
Heroku gives simple instructions for updating your certificates for SSL:

$ heroku certs:update server.crt server.key

However, there is no indication that any verification is done before deploying. As this is production, I want to be sure that the two files I'm giving them will not cause any security snafus.

I have my foo_com.crt (which was signed by DigiCert), server.key, and DigiCertCA.crt.

I've found that I can use security verify-cert -c certificate.pem to verify my certificate (on OS X). My certificate doesn't verify though:

$ security verify-cert -c foo_com.crt
Cert Verify Result: CSSMERR_TP_NOT_TRUSTED

Which leads me to believe that my intermediary may not be trusted but:

$ security verify-cert -c DigiCertCA.crt
...certificate verification successful.

Specifying a purpose of SSL succeeds too:

$ security verify-cert -p ssl -c foo_com.crt
...certificate verification successful.

I tried on a Linux box as well with similar mixed results.

$ openssl verify foo_com.crt
C = __, ST = ___, L = ___, O = "Foo Inc", CN = foo.com
error 20 at 0 depth lookup: unable to get local issuer certificate
error foo_com.crt: verification failed

$ openssl verify -CAfile DigiCertCA.crt foo_com.crt
foo_com.crt: OK

$ openssl verify -purpose sslserver -CApath /etc/ssl/certs foo_com.crt
C = __, ST = ___, L = ___, O = "Foo Inc", CN = foo.com
error 20 at 0 depth lookup: unable to get local issuer certificate
error foo_com.crt: verification failed

How can I be sure that when I update my certificates in Heroku, that everything will work smoothly?

Related: Renewing SSL certificate on Heroku

jww
0xtobit
  • Is there any reason you aren't using [Automated Certificate Management](https://devcenter.heroku.com/articles/automated-certificate-management)? It's much simpler than what you're doing. – ChrisGPT was on strike Oct 20 '17 at 20:57
  • Not a good reason. Suffice it to say a manager in our chain would prefer we roll our own. – 0xtobit Oct 23 '17 at 15:57

1 Answer


A suggestion from a colleague to run nginx led me to a confident way to know that everything would deploy smoothly.

I configured nginx with

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    # one server_name directive listing every name the test will connect to
    server_name server_IP_address localhost;

    # nginx reads the whole chain from this file: the leaf certificate first,
    # then the intermediate(s), in that order (the same bundle Heroku expects)
    ssl_certificate /Users/traff/cert/gd.crt;
    ssl_certificate_key /Users/traff/cert/server.key;
    ...
}

Once I had my nginx server set up, I ran openssl s_client -connect localhost:443 -CApath /etc/ssl/certs. Then, after setting up foo.com in my hosts file to point to my nginx server, I used curl https://foo.com.

Using the concatenation of foo_com.crt and DigiCertCA.crt (in that order) and server.key, upload was successful.

Furthermore, though Heroku's documentation does not state it, the update step does verify that SSL will serve properly:

$ heroku certs:update foo_com_DigiCertCA_cat.crt server.key -a my-app
Resolving trust chain... done
 _    Potentially Destructive Action
 _    This command will change the certificate of endpoint ____
 _    (_______.herokussl.com) from _ my-app.
 _    To proceed, type my-app or re-run this command with
 _    --confirm my-app

> my-app
Updating SSL certificate _____ (____.herokussl.com) for _ my-app... done
Updated certificate details:
Common Name(s): foo.com
Expires At:     DateTime
Issuer:         /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Server CA
Starts At:      DigiCert
Subject:        blah blah blah
SSL certificate is verified by a root authority.
0xtobit
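As an added example (not part of the question or the answer above), the script below does offline the checks that the question's openssl verify attempts and the answer's nginx plus s_client round trip were after, before anything is handed to heroku certs:update. It covers the two things that went wrong in the question and answer: openssl verify -CApath /etc/ssl/certs fails with error 20 because the intermediate is not in the system store and has to be supplied with -untrusted (while -CAfile DigiCertCA.crt only "succeeds" by treating the intermediate itself as a trust anchor), and the uploaded bundle must be leaf first, then intermediate. It also confirms that server.key actually belongs to the leaf. Everything it consumes is constructed: a throwaway root, intermediate and leaf are generated in a temp dir (named root.crt, DigiCertCA.crt and foo_com.crt as stand-ins for the DigiCert root, DigiCertCA.crt and foo_com.crt), so it runs with nothing but the openssl CLI. With real files, drop make_test_pki and point the checks at your own leaf, intermediate, key and the DigiCert root; the bundle name foo_com_DigiCertCA_cat.crt just mirrors the answer.

```shell
#!/usr/bin/env bash
# Preflight for the files handed to `heroku certs:update`: key matches the leaf,
# leaf chains to a trusted root *through* the intermediate, bundle is ordered
# leaf-then-intermediate. All inputs are constructed stand-ins (see make_test_pki).
set -euo pipefail

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed test PKI: root.crt / DigiCertCA.crt / foo_com.crt stand in for the
# DigiCert root, the DigiCert intermediate and the real leaf. Not real DigiCert data.
make_test_pki() {
  cd "$WORK"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >ca.ext
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Test Root CA" -keyout root.key -out root.csr 2>/dev/null
  openssl x509 -req -in root.csr -signkey root.key -days 30 -extfile ca.ext -out root.crt 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Test Intermediate CA" -keyout inter.key -out inter.csr 2>/dev/null
  openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -days 30 -extfile ca.ext -out DigiCertCA.crt 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:foo.com\n' >leaf.ext
  openssl req -newkey rsa:2048 -nodes -subj "/CN=foo.com" -keyout server.key -out leaf.csr 2>/dev/null
  openssl x509 -req -in leaf.csr -CA DigiCertCA.crt -CAkey inter.key -CAcreateserial \
    -days 30 -extfile leaf.ext -out foo_com.crt 2>/dev/null
  openssl genrsa -out wrong.key 2048 2>/dev/null   # unrelated key, for the negative check
}

# 1. The private key must belong to the leaf: compare public keys (works for RSA and EC).
key_matches_cert() {  # $1 = cert, $2 = key
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# 2a. What the question ran: leaf against a store without the intermediate.
#     Fails with "unable to get local issuer certificate" (error 20).
verify_leaf_only() {  # $1 = leaf, $2 = trusted root(s)
  openssl verify -purpose sslserver -CAfile "$2" "$1" >/dev/null 2>&1
}

# 2b. Give the intermediate as *untrusted* input so the chain is built through it
#     up to the root. -CAfile DigiCertCA.crt alone would treat the intermediate
#     itself as a trust anchor, which is not what a browser does.
verify_with_intermediate() {  # $1 = leaf, $2 = intermediate, $3 = trusted root(s)
  openssl verify -purpose sslserver -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1
}

# 3. The bundle Heroku (and nginx's ssl_certificate) expect: leaf first, then intermediate.
build_bundle() {  # $1 = leaf, $2 = intermediate, $3 = output bundle
  cat "$1" "$2" >"$3"
}

# 4. Bundle order: first cert carries the expected CN, second cert is its issuer.
#    `openssl x509` reads only the first PEM block, so split the bundle first.
bundle_in_order() {  # $1 = bundle, $2 = expected leaf CN
  local dir subject1 issuer1 subject2
  dir=$(mktemp -d "$WORK/split.XXXXXX")
  awk -v d="$dir" '/-----BEGIN CERTIFICATE-----/{n++} {print > (d "/part" n ".pem")}' "$1"
  subject1=$(openssl x509 -in "$dir/part1.pem" -noout -subject)
  case "$subject1" in *"CN = $2"|*"CN=$2") ;; *) return 1 ;; esac
  issuer1=$(openssl x509 -in "$dir/part1.pem" -noout -issuer)
  subject2=$(openssl x509 -in "$dir/part2.pem" -noout -subject)
  [ "${issuer1#issuer=}" = "${subject2#subject=}" ]
}

# Run a check and insist on the outcome we expect (ok or fail); exit on surprise.
expect() {  # $1 = ok|fail, rest = command
  local want=$1 got; shift
  if "$@" >/dev/null 2>&1; then got=ok; else got=fail; fi
  [ "$got" = "$want" ] && echo "ok   (expected $want): $*" || { echo "FAIL (wanted $want): $*"; exit 1; }
}

make_test_pki
expect ok   key_matches_cert foo_com.crt server.key
expect fail key_matches_cert foo_com.crt wrong.key
expect fail verify_leaf_only foo_com.crt root.crt          # the question's error 20
expect ok   verify_with_intermediate foo_com.crt DigiCertCA.crt root.crt
build_bundle foo_com.crt DigiCertCA.crt foo_com_DigiCertCA_cat.crt
build_bundle DigiCertCA.crt foo_com.crt reversed.crt       # wrong order, for the negative check
expect ok   bundle_in_order foo_com_DigiCertCA_cat.crt foo.com
expect fail bundle_in_order reversed.crt foo.com
```

The live equivalent of checks 2b and 4 is what the answer did with nginx: nginx reads the whole chain from the ssl_certificate file, so serving the bundle and connecting with openssl s_client -CApath /etc/ssl/certs exercises the exact bytes Heroku will serve. The offline form is worth keeping in a deploy script because it also catches a key that does not match the certificate, which no amount of chain verification will show.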