Installing a Free SSL Certificate on Heroku

Update - 3/21

Heroku now does this automagically.

Prerequisites

Installing Certbot

Certbot is a command line application for automatically generating SSL certificates from Let's Encrypt. If you weren't using Heroku you would run this on your server to generate the certificates. Since we don't operate the system on Heroku, we'll generate the certificates locally and then upload them to Heroku.

If you have Homebrew on OSX you can simply run:

brew install certbot

If not, you can get the software at the Certbot homepage.

Generating an SSL Certificate

With Certbot installed we can now go ahead and generate our free certificate. From the command line you'll want to run:

sudo certbot certonly --manual

It will then ask you to enter your domain name. If you're using a domain prefix like "www", make sure you include that as well. For example:

www.example.com

From there it will ask if it's OK that your IP is logged and then give instructions on how to verify that you own the domain. Do not continue until you have read the instructions and set up the verification.

It will provide a path and ask you to render text at that path.

Make sure your web server displays the following content at
http://www.newbeginnings.site/.well-known/acme-challenge/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx before continuing:

zzzzzzzzzzzzzzzzzz-xxxxxxxxxxxxxxxxxxxxxxxx.yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy

The first part is the path. This is where Certbot is going to check for the key listed below it. In other words, we have to make sure that when Certbot visits the path, that key is displayed as text.

For example, if you're using Rails, you can create the file in your ./public directory or create a controller and route to render the text.

In ./config/routes.rb you can add:

get '/.well-known/acme-challenge/:id' => 'index#letsencrypt'

And then create and add the following to the Index controller:

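class IndexController < ApplicationController
  # Responds to /.well-known/acme-challenge/:id with the key Certbot printed.
  def letsencrypt
    # render plain: sends the body as text/plain (render text: was removed in Rails 5.1)
    render plain: "zzzzzzzzzzzzzzzzzz-xxxxxxxxxxxxxxxxxxxxxxxx.yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy"
  end
end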

Make sure you then push the changes to Heroku. You can test that this works by visiting the path listed above in your web browser:

http://www.newbeginnings.site/.well-known/acme-challenge/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

You should see the code. Once that's working, go ahead and continue with the Certbot install.
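
The controller above returns the same text for any :id. As an added example (not code from the original post), this plain-Ruby version checks the value Certbot prints and serves it only for the matching token. It assumes the RFC 8555 HTTP-01 format; ACME_CHALLENGES, the function names and the sample value are hypothetical.

```ruby
# Added example, not code from the original post.
# Per RFC 8555 (HTTP-01): the URL ends in the token, and the body must be
# "<token>.<thumbprint>", where the thumbprint is 43 base64url characters.
ACME_PREFIX = "/.well-known/acme-challenge/"
BASE64URL   = /\A[A-Za-z0-9_-]+\z/

# Constructed sample value standing in for the text Certbot prints.
SAMPLE_KEY_AUTH = "constructed-token_0123456789abcdefABCDEF." + ("T" * 43)

# Validate the pasted value and return its token part.
def parse_key_authorization(key_auth)
  token, thumbprint, extra = key_auth.to_s.strip.split(".", 3)
  raise ArgumentError, "expected <token>.<thumbprint>" if thumbprint.nil? || extra
  unless [token, thumbprint].all? { |part| part.match?(BASE64URL) }
    raise ArgumentError, "parts must be base64url"
  end
  raise ArgumentError, "thumbprint must be 43 characters" unless thumbprint.length == 43
  token
end

# Build token => response body from a comma-separated list, e.g. the value of
# a config variable (ACME_CHALLENGES is a hypothetical name).
def build_challenge_table(raw)
  raw.to_s.split(",").map(&:strip).reject(&:empty?)
     .map { |key_auth| [parse_key_authorization(key_auth), key_auth] }.to_h
end

# Rack-style [status, headers, body] for a request path.
def acme_response(path, table)
  not_found = [404, { "content-type" => "text/plain" }, "not found"]
  return not_found unless path.start_with?(ACME_PREFIX)
  token = path.delete_prefix(ACME_PREFIX)
  # Only well-formed tokens that were explicitly configured get a body.
  body = token.match?(BASE64URL) ? table[token] : nil
  body ? [200, { "content-type" => "text/plain" }, body] : not_found
end

if __FILE__ == $PROGRAM_NAME
  table = build_challenge_table(SAMPLE_KEY_AUTH)
  p acme_response(ACME_PREFIX + SAMPLE_KEY_AUTH.split(".").first, table)
  p acme_response(ACME_PREFIX + "some-other-token", table)
end
```

In the Rails controller, the same lookup would use params[:id] as the token and answer 404 when there is no match.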

Uploading Your Certificate to Heroku

If Certbot verified your domain correctly, you should see the following message:

 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/www.example.com/fullchain.pem. Your
   cert will expire on 2017-06-08. To obtain a new or tweaked version
   of this certificate in the future, simply run certbot again. To
   non-interactively renew *all* of your certificates, run "certbot
   renew"

This will give us the location of your certificate. You can verify this by running:

sudo ls /etc/letsencrypt/live/www.example.com/

Note: We have to use sudo here because Certbot creates protected folders. We cannot access the folder without admin privileges, so we use sudo.

You should see something like:

README
cert.pem
chain.pem
fullchain.pem
privkey.pem

If that looks good, go ahead and add the certificate to Heroku:

sudo heroku certs:add /etc/letsencrypt/live/www.example.com/fullchain.pem /etc/letsencrypt/live/www.example.com/privkey.pem

Once again, we're using sudo to access the protected files. If all went well, you should now be able to see your new certificate in action, by going to:

https://www.example.com

in your browser!