 

Multiple SSL Certificates in One Heroku Application

Tags:

ssl

heroku

Is it possible to have many SSL certificates in a single Heroku application?

We have multiple domain names of different types and TLDs pointing to our application and need to secure each domain name. Preferably without redirecting to a different secure URL.

Dallas Clark asked Nov 19 '12 05:11




2 Answers

There is a way to have multiple SSL endpoints routing traffic to the same app.

An SSL endpoint works by terminating the SSL connection and injecting the unencrypted traffic back into the normal Heroku routing layer.

You can take advantage of this by creating a new app with a new SSL endpoint to terminate the SSL connection and route the traffic to your existing app:

  1. Add your domain name to your app:

    $ heroku domains:add ssl.example.com

  2. Create a new app:

    $ heroku create endpoint-for-example-com

  3. Add the SSL endpoint add-on ($20/mo):

    $ heroku addons:create ssl:endpoint --app endpoint-for-example-com

  4. Add your certificate to your new app:

    $ heroku certs:add server.crt bundle.pem server.key --app endpoint-for-example-com --type endpoint
    Resolving trust chain... done
    Adding SSL Endpoint to endpoint-for-example-com... done
    endpoint-for-example-com now served by kagawa-1482.herokussl.example.com

  5. Use the ssl endpoint assigned to your new app (e.g. kagawa-1482.herokussl.example.com) as the CNAME host for the domain name you wish to secure. This is normally done in your domain's DNS configuration.

The new app does not need any dynos, but there will be a charge of $20 / month for the SSL endpoint add-on.

Notes:

  • This solution is not documented by Heroku, so it's possible that they would remove or change this behaviour in the future. Heroku have confirmed that this is safe for production use.
  • Be sure to create your endpoints in the same region as your primary app.
  • It might take a while for your DNS changes to take effect.
Sam Oliver answered Sep 29 '22 04:09


Recently Heroku has added automatic Let's Encrypt TLS certificates for paid dynos, Hobby and up. This will work across any number of domains and subdomains automatically. This method only works if you don't need wildcard subdomains.


Additionally, you can manage the LE certification yourself across multiple domains and subdomains with certbot:

    certbot certonly --standalone -d example.com -d www.example.com -d test.net

You can refer to this Heroku doc for uploading custom certificates.

denixtry answered Sep 29 '22 04:09
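
An added example, not code from either answer or from Heroku: before pointing several domains at one app, check that the certificate's subjectAltName list actually covers each of them, using the RFC 6125 rule that `*` matches exactly one leftmost label. The `APP_DOMAINS` list is a constructed assumption; `CERTBOT_SANS` mirrors the `-d` names in the certbot command above.

```python
import socket
import ssl

def san_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style match: '*' is honoured only as the whole leftmost
    label and stands for exactly one label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Require at least two fixed labels so "*.com" never matches.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h

def uncovered(domains, sans):
    """Return the domains that no SAN entry in the certificate covers."""
    return [d for d in domains if not any(san_matches(s, d) for s in sans)]

def fetch_sans(host: str, port: int = 443, timeout: float = 5.0):
    """Connect with SNI set to `host` and return the DNS SANs of the
    certificate served for that name. Needs network access; a chain or
    hostname failure raises ssl.SSLError."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]

# Constructed sample: SANs matching the -d names in the certbot command.
CERTBOT_SANS = ["example.com", "www.example.com", "test.net"]
# Constructed sample: domains assumed to be pointed at the app.
APP_DOMAINS = ["example.com", "www.example.com", "test.net",
               "www.test.net", "api.example.com"]

if __name__ == "__main__":
    print("not covered:", uncovered(APP_DOMAINS, CERTBOT_SANS))
    print("with wildcard:",
          uncovered(APP_DOMAINS, CERTBOT_SANS + ["*.example.com"]))
```

Any name reported as not covered would produce a certificate-mismatch error for visitors, so it needs its own `-d` entry or a separate certificate.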