Skip to content

Instantly share code, notes, and snippets.

@Jlevyd15

Jlevyd15/Heroku SSL with Certbot.md

Last active July 11, 2023 18:03
Show Gist options
  • Save Jlevyd15/be02092b650783318d56f0c29e0d52f6 to your computer and use it in GitHub Desktop.
Save Jlevyd15/be02092b650783318d56f0c29e0d52f6 to your computer and use it in GitHub Desktop.
Download ZIP
Creating a SSL certificate locally using Certbot on Mac OS and deploying to an existing Heroku App
Raw
Heroku SSL with Certbot.md

Creating a SSL certificate locally using Certbot on Mac OS and deploying to an existing Heroku App

Caveats

  • You must have a heroku app deployed on the hobby tier. This is NOT the free tier and costs ~7/month
  • i'm assuming you have homebrew installed. It will be need to install the Certbot client
  • i'm also assuming you have the heroku CLI tools installed

first up, run this to install the certbot client

brew install certbot

start the certbot script in manual mode

sudo certbot certonly --manual

Enter the url(s) you want to create certificates for

--------- STOP! READ THIS!----------

*You need to complete a route validation (explained below) before continuing or else the script will fail and you'll need to start over.

The next step is to create a route for verification. You need to verify you're the owner of the server to get a certificate. The Certbot script will provide you a unique id that you will need to send in response to a request on the route '/.well-known/acme-challenge/:id' where :id is a random string Certbot will send.

you can see in the below route i'm responding with whatever is sent in the url request (:id) combind with my unique id provided by Certbot.

I'm using nodeJS so I created a route like this

app.get('/.well-known/acme-challenge/:id', function(req, res, next) {
    res.send(req.params.id+'.'+YOUR_PROVIDED_CERTBOT_ID);
});

After you created the route succesfully test and deploy to Heroku.

Once you've deployed to Heroku and the build is completed succesfully come back to the terminal window and press enter to contiue the Certbot script. You should see a success message.

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/YOUR_URL_HERE.COM/fullchain.pem. Your cert will
   expire on 2017-05-11. To obtain a new version of the certificate in
   the future, simply run Let's Encrypt again.

Now you have the certs, SWEET!

Next, you'll need to deploy them to Heroku.

Heroku has recently changed their policy on SSL support, below is a quote from their site.

"Heroku SSL is included for free on any app that uses paid dynos: Hobby, Standard-1X, Standard-2X, Performance-M and Performance-L. This service uses Server Name Indication (SNI), an extension of the TLS protocol, which allows for Heroku to terminate SSL on its router."

heroku certs:add --app <YOUR_HEROKU_APP_NAME_HERE> /etc/letsencrypt/live/inchworm.io/fullchain.pem /etc/letsencrypt/live/inchworm.io/privkey.pem

After you enter this command using the heroku toolbelt, heroku will prompt you to change your dns records with the new nameservers they provide.

Once you change those records you're done!

If you're having any problems check out the heroku docs here.

https://devcenter.heroku.com/articles/ssl

@BuffMcBigHuge
Copy link

This was a great help! Thanks for posting.

To add, if you would like wildcard certs (*.example.com), you can change the ACME endpoint by adding --server https://acme-v02.api.letsencrypt.org/directory to your certbot command.

@uxdxdev
Copy link

uxdxdev commented Jun 23, 2018

Just a heads up for anyone that lands here trying to add an SSL cert to their Heroku app using the free dyno tier, it does not work. Heroku have restricted uploading your SSL cert to only paid dynos. Very disappointing.

You need to be running on either Hobby or Professional dynos to be able to use SNI SSL.

@cyruslk
Copy link

cyruslk commented Nov 22, 2019

Hey - quick question for you: where do you add the route?
In the server side of your app?
Thanks

@redtripleAAA
Copy link

Can I use this to create wildcard certs?

@dantejauregui
Copy link

Just a heads up for anyone that lands here trying to add an SSL cert to their Heroku app using the free dyno tier, it does not work. Heroku have restricted uploading your SSL cert to only paid dynos. Very disappointing.

You need to be running on either Hobby or Professional dynos to be able to use SNI SSL.

Hello! and did you find an alternative to have the free SSL Certificate in FREE Heroku Dynos?? please :)

@ahmed-adly-khalil
Copy link

a quick update here, you don't need to create the api part, lets encrypt now let you add a txt record to your domain and check it

@gigaga
Copy link

gigaga commented Jul 5, 2022

@ahmed-adly-khalil So, there is an alternative? Can you explain how upload our certificate files without paying hobby dyno ?

@ahmed-adly-khalil
Copy link

@gigaga yes, no need for an api route, it will prompt you to update the txt record then it will revalidate

@ahmed-adly-khalil
Copy link

just use this command instead sudo certbot certonly --manual --preferred-challenges dns

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment