sabayon

There is a GitHub project that can automate all of this for you by setting your Heroku environment variables. It's a tiny webapp you install as another Heroku app that in turn configures your primary app. I haven't tried it yet but am planning to use it instead of updating my cert next time: https://github.com/dmathieu/sabayon

Community
  • 1
  • 1
stone
  • 8,422
  • 5
  • 54
  • 66
1

The default recommendation of Heroku is SSL using Server Name Indication (SNI), which is free. Since you already obtained your certificate and key, you can add them by:

heroku certs:add <cert>.pem <key>.key

If you need to support legacy browser clients which do not support SNI use the Herkou SSL Endpoint addon which costs $20/mo:

Add that addon by running

heroku addons:create ssl:endpoint

And then add your LetsEncrypt.org certificates:

heroku certs:add <cert>.pem <key>.key
Tom König
  • 173
  • 4
  • 2
    Unfortunately, you'll to manually redo this regularly, Let's Encrypt certificates only last 90 days. – Flimm Nov 17 '16 at 13:54
0

the best way can be to assign the new ssl domain(that starts with https) to your domain which automatically overrides the non-http domain

Apoorv
  • 1,338
  • 1
  • 17
  • 18
0

I created a certbot plugin that uses the Heroku CLI to automate authentication and installation of Let's Encrypt certificates: https://github.com/gboudreau/certbot-heroku

I only have an example that uses the php-nginx Heroku buildpack, but reading that example and finding the equivalent for other buildpacks should be easy enough. Pull Requests are welcome to help others!

Guillaume Boudreau
  • 2,676
  • 29
  • 27