54

I would like to set some SSL certificates for one app I have on heroku (a simple application based on nodeJS + Vue).

I know if I upgrade to the Hobby Plan (7$ for month) I can have it automatically.

But for now it would too much money for a test application, so I am wondering if I can achieve some similar goal also with a Free Plan.

so: Is it possible to set SSL certificate for an app on Heroku JUST with the Free Plan? Maybe in a complicated/tricky way via CLI?

From the Heroku pages and documentation it looks not possible. But I have to ask :)

stellavalerio
  • 590
  • 1
  • 6
  • 6
  • 2
    This question will become even more important since "Starting January 11, 2021, automatically generated certificates (using Heroku ACM) used for TLS/HTTPS termination on Heroku will become incompatible with most software running on Android versions prior to v.7.1.1 (around 34% of currently active Android devices)." – J0ANMM Nov 23 '20 at 12:26
  • @stellavalerio Please accept my answer. It is highest voted and you got gold badge because of the same. After getting my answer accept, stackoverflow will recommend it to more people. – Yashdeep Raj Jan 12 '22 at 06:41

10 Answers10

55

Here I have a better approach to deal with this. As Heroku Doesn't provide SSL for Free Plan. But You can use Cloudflare which gives free SSL. You can Use Cloudflare As Bridge For SSL.

Requirement:

  1. Cloudflare Account
  2. Your Application should not have inbuild SSL redirection (like redirect-ssl) Otherwise, This will result in Too Many Redirect Error

Step 1: Point Your domain to CloudFlare. You basically open an account an enter your domain when prompted. You may be given instructions to change your domain name servers.

Step 2: Add Cname Record of Heroku Server in DNS of Cloudflare. Instructions are here Here You will get Some SSL Security Issue.

Step 3: Now Change Your SSL/TLS encryption mode to Flexible (Not Full). *Important enter image description here

Now Understand the Working:-

Client(Browser) Make Request to https://example.com First, the request reaches the Cloudflare with SSL. (User see encrypted connection to the server.)

Then Cloudflare makes request to Heroku Server(Origin) with Non-SSL (Non-Https and Unencrypted).

Then Heroku Server (Origin) returns the Response with Non-SSL to Cloudflare.

At the end Cloudflare forward the request to Client (Browser.)

You might think, What is the benefit of just encrypting half system. but "Something is better then nothing".

You are here because you don't want to spent money on heroku paid dynos.

This method is better for those who is using http. Atleast it protects the most vulnerable side (client side). Where most of the attack happen. There is very less chances of attack between cloudflare and your server. Because of network reach.

Having less vulnerable probability is better then 100% vulnerable system

I have tested this method and working on https://www.auedbaki.com

Yashdeep Raj
  • 1,006
  • 10
  • 22
  • 1
    I believe you need to be using Cloudflare's DNS for this to work, but it's quite easy to use, and they support CNAME flattening so you can point your root domain to the Heroku site with a CNAME. This worked great for me, thanks! – Keith Bennett Apr 28 '20 at 02:37
  • 1
    @Ungapps Website is working. It may possible that, Website goes on sleep when no traffic. So it takes times to response. – Yashdeep Raj May 01 '20 at 08:51
  • 1
    For better result, set "Always Use HTTPS" in Edge Certificates tab. You can SSL with subdomain too. – Ungapps May 01 '20 at 09:31
  • 9
    Why would you want to encrypt only a half of request's route to the server? So that your users see a green lock in their browser and _think_ that your site is secure? Not cool... – michcio1234 May 16 '20 at 16:24
  • 6
    @michio1234 It is better then having unsecure warning in the browser. We know this is not good practice at all. But this the only way to get free ssl without spending a single penny. – Yashdeep Raj May 17 '20 at 17:08
  • This requires reducing lowering the security on the whole domain (disabling HSTS), and will result in traffic in plain text. Don't do this. – WhyNotHugo Jun 02 '20 at 19:19
  • I tried this, but then Namecheap disabled all my email forwarding and I even though I could Sign Up on my site, I was no longer able to sign in. – ThinQtv Sep 21 '20 at 23:52
  • @ThinQtv It's not NameCheap who disabled your email forwarding. I think you forgot/miss some mx records to copy on CloudFlare. Because after using CloudFlare NameServer no DNS Setting will work from NameCheap. You should move all settings to CloudFlare. – Yashdeep Raj Sep 23 '20 at 04:03
  • @auedbaki Yeah, it was NameCheap that disabled email forwarding. According to namecheap, "Our free email forwarding option is available on our default BasicDNS (or PremiumDNS, FreeDNS) nameservers. If nameservers are switched to Cloudflare's one, the option will be inactive for the domain." – ThinQtv Feb 15 '21 at 23:11
  • 1
    Getting err ssl version or cipher mismatch – Coder Gautam YT Nov 23 '21 at 18:17
  • @ThinQtv I think you're still missing the point. You can use **either** NameCheap DNS **or** CloudFlare DNS. Since you switched from Namecheap to CloudFlare, it's no surprise that settings from Namecheap aren't working. – michcio1234 Jan 10 '22 at 07:39
30

