How to obtain & install SSL certificate for Heroku in 15 mins

Heroku is a great hosting platform for modern, single page web applications. Nowadays, it is the de facto standard to secure your app or website with SSL/TLS, even for non-sensitive sites. Here’s a quick setup guide on how to obtain, download and install an SSL certificate and configure Heroku to work with it. All done in 15 minutes for $16/year (certificate) plus $20/month (Heroku SSL endpoint).

The Problem

My website (or web application) runs on Heroku on a non-SSL endpoint. I want the Heroku web app to run on https:// with a valid production certificate. I want this configuration to be simple and (ideally) inexpensive.

The Goal

Buy a production SSL certificate and secure the app with SSL/TLS.
Run my Heroku app named portadi-web on https://www.portadi.com (instead of http://).

The Steps

I don’t like paying for services which I feel are overpriced — and most certificate providers fit into this category. SSL certificates are expensive and difficult to get, manage, and deploy. Recently I used SSLMate. They charge $16 for a basic one-year certificate - a fair price in my view. While the procedure is not completely flawless, it is way better than with most of the traditional certification authorities.

1) Register on SSLMate

Go to https://www.sslmate.com and sign up for an account.

2) Install sslmate utility

You need to install the sslmate utility. On OS X, I tried the recommended way, installing the utility through Homebrew, but it failed (I don’t know whether it was my misconfiguration or a bug). So I installed the dmg installation package SSLMate provides. Surprisingly, for a certificate authority, the package is not signed. Once you have an account and the sslmate utility installed, everything is smooth (provided you are familiar with the command line).

3) Buy certificate and download it

$ sslmate buy www.portadi.com

The sslmate utility prompts you to enter your username and password and asks you to choose an authorization method. I used email.

The nice thing about SSLMate is that the utility waits till you confirm the authorization via email and then automatically downloads all certificates and the key.

Waiting for ownership confirmation...

Your certificate is ready for use!

           Private key: www.portadi.com.key
           Certificate: www.portadi.com.crt
     Certificate chain: www.portadi.com.chain.crt
Certificate with chain: www.portadi.com.chained.crt  

4) Buy SSL endpoint on Heroku

Running SSL on your domain is a paid service on Heroku. If you haven’t done it yet, you need to buy an SSL endpoint for your web app (in this example I use portadi-web).

$ heroku addons:create ssl:endpoint --app=portadi-web

5) Install your downloaded SSL certificates on Heroku

$ heroku certs:add www.portadi.com.chained.crt www.portadi.com.key --app=portadi-web

Resolving trust chain... done  
Adding SSL Endpoint to portadi-web... done  
portadi-web now served by nara-8848.herokussl.com  

Note the herokussl endpoint. You will need to paste this info into your DNS in step 7.

6) Provide domain on Heroku

If you haven’t done it already, instruct Heroku which domain you want to be handled via SSL.

$ heroku domains:add www.portadi.com

7) Register a CNAME record with your DNS provider

Now configure a CNAME record for www.portadi.com that points to the herokussl endpoint which we got in step 5. In our case we use Dyn for DNS - here is our configuration:
Now you will need to wait from a couple of minutes up to two days until your DNS change is fully propagated.
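
A pre-flight check for the files downloaded in step 3, to run before uploading them in step 5 (an added example, not part of the original post or of the sslmate or heroku tooling): it confirms that the key file is accessible only to its owner, that the certificate has not expired, and that the certificate was issued for that key. The function names and the throwaway demo.invalid pair are assumptions made for illustration; only standard openssl subcommands are used.

```bash
#!/usr/bin/env bash
# Pre-flight checks to run before `heroku certs:add` (added example).

# Succeeds only if the key is private to its owner, the certificate has
# not expired, and the certificate carries the public key of this key file.
preflight() {
    local cert=$1 key=$2 perms cert_pub key_pub

    # Characters 5-10 of `ls -l` are the group and other permission bits.
    perms=$(ls -ld "$key" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "FAIL: $key is accessible to group/other (chmod 600 it)"
        return 1
    fi

    # -checkend 0 exits non-zero if the certificate is already expired
    # (or cannot be parsed at all).
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
        echo "FAIL: $cert is expired or unreadable"
        return 1
    fi

    # Public key of the first certificate in the file (the leaf, when given
    # a *.chained.crt file) versus the public key derived from the key file.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || cert_pub=""
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || key_pub=""
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: $key does not match $cert"
        return 1
    fi
    echo "OK: $cert and $key are ready to upload"
}

# Constructed sample input: a throwaway self-signed pair plus an unrelated
# key, written into the directory given as $1.
make_demo_files() {
    local dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo.invalid" \
        -keyout "$dir/demo.key" -out "$dir/demo.crt" 2>/dev/null
    openssl genrsa -out "$dir/other.key" 2048 2>/dev/null
    chmod 600 "$dir/demo.key" "$dir/other.key"
}

# Real use: preflight www.portadi.com.chained.crt www.portadi.com.key
```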

So there you have it, your heroic web app now runs on SSL (the spellchecker insists on renaming Heroku to heroic, so I’ll let him have it at last :-)

Resources
https://devcenter.heroku.com/articles/ssl-endpoint
https://sslmate.com/
