Heroku ssl certs: Key could not be read since it's protected by a passphrase

Question

I am having trouble generating ssl certs that Heroku will accept for secure.mydomain.com. I'm using DNSimple, Cedar Stack, and following the instructions here: https://devcenter.heroku.com/articles/ssl-certificate

1. Copy server.key & server.orig.crt from DNSimple
2. Get root CA certificate with $ curl https://knowledge.rapidssl.com/library/VERISIGN/ALL_OTHER/RapidSSL%20Intermediate/RapidSSL_CA_bundle.pem > rapidssl_bundle.pem
3. Concatenate into one file with cat server.orig.crt rapidssl_bundle.pem > server.crt

So now I have the server.key & server.orig.crt files, which I try to upload to Heroku with $ heroku certs:add server.crt server.key. This gives the error

Key could not be read since it's protected by a passphrase.

The docs above don't mention anything about removing the passphrase from the server.key file. So I dug around and found the docs here: https://devcenter.heroku.com/articles/ssl#customdomain-ssl. I'm running these commands between #1 and #2 above:

1b. $ mv server.key server.orig.key

1c. $ openssl rsa -in server.orig.key -out server.key

However this gives the error

unable to load Private Key
47930:error:0906D06C:PEM routines:PEM_read_bio:no start line:/SourceCache/OpenSSL098/OpenSSL098-47/src/crypto/pem/pem_lib.c:648:Expecting: ANY PRIVATE KEY

Which I suspect means there is no private key found.

Anyone know what is the issue here? Is this a Heroku issue or an openssl issue (or a DNSimple issue)?

Answer 1

I just struggled mightily with a nearly identical problem installing SSL Certs on a Heroku app with DNSimple and RapidSSL, and want to post my solution here in case someone with a similar problem comes across this response.

I had followed the directions from everywhere on SO and Heroku dev center to install certs through DNSimple and RapidSSL, but every time I tried to add the certs with the command:

$ heroku certs:add server.crt bundle.pem server.key

no matter what I did, I got this error:

$ Adding SSL Endpoint to mysite... failed
 !    Key could not be read since it's protected by a passphrase.
 !    Read instructions on how to remove the passphrase on:
 !    http://www.madboa.com/geek/openssl/#key-removepass`

I knew the key didn't have a passphrase (because I went through that process multiple times) but it still didn't want to add them. I did two things that ultimately got it working though I'm not sure which one was the clincher.

First, I made sure to download the proper PEM file under the Apache, Plesk & CPA box from the RapidSSL email link to Intermediate certificates.

The second thing was to verify my Heroku toolbelt installation by going through the steps here: https://devcenter.heroku.com/articles/heroku-command#installing-the-heroku-cli

Turns out I was still using the gem and had to uninstall until I got to heroku-toolbelt, after which I tried adding the certs again and voila.