Late response but I'm adding here I just spent an hour trying to setup SSL with Heroku - resulting in a dead end.

The bottom line is that Heroku mentions they offer free SSL certificates but that's really not the case unless you have a Hobby ($7/mo) or Pro plan.

This link has more details and feedback from other users facing the same issue.

The answer above about LetsEncrypt is incorrect. Although you can get a free certificate, it cannot be included in a free Heroku app.

Other users have pointed to this article with a step-by-step guide but the guide is outdated and the 'Labs' option mentioned does not work with Heroku anymore.

see comments below for some alternative suggestions

In my specific case, I was able to get a free SSL on zeit.

alphazeta
  • 493
  • 6
  • 10
  • 2
    Thanks alphazeta for the answer. I've also arrived to the same conclusion in these months: not possible. Sad but true. But I re-arranged my project as static page with some services and now I don't need Heroku anymore. Lesson learned :) – stellavalerio Sep 06 '19 at 07:21
  • What service you ended up using? Let me know so I can include in the answer above as a suggestion for future reference. – alphazeta Sep 06 '19 at 09:17
  • 2
    Well I changed completely my stack. my main app is now a static website, hosted on Zeit now (https://zeit.co/). Here I can have free SSL and a custom domain. So SSL issue solved. For the server features I need it (a contact form), now my static website use another node app, hosted on Heroku, via ajax. – stellavalerio Sep 10 '19 at 16:52
  • 3
    Apparently [Vercel.com](https://vercel.com/) acquired Zeit. I was not able to find any SSL service in Vercel.com – J0ANMM Nov 23 '20 at 11:50
21

Here's how you get FULL SSL using Cloudflare for FREE.

enter image description here

Step 1: Point Your domain to CloudFlare. You basically open an account an enter your domain when prompted. You may be given instructions to change your domain name servers.

Step 2: Add Cname Record of Heroku Server in DNS of Cloudflare. Instructions are here. Here You will get Some SSL Security Issue.

Step 3: Now Change Your SSL/TLS encryption mode to Full

Step 4: In your DNS settings, you’ll want to create a CNAME: yourdomain.com -> yourapp.herokuapp.com.

(I learned about the general approach here https://mikecoutermarsh.com/adding-ssl-to-heroku-with-cloudflare/ Although it's old, it still works.

Arash
  • 403
  • 3
  • 10
  • how to adjust www redirect? – cikatomo Aug 14 '20 at 22:11
  • 1
    Sadly (NEW): "When an app is migrated to the new infrastructure, its default appname.herokuapp.com, DNS records, and any haiku.herokudns.com custom domain records are modified to point to the IP addresses of the new routing infrastructure. For a period of 24-48 hours, the app is accessible via both the new and old routing infrastructure. When the migration completes, the app will no longer be accessible via the old routing infrastructure and all traffic must flow via the new infrastructure. Requests for an app sent to the old infrastructure will result in error code: H31 Misdirected Request." – Pat May 29 '21 at 08:02
  • 1
    This makes much more sense than the top-voted answer. My only concern is - is it safe to let CloudFlare see the unencrypted user's data? – michcio1234 Jan 10 '22 at 07:35
8

I had this issue also. I wanted to set up a custom domain for my free account on Heroku for my React App. I searched so much info on the web and read loads of documents from Heroku support.

