@lucasmartins
Last active December 20, 2015 03:59
Updating your Heroku SSL certificate

(check the pt_BR version here)

To generate the new SSL you need to follow these steps:

  • @dev Generate a .CSR (a key text file);
  • @dev Send the .CSR to your certificate authority (we use TheSSLstore);
    • @dev Verify the domain ownership through email (you can also put a file on your HTTP server);
    • @dev Download the .CRT file (probably a zipball with a bunch of .CRT files);
  • @dev Brew the bundle.crt;
  • @staging Update the Heroku endpoint;
  • @production Update the Heroku endpoint;
  • Know what to do when things go bad.

Generating the CSR

Open the Terminal and run:

openssl req -new -newkey rsa:2048 -nodes -out rdstation.csr -keyout rdstation.key \
-subj "/C=BR/ST=Santa Catarina/L=Florianópolis/O=Resultados Digitais/OU=RDstation/CN=*.rdstation.com.br"

This generates a key (rdstation.key) and a CSR (rdstation.csr). The key must be shared only with Heroku, and the CSR only with the Certificate Authority.

Sending the CSR to the Certificate Authority

** I assume you already bought the certificate **

  • Go to https://www.thesslstore.com/client/orders.aspx;
  • The "Pending" order has a link right under the ID that takes you to (in our case) Comodo's wizard;
  • Follow the wizard (to the dungeon!); at the "Domain Control Validation" section, choose to validate via email.

Verifying domain ownership

After sending the CSR, you will receive an email with a link and a validation code. Click the link and follow the instructions, and we're done!

Downloading the CRT

filetype: .zip

Brewing the bundle.crt

After unzipping, you'll have a folder with a bunch of certificates belonging to your Certificate Authority's chain (including yours!). From Comodo, the folder looks like this:

  • AddTrustExternalCARoot.crt
  • ComodoUTNSGCCA.crt
  • EssentialSSLCA_2.crt
  • STAR_rdstation_com_br.crt
  • UTNAddTrustSGCCA.crt

Now we need to concatenate the certificate files in the --> RIGHT ORDER <-- (your own certificate first, then the intermediates, as in the command below; you can see the chain from your old certificate right in the browser, remember?). Get into the folder and run:

cat STAR_rdstation_com_br.crt EssentialSSLCA_2.crt ComodoUTNSGCCA.crt UTNAddTrustSGCCA.crt > bundle.crt

Move your bundle.crt to the same folder as the key.
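Heroku rejects a bundle whose certificates are out of order, so it pays to check the file before running certs:update. The script below is an added example, not part of the original gist: it checks that the private key matches the first (leaf) certificate in the bundle and that every certificate in the bundle is issued by the one that follows it, i.e. leaf first, then each intermediate. It assumes the openssl binary is installed; it compares issuer/subject names only and does not verify signatures or expiry. The make_test_chain helper builds a throwaway root/intermediate/leaf chain so the check can be exercised offline; file names like bundle.crt and rdstation.key are just the ones the gist uses.

```shell
#!/bin/sh
# Added example (not the gist author's code). Sanity-check a bundle.crt + key
# before `heroku certs:update`. Assumes `openssl` is on PATH.
set -u

# Split a PEM bundle into $2/cert-1.pem, $2/cert-2.pem, ... and print the count.
split_bundle() {
  bundle="$1"; outdir="$2"
  awk -v dir="$outdir" '
    /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert-" n ".pem" }
    f { print > f }
    /-----END CERTIFICATE-----/ { close(f); f = "" }
  ' "$bundle"
  ls "$outdir"/cert-*.pem | wc -l | tr -d ' '
}

# 0 if the private key ($2) matches the public key of the first cert in $1.
# Both sides are reduced to a SHA-256 digest of the DER-encoded public key.
key_matches_leaf() {
  bundle="$1"; key="$2"
  cert_pub=$(openssl x509 -in "$bundle" -noout -pubkey 2>/dev/null \
             | openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256)
  key_pub=$(openssl pkey -in "$key" -pubout -outform DER 2>/dev/null | openssl dgst -sha256)
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# 0 if cert[i] is issued by cert[i+1] for every i (leaf -> intermediates order).
chain_in_order() {
  bundle="$1"
  dir=$(mktemp -d)
  count=$(split_bundle "$bundle" "$dir")
  i=1
  while [ "$i" -lt "$count" ]; do
    j=$((i + 1))
    issuer=$(openssl x509 -in "$dir/cert-$i.pem" -noout -issuer)
    subject=$(openssl x509 -in "$dir/cert-$j.pem" -noout -subject)
    # strip the "issuer=" / "subject=" labels so the two DNs can be compared
    if [ "${issuer#issuer=}" != "${subject#subject=}" ]; then
      rm -rf "$dir"; return 1
    fi
    i=$j
  done
  rm -rf "$dir"
  return 0
}

# Entry point: 0 when the bundle and key look right, 1 otherwise.
check_bundle() {
  bundle="$1"; key="$2"
  key_matches_leaf "$bundle" "$key" || { echo "key does not match the first certificate" >&2; return 1; }
  chain_in_order "$bundle" || { echo "bundle is not in leaf -> intermediate order" >&2; return 1; }
  echo "$bundle looks sane"
}

# Constructed test fixture: self-signed root, intermediate signed by root,
# wildcard leaf signed by intermediate. Written into $1.
make_test_chain() {
  dir="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Example Root" \
    -keyout "$dir/root.key" -out "$dir/root.crt" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Intermediate" \
    -keyout "$dir/int.key" -out "$dir/int.csr" 2>/dev/null
  openssl x509 -req -in "$dir/int.csr" -CA "$dir/root.crt" -CAkey "$dir/root.key" \
    -CAcreateserial -days 30 -out "$dir/int.crt" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=*.example.test" \
    -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/int.crt" -CAkey "$dir/int.key" \
    -CAcreateserial -days 30 -out "$dir/leaf.crt" 2>/dev/null
}

# Usage: ./check_bundle.sh bundle.crt rdstation.key
if [ "$#" -eq 2 ]; then
  check_bundle "$1" "$2"
fi
```

Run it against the bundle.crt you just built and the key from the CSR step; a non-zero exit tells you which of the two checks failed before Heroku has a chance to reject the update.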

Updating Heroku

ProTips™

proTip™ #1 It is very important to test these kinds of things @staging before @production; it is very easy to mess up. If you go wrong brewing bundle.crt, Heroku will reject your update.

proTip™ #2 You must not have the heroku gem installed and linked in your Terminal; use the Heroku Toolbelt instead.

proTip™ #3 If you don't even know why you should have such a thing (the heroku gem), uninstall it:

$ gem uninstall heroku
Select gem to uninstall:
 1. heroku-2.28.0
 2. heroku-2.28.12
 3. All versions
> 3
Successfully uninstalled heroku-2.28.0
Remove executables:
  heroku

in addition to the gem? [Yn]  y
Removing heroku
Successfully uninstalled heroku-2.28.12

proTip™ #4 If you wanna be sure you have the right thing:

$ heroku --version
heroku-toolbelt/2.39.4 (x86_64-darwin10.8.0) ruby/1.9.3

proTip™ #5 If you wanna be sure you have the wrong thing:

$ heroku --version
heroku-gem/2.28.12 (x86_64-darwin12.3.0) ruby/2.0.0

proTip™ #6 Browsers cache certificate files, but a simple ⌘+R should suffice.

Let's work

For starters, check your actual certificate info from Heroku:

$ heroku certs:info --app rdstation-staging-cedar

Go into the folder containing both bundle.crt and rdstation.key and run:

$ heroku certs:update bundle.crt rdstation.key --app rdstation-staging-cedar
Resolving trust chain... done
Updating SSL Endpoint tokyo-1537.herokussl.com for rdstation-cedar... done
Updated certificate details:
Common Name(s): *.rdstation.com.br, rdstation.com.br
Expires At:     2014-07-26 23:59 UTC
Issuer:         /OU=Domain Control Validated/OU=EssentialSSL Wildcard/CN=*.rdstation.com.br
Starts At:      2013-07-23 00:00 UTC
Subject:        /OU=Domain Control Validated/OU=EssentialSSL Wildcard/CN=*.rdstation.com.br
SSL certificate is verified by a root authority.

If you didn't read proTip™ #2 already, things will go bad...

If things go bad

$ heroku certs:rollback --app rdstation-staging-cedar

Remember to replace the --app value with the environment which STOPPED working. Otherwise you get:

Updating SSL Endpoint tokyo-1723.herokussl.com for rdstation-cedar... failed
 !    Bad response from SSL Endpoint provider. Please try again later.

Read proTip™ #2, share your experience with somebody around, and repeat two times out loud: "I didn't read proTip™ #2".

mbuckbee commented Jan 4, 2015

If you don't want to go through all these steps, you might consider using: https://addons.heroku.com/expeditedssl - which will handle all of this for you.
