HOW-TO: Heroku SSL Management using CLI, ACM, or Manual Certificates

From Tayledras
Heroku

Useful Heroku Commands

Enabling Automated Certificate Management (ACM) in Heroku


Enabling ACM, Verifying Certs, and Verifying Domains

## Enable ACM: Heroku then provisions and renews Let's Encrypt certificates for the app's custom domains
heroku certs:auto:enable --app readyrosie-server-production
## Remove an existing certificate by its Heroku name (here the one named mie-43657)
heroku certs:remove --name mie-43657 --app readyrosie-server-production
## Confirm which certificates and domains the app now has
heroku certs --app readyrosie-server-production
heroku domains --app readyrosie-server-production

Verifying Certificates as used in Heroku

## Using Heroku
heroku domains -a readyrosie-server-production
heroku certs:info -a readyrosie-server-production

## Using cURL
curl -vI https://app.readyrosie.com

## Using OpenSSL or Dig
## -servername sends SNI, which Heroku's SNI endpoints use to pick the domain's certificate;
## closing stdin ends the session, and x509 prints just the leaf's subject, issuer and validity dates
openssl s_client -servername app.readyrosie.com -connect app.readyrosie.com:443 </dev/null | openssl x509 -noout -subject -issuer -dates
## The custom domain must be a CNAME to the DNS Target that `heroku domains` reports
dig +short CNAME app.readyrosie.com
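The three manual checks above (CNAME target, certificate served under SNI, expiry) can be run as one script. The following is an added example, not code from the original page: it assumes dig, openssl and GNU date are on PATH (a BSD/macOS date fallback is included), and the name check-heroku-tls.sh and the 30-day warning threshold are this example's own choices.

```shell
#!/usr/bin/env bash
# check-heroku-tls.sh (added example, not from the original page): automate the
# dig/openssl checks for one custom domain. Assumes dig, openssl and date on PATH
# (GNU date; a BSD/macOS fallback is included).
set -eu

# True if a CNAME target is a Heroku DNS endpoint; dig prints a trailing dot.
is_heroku_dns_target() {
  case "${1%.}" in
    *.herokudns.com) return 0 ;;
    *)               return 1 ;;
  esac
}

# Unix epoch for an OpenSSL "notAfter=Mar  6 16:12:00 2022 GMT" line.
notafter_epoch() {
  local s="${1#notAfter=}"
  date -u -d "$s" +%s 2>/dev/null || date -j -u -f "%b %e %T %Y %Z" "$s" +%s
}

# Whole days from NOW (epoch; default: current time) until the notAfter line expires.
days_until_notafter() {
  local end now
  end=$(notafter_epoch "$1")
  now="${2:-$(date -u +%s)}"
  echo $(( (end - now) / 86400 ))
}

# Leaf certificate (PEM) that the endpoint serves for HOST. -servername sends SNI,
# which Heroku's SNI endpoints use to pick the domain's certificate.
fetch_leaf_cert() {
  openssl s_client -servername "$1" -connect "$1:443" </dev/null 2>/dev/null | openssl x509
}

# True if the PEM certificate on stdin lists HOST in its Subject Alternative Names.
cert_covers_host() {
  local pat
  pat=$(printf '%s' "$1" | sed 's/\./\\./g')
  openssl x509 -noout -text | grep -A1 'Subject Alternative Name' | grep -qE 'DNS:'"$pat"'(,|$)'
}

# Check DNS target, SAN coverage and remaining lifetime; warn below WARN_DAYS (default 30).
check_domain() {
  local host="$1" warn="${2:-30}" target cert notafter days rc=0
  target=$(dig +short CNAME "$host" | head -n1)
  if is_heroku_dns_target "$target"; then
    echo "DNS   : $host -> $target"
  else
    echo "DNS   : $host -> '${target:-no CNAME}' is not a *.herokudns.com target"; rc=1
  fi
  cert=$(fetch_leaf_cert "$host")
  if printf '%s\n' "$cert" | cert_covers_host "$host"; then
    echo "SAN   : certificate covers $host"
  else
    echo "SAN   : certificate does NOT cover $host (default endpoint cert? wrong SNI?)"; rc=1
  fi
  notafter=$(printf '%s\n' "$cert" | openssl x509 -noout -enddate)
  days=$(days_until_notafter "$notafter")
  echo "EXPIRY: $days days left (${notafter#notAfter=})"
  if [ "$days" -lt "$warn" ]; then echo "WARN  : fewer than $warn days left"; rc=1; fi
  return $rc
}

# Usage: ./check-heroku-tls.sh app.readyrosie.com [warn-days]
if [ $# -gt 0 ]; then check_domain "$@"; fi
```

A non-zero exit from check_domain means at least one of the three checks failed, so the script can sit in a cron job or CI step; the SAN check is the one that catches a domain that resolves correctly but is still being served the endpoint's default certificate.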

Other Useful Heroku Commands (Teams, Apps, Domains, Certificates)

## Display Heroku teams
heroku teams

farfaria     admin
ready-rosie  admin

## Display Heroku Apps for the specified Team
heroku apps -t ready-rosie

=== Apps in team ready-rosie
data-readyrosie-com
farfaria-testing
farfaria-ts
myts-8840-v2-rr-co
readyrosie-server-production
readyrosie-server-staging
readyrosie-server-testing
rubot-readyrosie-com
textchimp-rr-co
ts-hackathon-2020

## Display Heroku Domains for the specified App
heroku domains -a readyrosie-server-production

=== readyrosie-server-production Heroku Domain
readyrosie-server-production.herokuapp.com

=== readyrosie-server-production Custom Domains
Domain Name        DNS Record Type DNS Target                       SNI Endpoint
app.readyrosie.com CNAME           app.readyrosie.com.herokudns.com aptosaurus-33621

## Display Heroku Certificates for the specified Domain
heroku certs:info -a readyrosie-server-production

Fetching SSL certificate aptosaurus-33621 info for ⬢ readyrosie-server-production... done
Certificate details:
Common Name(s): app.readyrosie.com
Expires At:     2022-03-06 16:12 UTC
Issuer:         /C=US/O=Let's Encrypt/CN=R3
Starts At:      2021-12-06 16:12 UTC
Subject:        /CN=app.readyrosie.com
SSL certificate is verified by a root authority.

Enabling Manual Certificate Management in Heroku

Installing LetsEncrypt Certbot locally

On macOS using brew:

brew install certbot

On Linux (Ubuntu):

sudo apt-add-repository ppa:certbot/certbot
sudo apt install certbot

The certbot project has since deprecated this PPA in favour of its snap package; check certbot's install instructions for your release.

Creating a Manual Certificate using CertBot by LetsEncrypt

## Creating a Manual Certificate
## dns-01 challenge: the --manual-auth-hook script publishes the _acme-challenge TXT record that
## Let's Encrypt checks; --debug-challenges pauses before validation so the record can be checked with dig
certbot certonly --manual --manual-auth-hook /tmp/acme-dns-auth.py --preferred-challenges dns --debug-challenges -d app.readyrosie.com
## By default certbot writes the result under /etc/letsencrypt/live/app.readyrosie.com/:
## fullchain.pem (certificate plus intermediate) and privkey.pem are the two files Heroku needs

Uploading a Manual Certificate into Heroku SSL

  1. From https://dashboard.heroku.com/apps/<app-name>/settings , click ADD CERTIFICATE in the SSL CERTIFICATE section.
  2. Use of manual certificates requires that the SSL manager be MANUAL rather than ACM (AUTOMATED CERTIFICATE MANAGEMENT). For use of ACM, see the instructions above on this page.
  3. DISPLAY NAME should be the domain (i.e. app.readyrosie.com).
  4. Copy/paste (or upload) the certificate, i.e. certbot's fullchain.pem (the leaf certificate followed by the Let's Encrypt intermediate) rather than a bare public key.
  5. Copy/paste (or upload) the PRIVATE key (certbot's privkey.pem). Treat it as a secret: it should never end up in tickets, chat or the wiki.
  6. Click FINISH to submit the SSL certificate, which Heroku SSL will automatically verify and apply to the currently selected <app-name> displayed in the Heroku Dashboard.
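The dashboard form accepts whatever is pasted into it, so the mistakes that cost time (a private key that does not belong to the certificate, a chain pasted in the wrong order, a missing intermediate) are best caught before upload. The following is an added example, not code from the original page: it checks the certbot output from the previous section and then uploads it with the `heroku certs:add CRT KEY` command the CLI itself suggests, as an alternative to the dashboard steps above. It assumes openssl and a logged-in heroku CLI on PATH; the file names follow certbot's defaults, and the script name upload-heroku-cert.sh is this example's own.

```shell
#!/usr/bin/env bash
# upload-heroku-cert.sh (added example, not from the original page): check a
# certbot-issued certificate and key before uploading them to Heroku, then upload
# with `heroku certs:add`. Assumes openssl and a logged-in heroku CLI on PATH.
set -eu

# True if the public key embedded in CERT is the key in PRIVKEY. Both openssl
# commands print the same SubjectPublicKeyInfo PEM when the pair belongs together.
cert_matches_key() {
  local cert_pub key_pub
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# True if the first certificate in FULLCHAIN (the one Heroku presents) is issued
# to DOMAIN. certbot's fullchain.pem is leaf first, intermediates after; a file
# pasted in the wrong order fails this check. Handles both "CN = x" and "/CN=x"
# subject formats.
leaf_is_for_domain() {
  local pat
  pat=$(printf '%s' "$2" | sed 's/\./\\./g')
  openssl x509 -in "$1" -noout -subject | grep -qE "CN ?= ?$pat(,|/|\$)"
}

# True if FULLCHAIN verifies as a chain: the leaf is checked against the trust
# store (system roots, or CAFILE when given) using the certificates that follow
# it in the same file as untrusted intermediates.
chain_verifies() {
  local chain="$1" cafile="${2:-}"
  if [ -n "$cafile" ]; then
    openssl verify -CAfile "$cafile" -untrusted "$chain" "$chain" >/dev/null 2>&1
  else
    openssl verify -untrusted "$chain" "$chain" >/dev/null 2>&1
  fi
}

# Run all three checks, then upload. Returns non-zero without uploading on failure.
# Usage: upload_cert APP DOMAIN [LIVE_DIR]   (LIVE_DIR defaults to certbot's)
upload_cert() {
  local app="$1" domain="$2" live="${3:-/etc/letsencrypt/live/$2}"
  local crt="$live/fullchain.pem" key="$live/privkey.pem"
  leaf_is_for_domain "$crt" "$domain" || { echo "leaf certificate is not for $domain" >&2; return 1; }
  cert_matches_key "$crt" "$key"     || { echo "fullchain.pem and privkey.pem do not match" >&2; return 1; }
  chain_verifies "$crt"              || { echo "chain does not verify against system roots" >&2; return 1; }
  heroku certs:add "$crt" "$key" -a "$app"
}

# Usage: sudo ./upload-heroku-cert.sh readyrosie-server-production app.readyrosie.com
if [ $# -ge 2 ]; then upload_cert "$@"; fi
```

The order of the checks matters: a wrong-domain or misordered file is reported before any key material is read, and the private key never leaves the machine unless all three pass. chain_verifies uses the system trust store by default, which is the same question a browser asks; the optional CAFILE argument exists so the check can be exercised with a locally issued test certificate.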

Useful Heroku Scripts

Example of displaying ALL Heroku certs by App/Team

./display-heroku-certs.bash ready-rosie
Name                Common Name(s)       Expires               Trusted  Type
──────────────────  ───────────────────  ────────────────────  ───────  ────
ankylosaurus-63957  data.readyrosie.com  2022-01-27 02:44 UTC  True     ACM
Name                  Common Name(s)                                 Expires               Trusted  Type
────────────────────  ─────────────────────────────────────────────  ────────────────────  ───────  ────
dromiceiomimus-34783  tsdev-testing-farfaria.teachingstrategies.com  2022-02-05 23:41 UTC  True     ACM
Name                Common Name(s)        Expires               Trusted  Type
──────────────────  ────────────────────  ────────────────────  ───────  ────
ankylosaurus-52133  stories.farfaria.com  2022-01-23 12:51 UTC  True     ACM
⬢ myts-8840-v2-rr-co has no SSL certificates.
Use heroku certs:add CRT KEY to add one.
Name              Display Name       Common Name(s)      Expires               Trusted  Type  Domains
────────────────  ─────────────────  ──────────────────  ────────────────────  ───────  ────  ───────
aptosaurus-33621  app.readyrose.com  app.readyrosie.com  2022-03-06 16:12 UTC  True     SNI   1
Name                 Common Name(s)              Expires               Trusted  Type
───────────────────  ──────────────────────────  ────────────────────  ───────  ────
dilophosaurus-75339  app-staging.readyrosie.com  2022-01-26 03:45 UTC  True     ACM
Name                  Common Name(s)              Expires               Trusted  Type
────────────────────  ──────────────────────────  ────────────────────  ───────  ────
dromiceiomimus-28932  app-testing.readyrosie.com  2022-01-27 03:26 UTC  True     ACM

SOURCE for display-heroku-certs.bash

#!/usr/bin/env bash
# Display the SSL certificates of every app in a Heroku team.
set -eu

if [ -z "${1:-}" ]; then
  echo "USAGE: $0 <HEROKU-TEAM-NAME>"
  echo "This script will display Heroku SSL Certificates for each App under the specified Team."
  echo "The following teams are available for the currently logged in user:"
  heroku teams
  exit 1
fi

# `heroku apps -t TEAM` prints a "=== Apps in team ..." header followed by one app per line;
# skip the header and any blank lines, and pipe directly instead of writing a scratch file.
heroku apps -t "$1" | tail -n +2 | while read -r appname; do
  [ -n "$appname" ] || continue
  heroku certs -a "$appname"
done
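Printing every table is fine for a handful of apps, but the question a team actually asks is "which certificates expire soon?". The following is an added example, not code from the original page: it parses the `heroku certs -a APP` table layout shown above and reports only certificates with at most N days left. It assumes a logged-in heroku CLI and GNU date; the embedded sample output is constructed from the tables on this page so the parser can be exercised offline, and the script name audit-heroku-certs.sh and the 30-day default are this example's own.

```shell
#!/usr/bin/env bash
# audit-heroku-certs.sh (added example, not from the original page): flag
# certificates that expire within N days across all apps in a team. Assumes a
# logged-in heroku CLI and GNU date; the parser relies on the table layout shown
# on this page (an Expires column "YYYY-MM-DD HH:MM UTC" preceded by the common name).
set -eu

# Sample `heroku certs -a APP` output, constructed from the tables on this page so
# the parser can run offline. Note the extra Display Name column on the SNI row.
SAMPLE_CERTS_OUTPUT='Name                Common Name(s)       Expires               Trusted  Type
──────────────────  ───────────────────  ────────────────────  ───────  ────
ankylosaurus-63957  data.readyrosie.com  2022-01-27 02:44 UTC  True     ACM
⬢ myts-8840-v2-rr-co has no SSL certificates.
Use heroku certs:add CRT KEY to add one.
Name              Display Name       Common Name(s)      Expires               Trusted  Type  Domains
────────────────  ─────────────────  ──────────────────  ────────────────────  ───────  ────  ───────
aptosaurus-33621  app.readyrose.com  app.readyrosie.com  2022-03-06 16:12 UTC  True     SNI   1
dilophosaurus-75339  app-staging.readyrosie.com  2022-01-26 03:45 UTC  True     ACM'

# Reduce table output to "name|common-name|expires" lines. Rows without an Expires
# value (headers, separators, "has no SSL certificates") are dropped; the common
# name is taken as the field right before the date, which also copes with the
# Display Name column that SNI certificates add.
parse_certs_table() {
  awk '
    match($0, /[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9] [0-9][0-9]:[0-9][0-9] UTC/) {
      n = split(substr($0, 1, RSTART - 1), f, " ")
      printf "%s|%s|%s\n", f[1], f[n], substr($0, RSTART, RLENGTH)
    }'
}

# Unix epoch for an Expires value such as "2022-01-27 02:44 UTC".
expires_epoch() {
  date -u -d "$1" +%s
}

# Read parsed lines on stdin; print "days-left|name|common-name|expires" for each
# certificate with at most DAYS days left, measured from NOW (epoch; default: now).
expiring_within() {
  local days="$1" now="${2:-$(date -u +%s)}" name cn exp left
  while IFS='|' read -r name cn exp; do
    left=$(( ($(expires_epoch "$exp") - now) / 86400 ))
    if [ "$left" -le "$days" ]; then
      printf '%s|%s|%s|%s\n' "$left" "$name" "$cn" "$exp"
    fi
  done
}

# Offline demo over the constructed sample, soonest expiry first.
demo_expiring() {
  printf '%s\n' "$SAMPLE_CERTS_OUTPUT" | parse_certs_table | expiring_within "$1" "$2" | sort -n
}

# Live audit: the page's loop over `heroku apps -t TEAM`, blank lines skipped.
# Usage: ./audit-heroku-certs.sh TEAM [DAYS]
audit_team() {
  local team="$1" days="${2:-30}" app
  heroku apps -t "$team" | tail -n +2 | while read -r app; do
    [ -n "$app" ] || continue
    heroku certs -a "$app" | parse_certs_table | expiring_within "$days" | sed "s/^/$app: /"
  done
}

if [ $# -gt 0 ]; then audit_team "$@"; fi
```

Against the sample, `demo_expiring 30 1640995200` (30 days as of 2022-01-01 00:00 UTC) reports the staging and data certificates and stays quiet about the SNI one, which is the signal worth alerting on: ACM certificates renew on their own, but a manually uploaded SNI certificate that shows up here needs the certbot/upload procedure above run again before it lapses.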