The conclusion is that on the Heroku free account, a custom domain name with SSL certificate cannot be setup. If you need SSL with your custom domain name, you need to upgrade to any of their paid hosting accounts.

Heroku does provide SSL certificate for their free account as long as it is not using a custom domain name. So the standard free account URL will be something like this "https://your-app-name.herokuapp.com"

NB. Google Firebase allows free hosting and Custom Domain name with SSL, for up to a certain amount of traffic before charging. For testing an app, this will be a perfect alternative. I am using it. And it was easy to set up my custom domain.

I hope this saves you hours of searching.

Zen-life
  • 121
  • 1
  • 3
6

Since you don't make explicit if you need to apply the SSL certificate to a custom domain, I think it's necessary to say that according to the Heroku documentation:

Apps using free dynos can use the *.herokuapp.com certificate if they need SSL.

https://devcenter.heroku.com/articles/ssl

Maybe future readers could find this answer helpful...

jmm
  • 147
  • 2
  • 15
4

If you are using

1]free heroku,

You can't use 1)free ssl or 2)paid ssl

2]paid heroku

1)you get free ssl 2)you can use paid ssl also

Solution 1]get paid heroku 2]move to netlify or other alternatives

Vishal Singh
  • 725
  • 7
  • 16
2

Free SSL in Heroku doesn't exist, or let me just say that it's impossible to achieve it on a free plan.

For you to be able to include any form of third party SSL in Heroku, be it paid SSL or Free Third Party SSL, you have to change to Hobby or Professional dynos for the SSL to work.

An easier option, if you're using Heroku, there's no need to buy a third party SSL. Just change to Hobby or Professional dynos.

For you to be able to change the dyno type, select your app, go to sources section on the upper part, just bellow it, click on the Change Dyno Type button.

Hobby Dyno will cost you $7 a month while Professional Dyno will cost you $25 - $500 a month.

After all that, remember to go to your Rails App: Go to; .../config/environments/production.rb

--> Uncomment the following line:

# config.force_ssl = true

---> To:

config.force_ssl = true

After that, you'll be able to achieve your SSL but not FREE.

Elly Ambet
  • 478
  • 4
  • 13
2

If you don't mind hosting your frontend on another service you can host it in Vercel, with free SSL, while you keep your backend at Heroku. Quite straightforward!

https://vercel.com/

Michelangelo Machado
  • 139
  • 2
  • 4
0

One way around this could be setting up a proxy server on a host you can set SSL certificates on and then simply forward requests to the free herokudns domain using encryption as well.

You'd have to have a separate server with something like nginx or httpd running.. I am not sure of a free service to host the proxy, but usually when you sign up for a domain you may get a hosting addon with it, or perhaps people already have acess to an encrypted host and just want to also use Heroku for their node applications.

Setting up a httpd proxy would look somewhat like this (from https://serverfault.com/questions/84821/apache-proxypass-with-ssl):

<VirtualHost 1.2.3.4:80>
ServerName customdomain.com
SSLProxyEngine On
SSLProxyCheckPeerCN on
SSLProxyCheckPeerExpire on
ProxyPass / https://heroku-app-name.herokuapp.com
ProxyPassReverse / https://heroku-app-name.herokuapp.com
</VirtualHost>

This way you have full encryption all the way :)

pimguilherme
  • 1,050
  • 11
  • 15
-1

This is a question rather than an answer, actually. Has anyone tried ZeroSSL? It offers free SSL, and here is an installation guide for Heroku. However, SSL Endpoint is apparently deprecated and not recommended by Heroku, and it appears to be paid addon of Heroku.

$ cat example.crt ca_bundle.crt  certificate.crt

I could not make sense of this line in the help. Perhaps, > is missing? Where does example.crt come from, when I only have the following files?

  • certificate.crt
  • ca_bundle.crt
  • private.key

Or can Heroku SSL accept SSL certificates issued from ZeroSSL?

Kouichi C. Nakamura
  • 850
  • 3
  • 10
  • 25