HOW-TO: Heroku SSL Management using CLI, ACM, or Manual Certificates
Contents
Useful Heroku Commands
Enabling Automated Certificate Management (ACM) in Heroku
Enabling ACM, Verifying Certs, and Verifying Domains
heroku certs:auto:enable --app readyrosie-server-production
heroku certs:remove --name mie-43657 --app readyrosie-server-production
heroku certs --app readyrosie-server-production
heroku domains --app readyrosie-server-production
Verifying Certificates as used in Heroku
## Using Heroku
heroku domains -a readyrosie-server-production
heroku certs:info -a readyrosie-server-production
## Using cURL
curl -vI https://app.readyrosie.com
## Using OpenSSL or Dig
openssl s_client -connect app.readyrosie.com:443
dig +short cname app.readyrosie.com
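The three manual checks above (cURL, OpenSSL, dig) are easy to script so they can run before and after an ACM or manual-certificate change. The following is an added example, not code from the original page; it assumes `openssl`, `dig` and GNU or BSD `date` are installed, that a custom Heroku domain CNAMEs to a `*.herokudns.com` target as in the domains table further down, and that the Heroku endpoint picks its certificate by SNI, which is why `-servername` is passed to `openssl s_client`.

```shell
#!/usr/bin/env bash
# Added example: verify what a Heroku-hosted hostname actually serves.
# Reusable pieces are pure functions so they can be checked without network access.

# Convert an openssl "notAfter=Mar  6 16:12:00 2022 GMT" line to epoch seconds.
# Tries GNU date first, then BSD/macOS date.
enddate_to_epoch() {
    s="${1#notAfter=}"
    date -u -d "$s" +%s 2>/dev/null \
        || date -j -u -f '%b %e %H:%M:%S %Y %Z' "$s" +%s
}

# Whole days between an expiry epoch and a reference epoch (default: now).
days_remaining() {
    exp="$1"; now="${2:-$(date -u +%s)}"
    echo $(( (exp - now) / 86400 ))
}

# True when a CNAME target is a Heroku DNS endpoint (assumption: custom domains
# on Heroku point at <domain>.herokudns.com, as the domains table shows).
is_heroku_dns_target() {
    case "$1" in
        *.herokudns.com|*.herokudns.com.) return 0 ;;
        *) return 1 ;;
    esac
}

# Live check for one host: SNI-correct TLS handshake, expiry, and CNAME target.
# Returns non-zero when the handshake fails or fewer than WARN_DAYS remain.
check_host() {
    host="$1"; warn_days="${2:-14}"
    enddate=$(openssl s_client -servername "$host" -connect "$host:443" </dev/null 2>/dev/null \
        | openssl x509 -noout -enddate) || { echo "$host: TLS handshake failed"; return 2; }
    left=$(days_remaining "$(enddate_to_epoch "$enddate")")
    cname=$(dig +short CNAME "$host" | head -n 1)
    if is_heroku_dns_target "$cname"; then
        dns="CNAME -> $cname (Heroku)"
    else
        dns="CNAME -> ${cname:-none} (NOT a Heroku target)"
    fi
    echo "$host: $left days until expiry; $dns"
    [ "$left" -gt "$warn_days" ]
}

# Usage: ./check-heroku-tls.bash app.readyrosie.com [WARN_DAYS]
if [ "$#" -ge 1 ]; then check_host "$@"; fi
```

Run it against a hostname right after `heroku certs:auto:enable` finishes: a handshake that succeeds only without `-servername`, or a CNAME that does not end in `herokudns.com`, means the domain is not actually being served by the Heroku endpoint the certificate was issued for.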
Other Useful Heroku Commands (Teams, Apps, Domains, Certificates)
## Display Heroku teams
heroku teams
farfaria admin
ready-rosie admin
## Display Heroku Apps for the specified Team
heroku apps -t ready-rosie
=== Apps in team ready-rosie
data-readyrosie-com
farfaria-testing
farfaria-ts
myts-8840-v2-rr-co
readyrosie-server-production
readyrosie-server-staging
readyrosie-server-testing
rubot-readyrosie-com
textchimp-rr-co
ts-hackathon-2020
## Display Heroku Domains for the specified App
heroku domains -a readyrosie-server-production
=== readyrosie-server-production Heroku Domain
readyrosie-server-production.herokuapp.com
=== readyrosie-server-production Custom Domains
Domain Name DNS Record Type DNS Target SNI Endpoint
app.readyrosie.com CNAME app.readyrosie.com.herokudns.com aptosaurus-33621
## Display Heroku Certificates for the specified Domain
heroku certs:info -a readyrosie-server-production
Fetching SSL certificate aptosaurus-33621 info for ⬢ readyrosie-server-production... done
Certificate details:
Common Name(s): app.readyrosie.com
Expires At: 2022-03-06 16:12 UTC
Issuer: /C=US/O=Let's Encrypt/CN=R3
Starts At: 2021-12-06 16:12 UTC
Subject: /CN=app.readyrosie.com
SSL certificate is verified by a root authority.
Enabling Manual Certificate Management in Heroku
Installing LetsEncrypt Certbot locally
In MacOS using brew
brew install certbot
In Linux:
sudo apt-add-repository ppa:certbot/certbot
sudo apt install certbot
Creating a Manual Certificate using CertBot by LetsEncrypt
## Creating a Manual Certificate
certbot certonly --manual --manual-auth-hook /tmp/acme-dns-auth.py --preferred-challenges dns --debug-challenges -d app.readyrosie.com
Uploading a Manual Certificate into Heroku SSL
- Reference: Heroku SSL | Heroku Dev Center
- From https://dashboard.heroku.com/apps/<app-name>/settings, click ADD CERTIFICATE in the SSL CERTIFICATE section.
- Manual certificates require that the SSL manager be set to MANUAL rather than ACM (AUTOMATED CERTIFICATE MANAGEMENT). To use ACM instead, see the instructions earlier on this page.
- DISPLAY NAME should be the domain (e.g. app.readyrosie.com).
- Copy/Paste (or upload) the PUBLIC key.
- Copy/Paste (or upload) the PRIVATE key.
- Click FINISH to submit the SSL certificate; Heroku SSL verifies it automatically and applies it to the <app-name> currently selected in the Heroku Dashboard.
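Before pasting a certificate and private key into the dashboard (or passing them to `heroku certs:add CRT KEY`, the CLI form the `heroku certs` output mentions), it is worth confirming that the two files belong together, that the certificate actually names the domain, and that it is not already near expiry; Heroku will reject some of these mistakes, but a mismatched key or a wrong hostname is cheaper to catch locally. The following is an added example, not code from the page or from Heroku; it assumes `openssl` is installed, and the file names and `<app-name>` are placeholders.

```shell
#!/usr/bin/env bash
# Added example: sanity-check a certificate/key pair before uploading it to
# Heroku SSL. The self-signed pair generated by make_demo_pair exists only to
# exercise the checks; Heroku expects the CA-issued certificate from certbot.

# Return 0 if the public key inside CERT equals the public key derived from KEY.
key_matches_cert() {
    cert="$1"; key="$2"
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Return 0 if HOST appears as the subject CN or as a DNS SAN of CERT.
cert_covers_host() {
    cert="$1"; host="$2"
    esc=$(printf '%s' "$host" | sed 's/\./\\./g')
    { openssl x509 -in "$cert" -noout -subject
      openssl x509 -in "$cert" -noout -text | grep -A 1 'Subject Alternative Name'; } \
        | grep -E -q "(CN ?= ?|DNS:)${esc}([^A-Za-z0-9.-]|\$)"
}

# Return 0 if CERT stays valid for at least MIN_DAYS more days (default 1).
cert_not_expiring() {
    cert="$1"; min_days="${2:-1}"
    openssl x509 -in "$cert" -noout -checkend $(( min_days * 86400 )) >/dev/null
}

# Run every check, report each one, return non-zero if any failed.
precheck_cert() {
    cert="$1"; key="$2"; host="$3"; rc=0
    if key_matches_cert "$cert" "$key"; then echo "ok:   private key matches certificate"
    else echo "FAIL: private key does not match certificate"; rc=1; fi
    if cert_covers_host "$cert" "$host"; then echo "ok:   certificate names $host"
    else echo "FAIL: certificate does not name $host"; rc=1; fi
    if cert_not_expiring "$cert" 7; then echo "ok:   certificate valid for more than 7 days"
    else echo "FAIL: certificate expires within 7 days (or is already expired)"; rc=1; fi
    return $rc
}

# Constructed throwaway self-signed pair (CN only) used to demonstrate the checks.
# Prints the directory holding cert.pem and key.pem.
make_demo_pair() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$1" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" >/dev/null 2>&1
    echo "$dir"
}

# Usage: ./precheck-cert.bash cert.pem key.pem app.readyrosie.com \
#        && heroku certs:add cert.pem key.pem -a <app-name>
if [ "$#" -eq 3 ]; then precheck_cert "$@"; fi
```

The key comparison works for RSA and EC keys alike because both sides are reduced to the same SubjectPublicKeyInfo PEM. The hostname check matches the subject CN and the SAN list, so a certificate issued for a sibling domain (app-staging instead of app) is caught before it is uploaded.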
Useful Heroku Scripts
Example of displaying ALL Heroku certs by App/Team
./display-heroku-certs.bash ready-rosie
Name Common Name(s) Expires Trusted Type
────────────────── ─────────────────── ──────────────────── ─────── ────
ankylosaurus-63957 data.readyrosie.com 2022-01-27 02:44 UTC True ACM
Name Common Name(s) Expires Trusted Type
──────────────────── ───────────────────────────────────────────── ──────────────────── ─────── ────
dromiceiomimus-34783 tsdev-testing-farfaria.teachingstrategies.com 2022-02-05 23:41 UTC True ACM
Name Common Name(s) Expires Trusted Type
────────────────── ──────────────────── ──────────────────── ─────── ────
ankylosaurus-52133 stories.farfaria.com 2022-01-23 12:51 UTC True ACM
⬢ myts-8840-v2-rr-co has no SSL certificates.
Use heroku certs:add CRT KEY to add one.
Name Display Name Common Name(s) Expires Trusted Type Domains
──────────────── ───────────────── ────────────────── ──────────────────── ─────── ──── ───────
aptosaurus-33621 app.readyrose.com app.readyrosie.com 2022-03-06 16:12 UTC True SNI 1
Name Common Name(s) Expires Trusted Type
─────────────────── ────────────────────────── ──────────────────── ─────── ────
dilophosaurus-75339 app-staging.readyrosie.com 2022-01-26 03:45 UTC True ACM
Name Common Name(s) Expires Trusted Type
──────────────────── ────────────────────────── ──────────────────── ─────── ────
dromiceiomimus-28932 app-testing.readyrosie.com 2022-01-27 03:26 UTC True ACM
SOURCE for display-heroku-certs.bash
#!/usr/bin/env bash
# display-heroku-certs.bash: list the SSL certificates of every app in a Heroku team.
if [ -z "$1" ]; then
    echo "USAGE: $0 <HEROKU-TEAM-NAME>"
    echo "This script will display Heroku SSL Certificates for each App under the specified Team."
    echo "The following teams are available for the currently logged in user:"
    heroku teams
else
    team="$1"
    # Save the app list, then skip the "=== Apps in team ..." header line.
    heroku apps -t "$team" > heroku-apps.txt
    tail -n +2 heroku-apps.txt | while read -r appname; do
        # Skip any blank line trailing the app list.
        [ -z "$appname" ] && continue
        heroku certs -a "$appname"
    done
fi
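The listing script above shows every certificate but leaves the reader to eyeball the Expires column. The point a practitioner most wants from that output is which certificates are about to lapse, and in particular the rows of Type SNI: those are the manually uploaded certificates from the previous section, which Heroku does not renew, whereas ACM rows renew on their own. The following is an added example, not code from the page; it assumes the column layout of the `heroku certs` tables shown above (with the extra Display Name and Domains columns on SNI rows) and GNU or BSD `date`.

```shell
#!/usr/bin/env bash
# Added example: audit `heroku certs` output for certificates close to expiry.
# Rows are parsed by anchoring on the "YYYY-MM-DD HH:MM UTC" field, so the
# differing column counts of ACM and SNI rows do not matter.

# Constructed sample in the shape of the `heroku certs` tables shown above.
SAMPLE_CERTS='Name Common Name(s) Expires Trusted Type
ankylosaurus-63957 data.readyrosie.com 2022-01-27 02:44 UTC True ACM
Name Display Name Common Name(s) Expires Trusted Type Domains
aptosaurus-33621 app.readyrosie.com app.readyrosie.com 2022-03-06 16:12 UTC True SNI 1
dilophosaurus-75339 app-staging.readyrosie.com 2022-01-26 03:45 UTC True ACM'

# Convert "YYYY-MM-DD HH:MM" (UTC) to epoch seconds; GNU date, then BSD date.
expires_to_epoch() {
    date -u -d "$1" +%s 2>/dev/null \
        || date -j -u -f '%Y-%m-%d %H:%M' "$1" +%s
}

# Normalise cert rows to "NAME CN DATE TIME TYPE" whatever the column layout.
parse_cert_rows() {
    awk '
        /[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9] [0-9][0-9]:[0-9][0-9] UTC/ {
            for (i = 2; i < NF; i++) {
                if ($i ~ /^[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]$/) {
                    # field before the date is the Common Name; after it come
                    # HH:MM, UTC, Trusted, Type
                    print $1, $(i-1), $i, $(i+1), $(i+4)
                    break
                }
            }
        }'
}

# flag_expiring INPUT_TEXT WINDOW_DAYS [NOW_EPOCH]
# Prints "NAME CN TYPE DAYS_LEFT" for every cert expiring within WINDOW_DAYS.
flag_expiring() {
    input="$1"; window="$2"; now="${3:-$(date -u +%s)}"
    printf '%s\n' "$input" | parse_cert_rows |
    while read -r name cn d t type; do
        left=$(( ($(expires_to_epoch "$d $t") - now) / 86400 ))
        if [ "$left" -le "$window" ]; then
            printf '%s %s %s %s\n' "$name" "$cn" "$type" "$left"
        fi
    done
}

# Live audit of every app in a team (network; same loop as display-heroku-certs.bash).
# Usage: ./audit-heroku-certs.bash ready-rosie [WINDOW_DAYS]
audit_team() {
    team="$1"; window="${2:-30}"
    heroku apps -t "$team" | tail -n +2 | while read -r app; do
        [ -z "$app" ] && continue
        flag_expiring "$(heroku certs -a "$app" 2>/dev/null)" "$window"
    done
}

if [ "$#" -ge 1 ]; then audit_team "$@"; fi
```

Any SNI row that appears in the output needs a human to run the certbot steps above and re-upload; an ACM row appearing there is worth a look too, since it usually means automatic renewal is failing (for example because the domain's CNAME no longer points at Heroku).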