Heroku Automated Certificate Management failed with one domain

Question

I am trying to get the SSL certification for my app with Heroku, but the Automated Certificate Management is failing for one of both domain names.

I created the dyno before March 2017, so I had to run heroku certs:auto:enable as explained here.

Then, heroku domains returns:

Domain Name         DNS Record Type  DNS Target
───────────────     ───────────────  ─────────────────────────────
example.com         ALIAS or ANAME   example.com.herokudns.com
www.example.com     CNAME            www.example.com.herokudns.com

This seems to be in line with what heroku expects.

Anyway, heroku certs:auto returns:

Domain             Status
───────────────    ────────────
example.com        Failing
www.example.com    OK          

I admit that I am quite illiterate for settings concerning domains, DNS and so on. Therefore, this might be a very simple mistake from my side. However, I read the Heroku troubleshooting documentation and also similar questions in SO such as a this one or this one and still have no clue what is wrong.

The fact that www.example.com is OK but example.com is failing just confuses me even more. And unfortunately, I received a notification email with no failure reason.

Namecheap

I guess the problem is either on Heroku or where I bought the domain. That is Namecheap.com.

There, at the Domain tab I have:

NAMESERVERS Namecheap BasicDNS

REDIRECT DOMAIN   Source URL     Destination
                  example.com    http://www.example.com

And at the Advanced DNS tab:

Type                  Host    Value                               TTL
-------------         -----   -------------------------------     -------
CNAME Record          www     example.com.herokudns.com           Automatic
TXT Record            @       google-site-verification...         Automatic
URL Redirect Record   @       http://www.example.com/ Unmasked

What am I doing wrong?

---

Update

The issue seems to be due to Namecheap. I found the following ticket on Heroku:

Issue

User is having trouble pointing their root domain (aka apex domain/naked domain) to their Heroku app, either with setting the right DNS records, or accessing it over HTTPS.

Resolution

Root domains on Heroku require the use of "CNAME-like" records, often referred to as ALIAS or ANAME records.

Unfortunately, a number of popular DNS hosts such as GoDaddy, Namecheap, Bluehost, and others do not support these types of records. Instead they tend to offer the following:

• A records

• URL redirects / forwarding

There are caveats with both of these options...

Surprisingly, I did not find any place where all the steps were explained clearly. What I did so far is:

1. Open an account with a DNS host that supports this. I took DNSimple. At the time of writing, prices start from 5€/month but there is a trial month for free.
2. Transfering the domain costs 14€/year, so I just pointed the name servers at Namecheap to DNSimple and added the domain to DNSimple to create the DNS records.

3. Then came the configuration on DNSimple. I followed the step 1 in the documentation to redirect HTTP to HTTPs; ignored the step 2, since Heroku's ACM had already done it; and for the step 3 the article Pointing the Domain Apex to Heroku was very helpful. I added manually an ALIAS record and I also added a CNAME record, like this:

   Type        Name                   Content
   ─────       ───────────────        ───────────────────────
   ALIAS       example.commyapp.com.herokudns.com
   CNAME       www.example.commyapp.com.herokudns.com
   

At the beginning nothing was working and the browser showed the following error:

This site can’t be reached

www.example.com’s server IP address could not be found.

Checking the troubleshotting documentation I saw that the only possibility was the Name server propagation delay, so I waited. It felt like a very long time, but it actually took less than one hour until the site got online again.

However, the SSL certification keeps failing more than 48 hours later...

Answer 1

For future reference: after contacting Heroku support, they manually refreshed my certificate request and it was finally issued for my app...

Answer 2

Check the answer here especially the CloudFlare solution as it is free

Automated certificate management also provisions you a free SSL cert from https everywhere. You don’t need to buy a cert.

However namecheap won’t work with ACM because they don’t allow an “alias” record for your “apex” domain I.e. your domain with no subdomain so https://example.com not https://www.example.com

Your options are switch to a dns registrar that supports an “alias” record such as dnsimple. They charge $5 a month in addition to the domain registration fee.

Or alternatively use a free cloudflare instance which comes with SSL.

If you already bought a cert there is a way to upload it to Heroku via an SSL addon.

I use both DNSimple/Heroku ACM on some apps and cloudflare on some others. Both are equally nice but cloudflare is free and gives you a CDN too.

https://www.reddit.com/r/Heroku/comments/7wh5r4/setting_up_ssl_with_heroku_namecheap/