Updating your Heroku SSL certificate (check the pt_BR version here)
To generate the new SSL you need to follow these steps:
- Generate a .CSR (a key text file); @dev
- Send the .CSR to your certificate authority (we use TheSSLstore); @dev
- Verify the domain ownership through email (you can also put a file at your http server); @dev
- Download the .CRT file (probably a zipball with a bunch of .CRT files); @dev
- Brew the bundle.crt; @dev
- Update the Heroku endpoint; @staging
- Update the Heroku endpoint; @production
- Know what to do when things go bad.
Open the Terminal and run:
openssl req -new -newkey rsa:2048 -nodes -out rdstation.csr -keyout rdstation.key \
-subj "/C=BR/ST=Santa Catarina/L=Florianópolis/O=Resultados Digitais/OU=RDstation/CN=*.rdstation.com.br"
This generates a key (rdstation.key) and a CSR (rdstation.csr). The key must be shared only with Heroku, and the CSR only with the Certificate Authority.
** I assume you already bought the certificate **
- Go to https://www.thesslstore.com/client/orders.aspx;
- The "Pending" order has a link right under the ID that takes you to (in our case) Comodo's wizard;
- Follow the wizard (to the dungeon!), at the "Domain Control Validation" section, choose to validate via email;
After sending the CSR, you will receive an email with a link and a validation code. Click the link, follow the instructions, and we're done!
- Go to https://www.thesslstore.com/client/orders.aspx;
- Open the "Order" we're working on;
- scroll down;
- click "Download Certificate";
filetype: .zip
After unzipping, you'll have a folder with a bunch of certificates belonging to your Certificate Authority's chain (including yours!). From "Comodo", the folder looks like this:
- AddTrustExternalCARoot.crt
- ComodoUTNSGCCA.crt
- EssentialSSLCA_2.crt
- STAR_rdstation_com_br.crt
- UTNAddTrustSGCCA.crt
Now we need to concatenate the certificate files in the --> RIGHT ORDER <--: your own certificate first, then each intermediate up the chain, leaving the root out (you can see the chain order by inspecting your old certificate in the browser, remember?). Get into the folder and run:
cat STAR_rdstation_com_br.crt EssentialSSLCA_2.crt ComodoUTNSGCCA.crt UTNAddTrustSGCCA.crt > bundle.crt
Move your bundle.crt to the same folder as the key.
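A pre-upload check, added here and not part of the original post: it confirms that bundle.crt is in the right order (each certificate is issued by the one after it) and that the private key belongs to the first certificate, which is exactly what a rejected Heroku update usually comes down to. It assumes openssl is on PATH; the root/intermediate/leaf chain it generates is a constructed fixture, not any real CA's certificates.

```sh
#!/bin/sh
# Added check: before running `heroku certs:update`, confirm that bundle.crt is
# in the right order (your cert first, each following cert the issuer of the
# previous one) and that the private key belongs to the first cert.
# Assumes `openssl` is on PATH (OpenSSL 1.1.1 or later).
set -eu

# The private key must match the public key of the first (leaf) certificate.
key_matches_leaf() {   # $1=bundle.crt  $2=private key
  leaf_pub=$(openssl x509 -in "$1" -noout -pubkey)   # reads only the first cert
  key_pub=$(openssl pkey -in "$2" -pubout)
  [ "$leaf_pub" = "$key_pub" ]
}

# Certificate N's issuer must equal certificate N+1's subject, all the way up.
chain_order_ok() {     # $1=bundle.crt
  dir=$(mktemp -d)
  awk -v d="$dir" '/BEGIN CERT/{n++} n>0{print > (d "/" n ".pem")}' "$1"
  n=$(ls "$dir" | wc -l | tr -d ' ')
  i=1
  while [ "$i" -lt "$n" ]; do
    issuer=$(openssl x509 -in "$dir/$i.pem" -noout -issuer)
    subject=$(openssl x509 -in "$dir/$((i + 1)).pem" -noout -subject)
    if [ "${issuer#issuer=}" != "${subject#subject=}" ]; then
      rm -rf "$dir"; return 1
    fi
    i=$((i + 1))
  done
  rm -rf "$dir"
}

# Constructed fixture (not a real CA): root -> intermediate -> wildcard leaf,
# bundled both the right way and the wrong way. Written into directory $1.
make_test_chain() {
  cd "$1"
  printf 'basicConstraints=CA:TRUE\n' > ca.ext
  openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Test Root" \
    -keyout root.key -out root.crt -days 30 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Test Intermediate" \
    -keyout int.key -out int.csr 2>/dev/null
  openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -extfile ca.ext -out int.crt -days 30 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=*.example.test" \
    -keyout leaf.key -out leaf.csr 2>/dev/null
  openssl x509 -req -in leaf.csr -CA int.crt -CAkey int.key -CAcreateserial \
    -out leaf.crt -days 30 2>/dev/null
  cat leaf.crt int.crt > bundle.crt        # right order, root left out
  cat int.crt leaf.crt > bundle-wrong.crt  # wrong order: Heroku rejects this
}
```

Run `chain_order_ok bundle.crt && key_matches_leaf bundle.crt rdstation.key` in the folder holding both files; a non-zero exit means fix the bundle before touching staging.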
proTip™ #1
It is very important to test these kinds of things @staging before @production; it is very easy to mess up. If you get bundle.crt wrong, Heroku will reject your update.
proTip™ #2
You must not have the heroku gem installed and linked in your Terminal; use the Heroku Toolbelt instead.
proTip™ #3
If you don't even know why you would have such a thing (the heroku gem), remove it:
$ gem uninstall heroku
Select gem to uninstall:
1. heroku-2.28.0
2. heroku-2.28.12
3. All versions
> 3
Successfully uninstalled heroku-2.28.0
Remove executables:
heroku
in addition to the gem? [Yn] y
Removing heroku
Successfully uninstalled heroku-2.28.12
proTip™ #4
If you wanna be sure you have the right thing:
$ heroku --version
heroku-toolbelt/2.39.4 (x86_64-darwin10.8.0) ruby/1.9.3
proTip™ #5
If you wanna be sure you have the wrong thing:
$ heroku --version
heroku-gem/2.28.12 (x86_64-darwin12.3.0) ruby/2.0.0
proTip™ #6
Browsers cache certificate files, but a simple ⌘+R should suffice.
For starters, check your current certificate info from Heroku:
$ heroku certs:info --app rdstation-staging-cedar
Go into the folder containing both bundle.crt and rdstation.key and run:
$ heroku certs:update bundle.crt rdstation.key --app rdstation-staging-cedar
Resolving trust chain... done
Updating SSL Endpoint tokyo-1537.herokussl.com for rdstation-cedar... done
Updated certificate details:
Common Name(s): *.rdstation.com.br, rdstation.com.br
Expires At: 2014-07-26 23:59 UTC
Issuer: /OU=Domain Control Validated/OU=EssentialSSL Wildcard/CN=*.rdstation.com.br
Starts At: 2013-07-23 00:00 UTC
Subject: /OU=Domain Control Validated/OU=EssentialSSL Wildcard/CN=*.rdstation.com.br
SSL certificate is verified by a root authority.
If you didn't read proTip™ #2 already, things will go bad...
$ heroku certs:rollback --app rdstation-staging-cedar
(remember to replace the --app value with the environment that STOPPED working)
Updating SSL Endpoint tokyo-1723.herokussl.com for rdstation-cedar... failed
! Bad response from SSL Endpoint provider. Please try again later.
Read proTip™ #2, share your experience with somebody around and repeat 2 times out loud: "I didn't read proTip™ #2".
If you don't want to go through all these steps, you might consider using: https://addons.heroku.com/expeditedssl - which will handle all of this for you.