Installing a Free SSL Certificate on Heroku
Update - 3/21
Heroku now does this automagically.
Prerequisites
- Site on Heroku
- Domain properly configured
Installing Certbot
Certbot is a command line application for automatically generating SSL certificates from Let's Encrypt. If you weren't using Heroku you would run this on your server to generate the certificates. Since we don't operate the system on Heroku, we'll generate the certificates locally and then upload them to Heroku.
If you have Homebrew on OSX you can simply run:
brew install certbot
If not, you can get the software at the Certbot homepage.
Generating an SSL Certificate
With Certbot installed we can now go ahead and generate our free certificate. From the command line you'll want to run:
sudo certbot certonly --manual
It will then ask you to enter your domain name. If you're using a domain prefix like "www", make sure you include that as well. For example:
www.example.com
From there it will ask if it's OK that your IP is logged and then give instructions on how to verify you own the domain. Do not continue until you have read and set up the verification.
It will provide a path and ask you to render text at that path.
Make sure your web server displays the following content at
http://www.newbeginnings.site/.well-known/acme-challenge/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx before continuing:
zzzzzzzzzzzzzzzzzz-xxxxxxxxxxxxxxxxxxxxxxxx.yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy
The first part is the path. This is where Certbot is going to check for the key listed below. In other words we have to make sure that when Certbot visits the path, the below key is displayed as text.
For example, if you're using Rails, you can create the file in your ./public directory or create a controller and route to render the text.
In ./config/routes.rb you can add:
get '/.well-known/acme-challenge/:id' => 'index#letsencrypt'
And then create and add the following to the Index controller:
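class IndexController < ApplicationController
  # Answers the Certbot challenge request with the key as plain text.
  # `render plain:` replaces `render text:`, which newer Rails versions no longer accept.
  def letsencrypt
    render plain: "zzzzzzzzzzzzzzzzzz-xxxxxxxxxxxxxxxxxxxxxxxx.yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy"
  end
end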
Make sure you then push the changes to Heroku. You can test that this works by visiting the path listed above in your web browser:
http://www.newbeginnings.site/.well-known/acme-challenge/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
You should see the code. Once that's working, go ahead and continue with the Certbot install.
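As an alternative to hard-coding the value in the controller above, here is an added example (not code from the original post): a small Rack middleware that reads the challenge from two config vars and answers only the one path Certbot asked for. The names ACME_TOKEN and ACME_KEY_AUTH, the sample values and the `fetch` helper are assumptions made for the demonstration.

```ruby
# Added example (not from the original post): Rack middleware that serves the
# Certbot challenge from config vars instead of a hard-coded controller string.
# ACME_TOKEN and ACME_KEY_AUTH are assumed names, not Heroku or Certbot settings.
class AcmeChallenge
  PREFIX = "/.well-known/acme-challenge/"
  TOKEN_FORMAT = /\A[A-Za-z0-9_-]+\z/ # challenge tokens are base64url text
  PLAIN = { "content-type" => "text/plain" }.freeze

  # app: the next Rack app; vars: where the challenge values are read from
  def initialize(app, vars = ENV)
    @app = app
    @vars = vars
  end

  def call(env)
    path = env["PATH_INFO"].to_s
    return @app.call(env) unless path.start_with?(PREFIX)

    body = key_authorization_for(path[PREFIX.length..])
    return [404, PLAIN.dup, ["Not Found"]] if body.nil?
    [200, PLAIN.dup, [body]] # plain text, never rendered as HTML
  end

  private

  # Returns the text to serve, or nil unless the request is for the one
  # challenge currently configured.
  def key_authorization_for(requested)
    token = @vars["ACME_TOKEN"].to_s
    key_auth = @vars["ACME_KEY_AUTH"].to_s
    return nil unless token.match?(TOKEN_FORMAT) && requested == token
    # The expected content is "<token>.<account key thumbprint>"; refuse a
    # value pasted from a different challenge rather than serve a bad answer.
    return nil unless key_auth.start_with?("#{token}.") && key_auth.size > token.size + 1
    key_auth
  end
end

# Constructed sample values, not real challenge data.
SAMPLE = { "ACME_TOKEN" => "tok_EN-123", "ACME_KEY_AUTH" => "tok_EN-123.thumb_PRINT-456" }.freeze
FALLBACK = ->(_env) { [200, { "content-type" => "text/html" }, ["app"]] }

# Helper for the demonstration: send one request path through the middleware.
def fetch(path, vars = SAMPLE)
  AcmeChallenge.new(FALLBACK, vars).call("PATH_INFO" => path)
end

puts fetch("/.well-known/acme-challenge/tok_EN-123").inspect
```

In a Rails app this would be registered with `config.middleware.use AcmeChallenge`, and the two values set with `heroku config:set` rather than a code push.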
Uploading Your Certificate to Heroku
If Certbot verified your domain correctly, you should see the following message:
- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/www.example.com/fullchain.pem. Your
cert will expire on 2017-06-08. To obtain a new or tweaked version
of this certificate in the future, simply run certbot again. To
non-interactively renew *all* of your certificates, run "certbot
renew"
This will give us the location of your certificate. You can verify this by running:
sudo ls /etc/letsencrypt/live/www.example.com/
Note: We have to use sudo here because certbot creates protected folders. We cannot access the folder without admin privileges, therefore we use sudo.
You should see something like:
README
cert.pem
chain.pem
fullchain.pem
privkey.pem
If that looks good, go ahead and add the certificate to Heroku:
sudo heroku certs:add /etc/letsencrypt/live/www.example.com/fullchain.pem /etc/letsencrypt/live/www.example.com/privkey.pem
Once again, we're using sudo to access the protected files. If all went well, you should now be able to see your new certificate in action, by going to:
https://www.example.com
in your browser!